Proxy problem

Hello,

I’m on MAAS 3.4.2 deployed with SNAP. I have one region controller and one rack controller. These two nodes have a network interface in the same subnet. My rack controller has another interface in a private network used for commissioning.
Commissioning fails with this error: E: Unable to locate package lldpd
In this case, I see that the best option is to disable the proxy, but I can’t because the machine that I’d like to commission has no internet access.
I see that the problem is with the proxy on the region controller. Here are the logs:

proxy/access.log

1718033009.296      1 XXX.XXX.XXX.188 TCP_MISS/403 2127 GET http://archive.ubuntu.com/ubuntu/dists/jammy-security/InRelease - HIER_NONE/- text/html
1718033009.296      1 XXX.XXX.XXX.188 TCP_MISS/403 2148 GET http://XXX.XXX.XXX.189:8000/squid-internal-periodic/store_digest - HIER_NONE/- text/html

proxy.log

2024/06/10 17:31:46| WARNING: Forwarding loop detected for:
GET /ubuntu/dists/jammy-security/InRelease HTTP/1.1
User-Agent: curl/7.81.0
Accept: */*
Via: 1.1 None (squid/5.7)
Cache-Control: max-age=0
Connection: keep-alive
Host: archive.ubuntu.com

And here are the logs of the proxy on the rack controller:

proxy/access.log

1718033728.382      1 10.XXX.XX.215 TCP_MISS/403 2211 GET http://archive.ubuntu.com/ubuntu/dists/jammy-security/InRelease - FIRSTUP_PARENT/XXX.XXX.XXX.189 text/html

proxy.log

2024/06/10 17:34:37| temporary disabling (Forbidden) digest from XXX.XXX.XXX.189

I don’t understand why I have this error.
From the commissioned machine, if I do a curl -x http://<rack private interface>:8000 http://archive.ubuntu.com/ubuntu/dists/jammy-security/InRelease I get an <!-- ERR_ACCESS_DENIED -->
Now, from the rack server, if I do a curl -x http://<region interface>:8000 http://archive.ubuntu.com/ubuntu/dists/jammy-security/InRelease I get the expected response.
After that, if I relaunch a curl from the commissioned machine, I get the expected response only for this URL.
I see that as long as the answer is not in the region controller cache, I have an access denied.
Do you have any idea about this problem, please?

Thank you

Hi @matthgyver, thanks for reaching out! Sorry you’re having issues with package installs during commissioning. Just to confirm, are you using the MAAS built-in proxy?

Hi @wyattrees,
Yes, I’m using the MAAS built-in proxy.

@matthgyver can you please provide both squid proxy configurations for the rack and region?

@wyattrees Here are the config files:

Region controller

# DO NOT EDIT.  This file is automatically created by MAAS.
# Last updated at 2024-06-11.

# Inspired by UDS's conference proxy

acl maas_proxy_manager proto cache_object
# Make sure that localnet has at least one entry in it, to avoid errors.
acl localnet src 127.0.0.0/8
acl localnet src 138.XXX.XXX.0/24
acl localnet src 10.XXX.XX.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
http_access allow maas_proxy_manager localhost
http_access deny maas_proxy_manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 transparent
http_port 8000
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \/Release(|\.gpg)$                        0    0%    0 refresh-ims
refresh_pattern \/InRelease$                              0    0%    0 refresh-ims
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$   0    0%    0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$     0    0%    0 refresh-ims
refresh_pattern .               0       20%     4320
forwarded_for delete
visible_hostname None
cache_mem 512 MB
minimum_object_size 0 MB
maximum_object_size 1024 MB
maximum_object_size_in_memory 100 MB
pid_filename /var/snap/maas/35359/proxy/squid.pid
mime_table /snap/maas/35359/usr/share/squid/mime.conf
pinger_program /snap/maas/35359/usr/lib/squid/pinger
unlinkd_program /snap/maas/35359/usr/lib/squid/unlinkd
logfile_daemon /snap/maas/35359/usr/lib/squid/log_file_daemon
icon_directory /snap/maas/35359/usr/share/squid/icons
error_directory /snap/maas/35359/usr/share/squid-langpack/en
coredump_dir /var/snap/maas/common/proxy/spool
cache_dir aufs /var/snap/maas/common/proxy/cache 40000 16 256
cache_access_log stdio:/var/snap/maas/common/log/proxy/access.log
cache_log /var/snap/maas/common/log/proxy/cache.log
cache_store_log stdio:/var/snap/maas/common/log/proxy/store.log
cache_effective_user snap_daemon
cache_effective_group snap_daemon

Rack controller

# DO NOT EDIT.  This file is automatically created by MAAS.
# Last updated at 2024-06-11.

# Inspired by UDS's conference proxy

acl maas_proxy_manager proto cache_object
# Make sure that localnet has at least one entry in it, to avoid errors.
acl localnet src 127.0.0.0/8
acl localnet src 138.XXX.XXX.0/24
acl localnet src 10.XXX.XX.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
http_access allow maas_proxy_manager localhost
http_access deny maas_proxy_manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 transparent
http_port 8000
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \/Release(|\.gpg)$                        0    0%    0 refresh-ims
refresh_pattern \/InRelease$                              0    0%    0 refresh-ims
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$   0    0%    0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$     0    0%    0 refresh-ims
refresh_pattern .               0       20%     4320
forwarded_for delete
visible_hostname None
cache_mem 512 MB
minimum_object_size 0 MB
maximum_object_size 1024 MB
maximum_object_size_in_memory 100 MB
pid_filename /var/snap/maas/35359/proxy/squid.pid
mime_table /snap/maas/35359/usr/share/squid/mime.conf
pinger_program /snap/maas/35359/usr/lib/squid/pinger
unlinkd_program /snap/maas/35359/usr/lib/squid/unlinkd
logfile_daemon /snap/maas/35359/usr/lib/squid/log_file_daemon
icon_directory /snap/maas/35359/usr/share/squid/icons
error_directory /snap/maas/35359/usr/share/squid-langpack/en
coredump_dir /var/snap/maas/common/proxy/spool
cache_dir aufs /var/snap/maas/common/proxy/cache 40000 16 256
cache_access_log stdio:/var/snap/maas/common/log/proxy/access.log
cache_log /var/snap/maas/common/log/proxy/cache.log
cache_store_log stdio:/var/snap/maas/common/log/proxy/store.log
cache_effective_user snap_daemon
cache_effective_group snap_daemon
cache_peer 138.XXX.XXX.XXX (Region controler IP) parent 8000 0 no-query default
never_direct allow all
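
Added example, not part of the original post and not MAAS or Squid code: the Via header in the region's loop warning carries the name None, which is the visible_hostname set in both posted configurations, and Squid recognises a forwarding loop by finding its own name (unique_hostname, falling back to visible_hostname) in Via. The check below, run over constructed excerpts of the two configurations, reports whether a child proxy and its parent peer identify themselves by the same name.

```python
import re

# Constructed excerpts: only the loop-relevant directives from the two
# configurations posted above (addresses masked as in the thread).
REGION_CONF = "visible_hostname None\nhttp_port 8000\n"
RACK_CONF = (
    "visible_hostname None\n"
    "http_port 8000\n"
    "cache_peer 138.XXX.XXX.XXX parent 8000 0 no-query default\n"
    "never_direct allow all\n"
)
# Via value copied from the region proxy.log warning above.
VIA_SEEN_BY_REGION = "1.1 None (squid/5.7)"


def directives(conf):
    """Map directive name -> list of argument strings, ignoring comments."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            out.setdefault(name, []).append(args.strip())
    return out


def via_name(conf):
    """Name Squid identifies itself by: unique_hostname, else visible_hostname."""
    d = directives(conf)
    for key in ("unique_hostname", "visible_hostname"):
        if key in d:
            return d[key][-1]
    return None  # not set: Squid falls back to the system hostname


def via_hosts(via):
    """Received-by names from a Via header value, in order."""
    return [m.group(1) for m in re.finditer(r"(?:^|,)\s*\S+\s+([^\s,(]+)", via)]


def loop_risk(child_conf, parent_conf):
    """True if the child forwards to a parent peer and both share one name."""
    peers = directives(child_conf).get("cache_peer", [])
    has_parent = any(p.split()[1:2] == ["parent"] for p in peers)
    name = via_name(child_conf)
    return has_parent and name is not None and name == via_name(parent_conf)


if __name__ == "__main__":
    print("name in Via seen by region:", via_hosts(VIA_SEEN_BY_REGION))
    print("rack/region share a name:", loop_risk(RACK_CONF, REGION_CONF))
```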

What subnet is the commissioning machine on?

On 10.XXX.XX.0/24.

To give you a more precise idea of my architecture, my rack controller has an interface in this network and another interface in the region controller. The region controller has only one interface.

Thanks

Hello @wyattrees
Did you see any problem in the configuration?