New Squid users often ask the same, or similar, questions about getting Squid to forward requests in the right way. Here I'll show you how to configure Squid for some common scenarios.
You simply need to define a parent and tell Squid it isn't allowed to connect directly to origin servers. For example:
cache_peer parent.host.name parent 3128 0 acl All src 0/0 never_direct allow All
The drawback to this configuration is that Squid can't forward cache misses if the parent goes down. If that happens, your users receive the "cannot forward" error message.
Try this configuration:
nonhierarchical_direct off prefer_direct off cache_peer parent.host.name parent 3128 0 default no-query
Or, if you'd like to use ICP with the other proxy:
nonhierarchical_direct off prefer_direct off cache_peer parent.host.name parent 3128 3130 default
With this configuration, Squid forwards all cache misses to the parent as long as it is alive. Using ICP should cause Squid to detect a dead parent quickly, but at the same time may incorrectly declare the parent dead on occasion.
Define an ACL to match the special request:
cache_peer parent.host.name parent 3128 0 acl Special dstdomain special.server.name always_direct allow Special
In this case, cache misses for requests in the special.server.name domain are always sent to the origin server. Other requests may, or may not, go through the parent cache.
Some ISPs (and other organizations) have upstream providers that force HTTP traffic through a filtering proxy (perhaps with HTTP interception). You might be able to get around their filters if you can use a different proxy beyond their network. Here's how you can send only special requests to the far-away proxy:
cache_peer far-away-parent.host.name parent 3128 0 acl BlockedSites dstdomain www.censored.com cache_peer_access far-away-parent.host.name allow BlockedSites never_direct allow BlockedSites