Re: [squid-users] external ACL check sporadically failing

On Tue, Apr 15, 2003 at 08:54:30AM +0200, Henrik Nordstrom wrote:
> Alex Tsalolikhin wrote:
> >
> > Hi,
> >
> > Problem: We need to limit access to our Squid installation
> > to ~90,000 specified ip addresses.
> >
> > We've set up an external_acl_type and external acl checker
> > to check the ip address against the flat file listing the
> > permitted ip addresses, and this mostly works, but not always:
> > squid access log occasionally shows TCP_DENIED/403 for IP
> > addresses that _are_ in the allow file and that should have
> > been let through.
> >
> > After adding logging to the external acl checker, I see that
> > the external acl checker was never queried about the ip addreses
> > that got denied.
>
> Odd.. it should have got queried at least once...
>
> Is your problem persistent, or does it help if the user just retries the
> request?

Checking access log I can find an instance where a user
gets a TCP_DENIED/403, and three seconds later gets a
TCP_MISS/000, and two seconds later gets a TCP_MISS/200:

(not real client ip address)

Mon Apr 7 20:56:59 2003 5 0.0.0.1 TCP_DENIED/403 1493 GET ...
Mon Apr 7 20:57:02 2003 3582 0.0.0.1 TCP_MISS/000 0 GET ...
Mon Apr 7 20:57:04 2003 307 0.0.0.1 TCP_MISS/200 3111 GET ...

I can also find other instances where a client ip address
receieved TCP_DENIED/403, and then an hour and a half or two
hour later same client ip got TCP_MISS/200.

The problem is sporadic.

> There is a known bug in 2.5.STABLE2 where external acl lookups
> occationally can give a false negative if there is a second request just
> as the acl lookup of another request with the same acl information is
> being verified, but I do not know of any bugs where the external helper
> is not queried at all.
>
>
> http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE2-concurrent_external_acl

The synopsis for the bug you mention reads (emphasis mine):

    If you are using a external acl BASED ON DATA WHICH CHANGES
    DURING A BROWSING SESSION then false negatives may be seen
    if there is multiple requests immediately after the request
    data used by the acl has changed, or other situations where
    there may be multiple concurrent requests for the same
    external acl lookup.

This does not sound like what we are running into, as our ip list
is updated once a day, and we get these false negatives throughout
the day.

We'll try applying the two external_acl patches for 2.5 in any case.

Thanks!
Alex
Received on Tue Apr 15 2003 - 08:15:18 MDT