Re: [squid-users] icap_access and external_acl does not work

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 14 Oct 2004 23:05:26 +0200 (CEST)

On Thu, 14 Oct 2004, Christoph Haas wrote:

> Just to be sure: when I run through an "http_access allow ldapgroup42"
> wouldn't then the cache be refreshed?

Yes, at the time of http_access.

> So if I do the icap_access right
> after that I would always have this information in the cache, right?

Provided there is absolutely nothing else within Squid which delays the
request until icap_access is reached. I am not 100% familiar with where
icap_access is in the code but there are numerous points where requests may
be delayed within Squid:

   - http_access acl processing
   - redirectors
   - peer selection
   - and many more.

If I am not mistaken the icap_access is after redirectors, so if you use
redirectors there is a window while the request is being processed by the
redirector where the cached acl information may expire between http_access
and icap_access.

> (Assumed that the TTL is greater than the time needed to lookup the LDAP
> group. My TTL is set to 60 seconds.)

The TTL is counted from the time the answer arrives.

> I also assume that this behavior will not be removed shortly. Right?

Which?

The TTL is there permanently.

Over time more and more of the "fast only" acl lookups get converted to
full acl lookups, allowing Squid to postpone the processing of the request
until the required information is available.

Regards
Henrik
Received on Thu Oct 14 2004 - 15:05:29 MDT
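
Added example, not part of the original message and not Squid source code: a toy Python model of the timing window discussed above, where a cached external ACL answer is still fresh at http_access but expires during a redirector delay before a fast-only check at icap_access. The class and function names, the 2-second helper latency, the user name and the "age < TTL" freshness rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ExternalAclCache:
    """Toy model of an external ACL result cache (illustrative names only)."""
    ttl: float             # seconds, e.g. the 60 s TTL mentioned in the thread
    helper_latency: float  # constructed value: time the LDAP helper needs
    entries: dict = field(default_factory=dict)  # key -> (result, answered_at)

    def _fresh(self, key, now):
        hit = self.entries.get(key)
        return hit is not None and (now - hit[1]) < self.ttl

    def full_lookup(self, key, now, helper):
        """Lookup that may wait for the helper (the http_access case).
        Returns (result, time at which processing continues)."""
        if self._fresh(key, now):
            return self.entries[key][0], now
        answered_at = now + self.helper_latency
        # The TTL is counted from the time the answer arrives.
        self.entries[key] = (helper(key), answered_at)
        return self.entries[key][0], answered_at

    def fast_lookup(self, key, now):
        """Fast-only lookup: cannot wait, so None when nothing fresh is cached."""
        return self.entries[key][0] if self._fresh(key, now) else None


def process_request(cache, user, arrival, redirector_delay, helper):
    """http_access (full lookup) -> redirector delay -> icap_access (fast-only)."""
    allowed, t = cache.full_lookup(user, arrival, helper)
    t += redirector_delay
    return allowed, cache.fast_lookup(user, t)


def demo():
    in_group = lambda user: user == "alice"  # constructed stand-in for LDAP
    cache = ExternalAclCache(ttl=60.0, helper_latency=2.0)
    return [
        # Cold cache: answer arrives at t=2.0, fast check at t=2.5 sees it.
        process_request(cache, "alice", 0.0, 0.5, in_group),
        # Entry is 59.5 s old at http_access, no delay: still usable.
        process_request(cache, "alice", 61.5, 0.0, in_group),
        # Same arrival, 1 s in the redirector: entry is 60.5 s old, expired.
        process_request(cache, "alice", 61.5, 1.0, in_group),
    ]


if __name__ == "__main__":
    for http_result, icap_result in demo():
        print("http_access:", http_result, "icap_access fast lookup:", icap_result)
```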
