ACLs are evaluated short-circuit. If you have this:
acl clientA src 1.2.3.0/24
acl clientB src 1.2.4.0/24
acl youtube (expensive regexp)
acl microsoft (expensive regexp)
http_access deny clientA youtube
http_access deny clientB microsoft
the http_access lines are evaluated in order from top to bottom, and stop being
evaluated across each http_access line if one of the ACLs fails.
So the expensive youtube regexp ACL will only be processed by requests from clientA.
Requests from clientB won't ever hit the youtube ACL lookup.
If you know how to craft ACLs then you can avoid almost all of the penalties.
Adrian
On Tue, Dec 04, 2007, Rishav Upadhaya wrote:
> Hello,
>
> I am new to squid.
>
> Under the following scenario please throw some lights.
>
> I have a small ISP. I have around 50 clients that are basically
> offices. Each clients shares internet in around 10 computers. Some
> offices doesn't requires windows update while some offices doesn't
> requires anti-virus updates. Similarly some offices don't want their
> staff to browse sites like youtube.com.
>
> Instead of telling them how to turn off windows update or Anitvirus
> update I want to control that in server level. I thought of making
> different ACL in my squid server.
>
> Like deny if clients=xyz and site= windows update
> deny if clients=abc and site= youtube.com
> and so on
>
> But my senior told me that making many ACL will hampers squid process.
>
> So I want to know how many ACL is suitable in a single squid server.
> How many ACL is safe enough so as not to hamper squid's process.
>
> Please help.
>
> Thanks in advance
>
> Regards
> Rishav Upadhaya
-- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -Received on Tue Dec 04 2007 - 13:08:57 MST
This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST