[squid-users] Using Squid 2.6 as a reverse proxy, but not for logged in users

From: Dan Moore <mooreds@dont-contact.us>
Date: Wed, 26 Dec 2007 11:11:24 -0700

Hi folks,

Is there any way to tell squid to cache all requests for a page, except
for any pages that are requested by a user with a certain cookie?

I am using Squid 2.6, stable 17. I am trying to set up a reverse proxy
to accelerate a client's website. After reading the conf file and the
ReverseProxy faq page, I have it almost set up correctly. (This is my
first squid installation.) I can see squid caching requests and the
files in the cache directory being written.

It's a simple configuration, with just one squid proxy in front of one
application server (Apache/Tomcat combination, which uses apache virtual
hosts), although if this works well in dealing with load, we might use
more than one proxy.

There are certain urls (like the login/logout response pages) that
should never be cached. I can do that with this line in the squid.conf:

acl LOGOUT_LOGIN_REQUEST urlpath_regex Login.do
cache deny LOGOUT_LOGIN_REQUEST

However, when a user is logged in, I don't want to cache anything--for
that user.

Originally, I was using
acl LOGGEDIN_SESS req_header Cookie [[:space:]]l=
cache deny LOGGEDIN_SESS

Where the cookie with the name 'l' indicates a user has logged in.
(There's another cookie that indicates that a user has logged in as well.)

However, while this works, it appears to remove any pages the user
visits from the cache (for everyone else) as well. That's not what I
intended, but on reading the docs, it seems entirely reasonable: this
ACL "cause[s] the request to not be satisfied from the cache and the
reply to not be cached."

A bit more searching revealed the always_direct header, which I can use
to force squid to direct certain requests to the origin server.

acl LOGGEDIN_SESS req_header Cookie [[:space:]]l=
always_direct allow LOGGEDIN_SESS

I thought that would work, as always sending the request to the origin
server is exactly what I wanted. However, I'm getting a 504 error in
the browser when a user is logged in and requests a page. In the access
log, I see this: "TCP_CLIENT_REFRESH_MISS:DIRECT".
According to http://wiki.squid-cache.org/SquidFaq/SquidLogs, 'DIRECT'
means that "The object was fetched from the origin server". But it was
not returned to the user. However, the parent does not show the request
in its logs, even though it is specified as the 'originserver' in the
cache_peer line.

Should I turn on any particular debugging? I turned on all debugging to
level 8, and saw this message in the logs (twice):

2007/12/26 10:37:51| WARNING: Forwarding loop detected for:
2007/12/26 10:37:51| storeCreateEntry: 'http://stage.chfops.net/'

Googling on that error message revealed that this message happens
whenever Squid sees the same request twice. I theorize that squid gets
the request for stage.chfops.net, views the request header, sees that it
should direct to the origin server, and directs to stage.chfops.net
(rather than reading in the cache_peer line that says that the origin
server is 65.xxx.xxx.xxx and forwarding to that server), which is how
the loop happens.

I read through the FAQ pages and didn't see anything that seemed to
apply, except for the always_direct directive. I googled for
always_direct and "reverse proxy" but didn't see anything. Same results
with searching the squid-users list.

Any ideas or pointers would be appreciated. If what I want to do just
can't be done, I'd appreciate knowing that too.

Thanks for any pointers,
Dan

PS Below is the full text of my squid.conf, configured such that logged
in users get the 504 error (comments, whitespace removed).
--------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl our_sites dstdomain stage.chfops.net
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_sites
http_access deny all
icp_access allow all
http_port 80 accel vhost
cache_peer 65.38.188.180 parent 80 0 no-query originserver login=PASS
hierarchy_stoplist cgi-bin ?
acl GWT_RPC urlpath_regex /rs/
cache deny GWT_RPC
acl WRITE_REQUESTS urlpath_regex /rw/
cache deny WRITE_REQUESTS
acl REG_WRITE_REQUESTS urlpath_regex Register.do
cache deny REG_WRITE_REQUESTS
acl LOGOUT_LOGIN_REQUEST urlpath_regex Login.do
cache deny LOGOUT_LOGIN_REQUEST
cache_mem 200 MB
maximum_object_size_in_memory 160 KB
cache_dir ufs /var/cache/squid/cache 3500 16 256
logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
debug_options ALL,1 20,9
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_effective_user nobody
acl LOGGEDIN_PERS req_header Cookie [[:space:]]Password=
always_direct allow LOGGEDIN_PERS
acl LOGGEDIN_SESS req_header Cookie [[:space:]]l=
always_direct allow LOGGEDIN_SESS
coredump_dir /var/spool/squid
--------------
Received on Wed Dec 26 2007 - 11:13:00 MST
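Added example (mine, not code from Dan's post and not part of Squid): a small evaluator that runs the regex ACLs from the posted squid.conf against constructed requests, so you can see what `urlpath_regex` and `req_header Cookie` actually match before relying on them for a cache bypass. It assumes Squid's documented behaviour that ACL regexes are POSIX extended regexes matched unanchored against the subject, and that header values are stored with surrounding whitespace stripped; the POSIX class translation, the sample requests and the `TIGHTER_CONF` patterns are my own suggestions, not anything from the post. Note what it shows about the posted `[[:space:]]l=` pattern: because the Cookie value has no leading space, a session whose `l` cookie is the first cookie in the header is not matched at all, and `Login.do` with an unescaped dot also matches a path such as `/LoginXdo`.

```python
import re

# Constructed excerpt: the regex ACLs from the squid.conf posted above and the
# directives that reference them (GWT_RPC and REG_WRITE_REQUESTS are left out;
# they behave like the two kept urlpath_regex ACLs).
POSTED_CONF = r"""
acl WRITE_REQUESTS urlpath_regex /rw/
cache deny WRITE_REQUESTS
acl LOGOUT_LOGIN_REQUEST urlpath_regex Login.do
cache deny LOGOUT_LOGIN_REQUEST
acl LOGGEDIN_PERS req_header Cookie [[:space:]]Password=
always_direct allow LOGGEDIN_PERS
acl LOGGEDIN_SESS req_header Cookie [[:space:]]l=
always_direct allow LOGGEDIN_SESS
"""

# Assumed tighter patterns (my suggestion, not from the post): anchor the cookie
# name to the start of the header value or to a preceding ';', and escape the
# '.' of Login.do so the ACL cannot match a path such as /LoginXdo.
TIGHTER_CONF = r"""
acl WRITE_REQUESTS urlpath_regex /rw/
cache deny WRITE_REQUESTS
acl LOGOUT_LOGIN_REQUEST urlpath_regex Login\.do
cache deny LOGOUT_LOGIN_REQUEST
acl LOGGEDIN_PERS req_header Cookie (^|;[[:space:]]*)Password=
always_direct allow LOGGEDIN_PERS
acl LOGGEDIN_SESS req_header Cookie (^|;[[:space:]]*)l=
always_direct allow LOGGEDIN_SESS
"""

# Squid compiles ACL regexes with regcomp(REG_EXTENDED). Python's re has no
# POSIX bracket classes, so the ones likely to appear are rewritten.
_POSIX_CLASSES = {"[:space:]": r"\s", "[:digit:]": r"\d", "[:alpha:]": "a-zA-Z"}


def posix_ere_to_python(pattern):
    for name, replacement in _POSIX_CLASSES.items():
        pattern = pattern.replace(name, replacement)
    return pattern


def compile_patterns(tokens):
    """One acl line's patterns: a leading -i means case-insensitive, and several
    patterns on one line are alternatives, as in Squid."""
    flags = 0
    if tokens and tokens[0] == "-i":
        flags, tokens = re.IGNORECASE, tokens[1:]
    return [re.compile(posix_ere_to_python(t), flags) for t in tokens]


def parse_conf(conf):
    """Return acl name -> (kind, header, patterns) plus the acl names referenced
    by 'cache deny' and by 'always_direct allow'."""
    acls, cache_deny, always_direct = {}, [], []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[0] == "acl" and parts[2] == "urlpath_regex":
            acls.setdefault(parts[1], ("urlpath", None, []))[2].extend(
                compile_patterns(parts[3:]))
        elif parts[0] == "acl" and parts[2] == "req_header" and len(parts) >= 5:
            acls.setdefault(parts[1], ("header", parts[3].lower(), []))[2].extend(
                compile_patterns(parts[4:]))
        elif parts[:2] == ["cache", "deny"]:
            cache_deny.extend(parts[2:])
        elif parts[:2] == ["always_direct", "allow"]:
            always_direct.extend(parts[2:])
    return acls, cache_deny, always_direct


def evaluate(conf, path, headers):
    """Match one request against the regex ACLs in conf and report which
    directives fire. 'path' is what urlpath_regex sees (path plus query string);
    'headers' maps lower-case names to values as Squid stores them, with the
    whitespace around the value already stripped. That stripping is why
    '[[:space:]]l=' can never match a Cookie header whose first cookie is l=.
    Matching is unanchored, like regexec() over the whole subject."""
    acls, cache_deny, always_direct = parse_conf(conf)
    matched = []
    for name, (kind, header, patterns) in acls.items():
        subject = path if kind == "urlpath" else headers.get(header)
        if subject is not None and any(p.search(subject) for p in patterns):
            matched.append(name)
    return {
        "matched": sorted(matched),
        "cache_deny": any(name in matched for name in cache_deny),
        "always_direct": any(name in matched for name in always_direct),
    }


# Constructed sample requests: (label, path, Cookie header value or None).
SAMPLE_REQUESTS = [
    ("anonymous page", "/index.jsp", None),
    ("session cookie first", "/index.jsp", "l=abc123; JSESSIONID=XYZ"),
    ("session cookie second", "/index.jsp", "JSESSIONID=XYZ; l=abc123"),
    ("cookie name ending in l", "/index.jsp", "JSESSIONID=XYZ; xl=1"),
    ("persistent login, write", "/rw/save", "JSESSIONID=XYZ; Password=hunter2"),
    ("lookalike path", "/LoginXdo", None),
]

if __name__ == "__main__":
    for label, path, cookie in SAMPLE_REQUESTS:
        headers = {"cookie": cookie} if cookie is not None else {}
        print(f"{label:24} posted={evaluate(POSTED_CONF, path, headers)}")
        print(f"{'':24} tighter={evaluate(TIGHTER_CONF, path, headers)}")
```

This models only which ACLs match and which `cache deny` / `always_direct allow` lines they trigger; it says nothing about where Squid then forwards the request, so it does not reproduce the forwarding loop described in the message. Its point is narrower: verify the patterns against real Cookie headers (in particular one where the session cookie comes first) before concluding that a bypass rule is or is not firing, because a request the ACL silently fails to match is served from the cache like any anonymous request.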
