Re: [squid-users] cache_peer_access directive problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 06 Jul 2013 03:21:16 +1200

On 5/07/2013 10:00 p.m., Hubeli Daniel wrote:
> Hi all, I'm writing for a small problem.

You have two problems actually...

>
> I have a squid instance (3.3.6) with different parents:
> cache_peer host11.domain.com parent 8084 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3
> cache_peer host12.domain.com parent 8084 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3
> cache_peer host21.domain.com parent 9090 0 proxy-only no-query
> cache_peer host31.domain.com parent 8080 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3
> cache_peer host32.domain.com parent 8080 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3
>

Problem #1 - the above peers are in _two_ groups using *three* selection
types.

Squid will currently select only one peer using a fancy selection
algorithm (either sourcehash OR round-robin) - sourcehash is more
specific and will be used, the round-robin will never even be checked.
Followed by "First-Up" algorithm (all peers get tried in config file
order - first one to work wins). Followed by the default peer (first on
the configured list or marked with "default" option). No peer is listed
twice in the order of attempts. The purpose of cache_peer_access is to quickly
eliminate peers from selection up front.

You can see the selection algorithm choices in cache.log with
"debug_options 44,2".

Problem #2 is what you noticed ...

> To route the requests to the right parent and to make acls I include external files (include .......file1.conf).
>
> After all the inclusion and some other general settings (squid.conf) I close access to peers:
> cache_peer_access host11.domain.com parent deny all
> cache_peer_access host12.domain.com parent deny all
> cache_peer_access host21.domain.com parent deny all
> cache_peer_access host31.domain.com parent deny all
> cache_peer_access host32.domain.com parent deny all
>
> The include files look like (just the allow part):
> http_access allow srcservers1 todomains1
> http_access allow srcservers2 todomains2
> cache_peer_access host11.domain.com allow todomains1
> cache_peer_access host12.domain.com allow todomains2
> cache_peer_access host11.domain.com allow todomains1
> cache_peer_access host12.domain.com allow todomains2
>
> In general this solution works great but I've just found out that some rules don't work.

That would be all the ACL types marked "slow" in this list, yes?
   http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs

> By debugging a little bit I've discovered that the problem is an include file (as the one just described) that uses destination acls with IPs:
>
> if todomains1 is something like "acl todomains1 dstdomain www.sample.com" the "cache_peer_access host11.domain.com allow todomains1" works correctly
> if todomains1 is something like "acl toibmhmc dst 99.99.99.99" the "cache_peer_access host11.domain.com allow todomains1" doesn't work and all the directives of cache_peer_access that follow don't work.
>
> Has someone any idea ?

cache_peer_access is a "fast" type access control check.

Amos
Received on Fri Jul 05 2013 - 15:21:32 MDT
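
Added example, not part of the original message and not Squid project code: a small Python check that scans squid.conf text for cache_peer_access lines referencing an ACL of a "slow" type, the situation discussed in this thread. The function name, the sample config and the slow-type set are assumptions; the set follows the Fast/Slow list on the wiki page linked above and should be checked against your Squid version.

```python
# Assumption: ACL types that need an asynchronous lookup ("slow"), following
# the Fast/Slow ACL list on the Squid wiki; verify against your Squid version.
SLOW_ACL_TYPES = {
    "dst", "dst_as", "srcdomain", "srcdom_regex", "ident", "ident_regex",
    "proxy_auth", "proxy_auth_regex", "external",
}

def find_slow_acls_in_peer_access(conf_text):
    """Return (line_no, peer, acl_name, acl_type) for every slow ACL
    referenced by a cache_peer_access line (hypothetical helper)."""
    acl_types = {}   # ACL name -> type, from "acl <name> <type> ..." lines
    peer_rules = []  # (line_no, peer, [ACL names]) from cache_peer_access
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) >= 3 and tokens[0] == "acl":
            # The first definition fixes the type; later lines only add values.
            acl_types.setdefault(tokens[1], tokens[2])
        elif len(tokens) >= 4 and tokens[0] == "cache_peer_access":
            # Syntax: cache_peer_access <peer> allow|deny [!]aclname ...
            names = [t.lstrip("!") for t in tokens[3:]]
            peer_rules.append((line_no, tokens[1], names))
    findings = []
    for line_no, peer, names in peer_rules:
        for name in names:
            acl_type = acl_types.get(name)  # built-ins such as "all" -> None
            if acl_type in SLOW_ACL_TYPES:
                findings.append((line_no, peer, name, acl_type))
    return findings

# Constructed sample config, modelled on the names used in this thread.
SAMPLE_CONF = """\
acl todomains1 dstdomain www.sample.com
acl toibmhmc dst 99.99.99.99
cache_peer host11.domain.com parent 8084 0 proxy-only no-query
cache_peer host12.domain.com parent 8084 0 proxy-only no-query
cache_peer_access host11.domain.com allow todomains1
cache_peer_access host12.domain.com allow toibmhmc
cache_peer_access host11.domain.com deny all
cache_peer_access host12.domain.com deny all
"""

if __name__ == "__main__":
    for line_no, peer, name, acl_type in find_slow_acls_in_peer_access(SAMPLE_CONF):
        print(f"line {line_no}: cache_peer_access {peer} references slow ACL "
              f"'{name}' (type {acl_type})")
```

To cover a configuration split across include files, concatenate them in load order before passing the text in.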
