On Mon, 26 Oct 2009 01:06:21 -0700 (PDT), Frito Lay <lameventanas@xxxxxxxxx> wrote:

> Hello list,
>
> Some medieval country that shall remain unnamed is blocking access to some
> specific websites, but the list of websites is huge, dynamic, and not
> public.
>
> I have two proxy servers, one of which is located outside of this
> firewall, but access to this proxy server is slower than to the local one.
>
> I would like to configure the local proxy to use a peer cache based on the
> geoip address of the destination.
>
> If the required object belongs to a specific country then the request will
> go through the second proxy.
>
> I know about the cache_peer_domain option, but I would like to use a geoip
> based solution.
>
> So this is what I came up with:
>
> external_acl_type GeoIP ttl=1 negative_ttl=1 children=1 concurrency=0 %DST /var/tmp/acl_geoip.pl
> acl AclGeoIP external GeoIP
> cache_peer 10.160.48.250 sibling 8080 0 name=external_proxy
> cache_peer_access external_proxy allow AclGeoIP
> cache_peer_access external_proxy deny all
>
> /var/tmp/acl_geoip.pl is a dummy script that logs its input and returns
> "OK":
>
> #!/usr/bin/perl
> # log everything this helper instance receives to its own file
> open FD, ">/tmp/test.$$" or die "cannot open /tmp/test.$$: $!";
> # unbuffer both the log file and STDOUT (Squid waits for each reply line)
> select FD;
> $|=1;
> select STDOUT;
> $|=1;
> print FD "Starting $0 with parameters: ".join(', ',@ARGV)."\n";
>
> # one request per line from Squid; answer "OK" (match) for every one
> while (<STDIN>) {
>     print FD $_;
>     print "OK\n";
> }
> close FD;
>
> I can see the "Starting xxx with parameters xxx" in the log file, but
> nothing else is written.
>
> This is what I get on the logs when visiting yahoo:
>
> 2009/10/26 16:08:10.776| FwdState::start() 'http://www.yahoo.com/'
> 2009/10/26 16:08:10.776| StoreEntry::lock: key '312257ED4F8C8AE02ABE51C413EC3927' count=2
> 2009/10/26 16:08:10.776| peerSelect: http://www.yahoo.com/
> 2009/10/26 16:08:10.776| StoreEntry::lock: key '312257ED4F8C8AE02ABE51C413EC3927' count=3
> 2009/10/26 16:08:10.776| peerSelectFoo: 'GET www.yahoo.com'
> 2009/10/26 16:08:10.776| peerCheckNetdbDirect: MY RTT = 0 msec
> 2009/10/26 16:08:10.776| peerCheckNetdbDirect: minimum_direct_rtt = 400 msec
> 2009/10/26 16:08:10.776| peerCheckNetdbDirect: MY hops = 0
> 2009/10/26 16:08:10.776| peerCheckNetdbDirect: minimum_direct_hops = 4
> 2009/10/26 16:08:10.776| whichPeer: from 0.0.0.0 port 0
> 2009/10/26 16:08:10.776| peerSelectFoo: direct = DIRECT_MAYBE
> 2009/10/26 16:08:10.776| peerDigestLookup: peer 10..160.48.250
> 2009/10/26 16:08:10.776| aclCheckFast: list: 0xb81bc748
> 2009/10/26 16:08:10.776| ACLChecklist::preCheck: 0xbfa30b24 checking 'cache_peer_access external_proxy allow AclGeoIP'
> 2009/10/26 16:08:10.776| ACLList::matches: checking AclGeoIP
> 2009/10/26 16:08:10.776| ACL::checklistMatches: checking 'AclGeoIP'
> 2009/10/26 16:08:10.776| aclMatchExternal: GeoIP("www.yahoo.com") = lookup needed
> 2009/10/26 16:08:10.776| aclMatchExternal: "www.yahoo.com": entry=@0, age=0
> 2009/10/26 16:08:10.776| aclMatchExternal: "www.yahoo.com": queueing a call.
> 2009/10/26 16:08:10.776| aclMatchExternal: "www.yahoo.com": return -1.
> 2009/10/26 16:08:10.776| ACL::ChecklistMatches: result for 'AclGeoIP' is -1
> 2009/10/26 16:08:10.776| ACLList::matches: result is false
> 2009/10/26 16:08:10.776| aclmatchAclList: 0xbfa30b24 returning false (AND list entry failed to match)
> 2009/10/26 16:08:10.776| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
> 2009/10/26 16:08:10.776| ACLChecklist::preCheck: 0xbfa30b24 checking 'cache_peer_access external_proxy deny all'
> 2009/10/26 16:08:10.776| ACLList::matches: checking all
> 2009/10/26 16:08:10.776| ACL::checklistMatches: checking 'all'
> 2009/10/26 16:08:10.776| aclMatchIp: '172.16.10.10' found
> 2009/10/26 16:08:10.776| ACL::ChecklistMatches: result for 'all' is 1
> 2009/10/26 16:08:10.776| ACLList::matches: result is true
>
> So the acl is evaluated, returns false, and the log file doesn't have any
> output. How come?

Nope. The helper is a "slow" category lookup being used in a "fast" category access list. The helper is never called, just the existing results cache tested to see if a result is known.

http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs

To get this to work you need to use the ACL in a "slow" category access list such as http_access first to get the result cached in Squid so it can be retrieved without any delays by cache_peer_access.

Amos
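The following is an added example, not code from the thread or from the Squid project: a Python version of the poster's dummy helper that speaks the same Squid external ACL line protocol (one `%DST` value per line in, `OK`/`ERR` per line out, with the channel id echoed back when `concurrency` is greater than zero) but actually returns a verdict based on the destination's country. The GeoIP database is replaced by a constructed hostname-to-country table (`COUNTRY_OF`) so the script runs offline; the `PEER_COUNTRIES` set, the `XX` placeholder code and the squid.conf lines in the docstring are assumptions. In that docstring the `http_access deny AclGeoIP !all` rule is my suggested way of doing what Amos describes: it is a slow-list use of AclGeoIP that performs and caches the lookup but never denies anything, because `!all` never matches.

```python
#!/usr/bin/env python3
"""Squid external ACL helper (added example, not the thread's own script).

Assumed squid.conf wiring, following the original post plus Amos's advice to
evaluate the external ACL in a slow list (http_access) before the fast
cache_peer_access check reads the cached result:

    external_acl_type GeoIP ttl=300 negative_ttl=300 children=5 concurrency=10 %DST /var/tmp/acl_geoip.py
    acl AclGeoIP external GeoIP
    # forces the GeoIP lookup and caches it; "!all" never matches, so nothing is denied
    http_access deny AclGeoIP !all
    cache_peer 10.160.48.250 sibling 8080 0 name=external_proxy
    cache_peer_access external_proxy allow AclGeoIP
    cache_peer_access external_proxy deny all
"""
import sys

# Constructed sample data standing in for a real GeoIP database lookup.
COUNTRY_OF = {
    "www.example.com": "US",
    "www.example.net": "DE",
    "www.example.org": "XX",   # "XX" is a placeholder country code
}

# Assumed policy: destinations in these countries are fetched via the peer.
PEER_COUNTRIES = {"XX"}


def lookup_country(host):
    """Return the country code for host, or None when it is unknown."""
    return COUNTRY_OF.get(host.lower().rstrip("."))


def decide(host):
    """External ACL verdict for one destination: 'OK' (match) or 'ERR' (no match)."""
    return "OK" if lookup_country(host) in PEER_COUNTRIES else "ERR"


def handle_line(line):
    """Turn one request line from Squid into the reply line to send back.

    concurrency=0 : Squid sends "<host>" and expects "OK" or "ERR".
    concurrency>0 : Squid sends "<channel-id> <host>" and expects the channel
                    id echoed in front of the verdict so it can pair replies
                    with requests that were answered out of order.
    """
    parts = line.strip().split()
    if not parts:
        return "ERR"                      # empty or garbled input: no match
    if len(parts) == 2 and parts[0].isdigit():
        channel, host = parts
        return "%s %s" % (channel, decide(host))
    return decide(parts[0])


def main():
    # Flush after every reply: Squid blocks until the answer line arrives.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Place the `http_access deny AclGeoIP !all` line before any `http_access allow` rule that would match the same clients (for example an `allow localnet` line), because http_access stops at the first matching rule and a later position would never be reached; and keep `ttl`/`negative_ttl` large enough that the cached verdict is still present when cache_peer_access consults it.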