Re: How to trick splay trees?

[Eliezer Croitoru <eliezer@xxxxxxxxxxxx>]

On 7/31/2012 12:50 PM, Jannis Kafkoulas wrote:
> Thanks for the quick answer!
>
> Now I see that I didn't express myself precisely enough :-(
>
> "to also go via  cache_peer par-alt." wasn't meant as an alternative (either or) but as "as well as the domain ".fa-intracomp.net" :-)
>
> in other words, abc.intracomp.com should be directed only to par-alt.
>
> ...
>
> thanks
so it's pretty simple..
as the acls goes for first "HITS" there is nothing to trick the splay 
trees but just use a more explicit ACLS with a "deny" one first.

##start
acl alt dstdomain .fa-intracomp.net
acl std dstdomain .intracomp.com
acl alt-2 dstdom_regex -i abc.intracomp.com

cache_peer 192.10.10.22    parent    3128    0     no-query login=PASS 
proxy-only no-digest name=par-std
cache_peer 192.10.10.22    parent    80    0     no-query login=PASS 
proxy-only no-digest name=par-alt
#first use an explicit dney for the abc...
# so first this domain will not pass using this proxy
# then allow the other proxy.
# and it's recommended to separate the acls for the two proxies.
cache_peer_access  par-std deny alt-2
cache_peer_access  par-alt  allow alt-2
cache_peer_access  par-alt  allow alt
cache_peer_access  par-std  allow std
##end

i would put it in my squid.conf in another order for it t be more 
understandable for the human eye\mind to match the algorithm that squid 
uses for acls.

##start

#acls part with notes about purpose of each acl if neede.
acl alt dstdomain .fa-intracomp.net
acl std dstdomain .intracomp.com
acl alt-2 dstdom_regex -i abc.intracomp.com


#cache peers part:

#cache peer 1
cache_peer 192.10.10.22    parent    3128    0     no-query login=PASS 
proxy-only no-digest name=par-std

#cache peer 1 acls
cache_peer_access  par-std deny alt-2
cache_peer_access  par-std  allow std
#....


#cache peer 2
cache_peer 192.10.10.22    parent    80    0     no-query login=PASS 
proxy-only no-digest name=par-alt

#cache peer 2 acls
cache_peer_access  par-alt  allow alt-2
cache_peer_access  par-alt  allow alt

##end

so you do know which proxy will match first explictly
you will have the acls ordered per cache_peer and there for you see 
better how squid will approach to the cache_peers.

Regards,
Eliezer


> --- El Lun 30/7/12, Amos Jeffries <squid3@xxxxxxxxxxxxx> escribió:
>
> > De: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> > Asunto: Re:  How to trick splay trees?
> > Para: squid-users@xxxxxxxxxxxxxxx
> > Fecha: Lunes 30 de Julio de 2012 15:25
> > On 31/07/2012 1:25 a.m., Jannis
> > Kafkoulas wrote:
> > > Hi,
> > >
> > > (I use squid 2.7. STABLE9 on RedHat EL 5.6)
> > >
> > > Following problem:
> > >
> > > I have following dstdomains defined
> > > going to par-std and par-alt  cache_peers
> > respectively:
> > > acl alt dstdomain .fa-intracomp.net
> > > acl std dstdomain .intracomp.com
> > >
> > > Now I'd like  "abc.intracomp.com"  to also go
> > via  cache_peer par-alt.
> > > Following two tries didn't work:
> > >
> > > # acl alt-2 dstdom_regex -i abc.intracomp.com
> > > # acl alt dstdomain abc.intracomp.com
> >
> > The dstdomain one is faster. Both are correct for your
> > requested policy.
> > The key word you stated being "also" ...
> >
> > > The requests were sent to par-std cache_peer
> > >
> > > cache_peer 192.10.10.22    parent
> >    3128    0     no-query
> > login=PASS proxy-only no-digest name=par-std
> > > cache_peer 192.10.10.22    parent
> >    80    0     no-query
> > login=PASS proxy-only no-digest name=par-alt
> > > cache_peer_access  par-alt  allow alt-2
> > > cache_peer_access  par-alt  allow alt
> > > cache_peer_access  par-std  allow std
> > >
> > >
> > > Is there a way for that to work at all?
> >
> > Unless given some specific selection algorithm (digest, ICP,
> > hshes,
> > carp, roundrobin etc) Squid lists peers in configuration
> > order when
> > attemping to pass traffic.
> >
> > As I said above the key word in your policy statements is
> > "also" - with
> > both peers *available* for use Squid will pick the first one
> > that works.
> > With par-std being listed first your logs will show it being
> > used until
> > such time as it becomes unresponsive or overloaded. Then
> > par-alt will
> > pick up the slack for that one domain.
> >
> > I think you are looking at the logs and seeing only par-std,
> > thinking
> > its not working when actually it is. You can test by
> > changing the order
> > of cache_peer definitions in your config and seeing the
> > preferred peer
> > switch to the par-alt when the new ACL is added.
> >
> > NOTE: you canot send a request via *both* using TCP unicast
> > links, just one.
> >
> > Amos


--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il