RE: cache_peer_access directive problem


Hi Amos, thanks a lot for the information.

If I understand correctly:

1 - Either I choose "round-robin" or "sourcehash". Both don't make sense, right?
Actually my problem is that I have 3 possible routings (2 with balancing):

    cache_peer host11.domain.com parent 8084 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3
    cache_peer host12.domain.com parent 8084 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3

    cache_peer host21.domain.com parent 9090 0 proxy-only no-query

    cache_peer host31.domain.com parent 8080 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3
    cache_peer host32.domain.com parent 8080 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3

My scope is to have a lot of different small conf files with the allow rule and the indication of which of the 3 alternatives to use (cache_peer_access).
Is what I've done reasonable (deny all the routes in squid.conf and just enable the interesting peer in each include file)?

2 - It is impossible to have a routing policy like "cache_peer_access" if I need some ACL based on IP destination. Are there some other possibilities to do that? ... actually 99% of my ACLs use dstdomain or regex but for some special needs I also need to configure URLs like http://IPADDRESS/ and I'd like to have the possibility to choose the right peer.

Kind regards,
Daniel Hubeli

P.S. Sorry for "top-posting" (OWA:))


On 5/07/2013 10:00 p.m., Hubeli Daniel wrote:
> Hi all, I'm writing for a small problem.

You have two problems actually...

>
> I have a squid instance (3.3.6) with different parents:
>      cache_peer host11.domain.com parent 8084 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3
>      cache_peer host12.domain.com parent 8084 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3
>      cache_peer host21.domain.com parent 9090 0 proxy-only no-query
>      cache_peer host31.domain.com parent 8080 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3
>      cache_peer host32.domain.com parent 8080 0 proxy-only no-query sourcehash round-robin connect-timeout=10 connect-fail-limit=3
>

Problem #1 - the above peers are in _two_ groups using *three* selection
types.

Squid will currently select only one peer using a fancy selection
algorithm (either sourcehash OR round-robin) - sourcehash is more
specific and will be used, the round-robin will never even be checked.
Followed by "First-Up" algorithm (all peers get tried in config file
order - first one to work wins). Followed by the default peer (first on
the configured list or marked with "default" option). No peer is listed
twice in the order of attempts. cache_peer_access purpose is to quickly
eliminate peers from selection up front.

You can see the selection algorithm choices in cache.log with
"debug_options 44,2".


Problem #2 is what you noticed ...

> To route the requests to the right parent and to make acls I include external files (include .......file1.conf).
>
> After all the inclusion and some other general settings (squid.conf) I close access to peers:
>      cache_peer_access  host11.domain.com parent deny all
>      cache_peer_access  host12.domain.com parent deny all
>      cache_peer_access  host21.domain.com parent deny all
>      cache_peer_access  host31.domain.com parent deny all
>      cache_peer_access  host32.domain.com parent deny all
>
> The include files look like (just the allow part):
>      http_access allow srcservers1 todomains1
>      http_access allow srcservers2 todomains2
>      cache_peer_access host11.domain.com allow todomains1
>      cache_peer_access host12.domain.com allow todomains2
>      cache_peer_access host11.domain.com allow todomains1
>      cache_peer_access host12.domain.com allow todomains2
>
> In general this solution works great but I've just found out that some rules don't work.

That would be all the ACL types marked "slow" in this list, yes?
   http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs

> By debugging a little bit I've discovered that the problem is an include file (as the one just described) that uses destination acls with IPs:
>
> if todomains1 is something like "acl todomains1 dstdomain www.sample.com" the "cache_peer_access host11.domain.com allow todomains1" works correctly
> if todomains1 is something like "acl toibmhmc dst 99.99.99.99" the "cache_peer_access host11.domain.com allow todomains1" doesn't work and all the cache_peer_access directives that follow don't work.
>
> Has someone any idea ?

cache_peer_access is a "fast" type access control check.

Amos
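
The two problems raised in this thread can be checked mechanically before a config is deployed. The following is an added example, not part of the original messages and not Squid project code: a small linter that flags `cache_peer` lines carrying both `sourcehash` and `round-robin`, and `cache_peer_access` rules that reference a slow-type ACL. It assumes the include files have already been concatenated into one text, and `SLOW_ACL_TYPES` is an assumed subset of the slow list on the wiki page linked above.

```python
# Assumption: a subset of the ACL types the Squid wiki lists as "slow"
# (they can need a DNS, ident, auth or helper lookup to evaluate).
SLOW_ACL_TYPES = {"dst", "srcdomain", "srcdom_regex", "ident", "ident_regex",
                  "proxy_auth", "proxy_auth_regex", "external"}
SELECTORS = {"sourcehash", "round-robin"}  # the two algorithms named in the thread

def lint_squid_conf(text):
    """Return [(line_no, message)] for a squid.conf given as one string."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if tok and not tok[0].startswith("#"):   # skip blanks and comment lines
            rows.append((n, tok))
    # Map each ACL name to the type(s) it is declared with.
    acl_types = {}
    for _, tok in rows:
        if tok[0] == "acl" and len(tok) >= 3:
            acl_types.setdefault(tok[1], set()).add(tok[2])
    findings = []
    for n, tok in rows:
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        if tok[0] == "cache_peer" and len(tok) > 5:
            used = sorted(SELECTORS & set(tok[5:]))
            if len(used) > 1:
                findings.append((n, f"{tok[1]}: {' and '.join(used)} both set; "
                                    "only one selection algorithm is applied"))
        # cache_peer_access <peer> allow|deny [!]aclname ...
        elif tok[0] == "cache_peer_access" and len(tok) >= 4:
            for ref in tok[3:]:
                name = ref.lstrip("!")
                slow = sorted(acl_types.get(name, set()) & SLOW_ACL_TYPES)
                if slow:
                    findings.append((n, f"{tok[1]}: ACL '{name}' is slow type "
                                        f"'{slow[0]}'; cache_peer_access is a fast check"))
    return findings

# Constructed sample, modelled on the directives quoted in the thread.
SAMPLE_CONF = """\
# constructed sample
cache_peer host11.domain.com parent 8084 0 proxy-only no-query sourcehash round-robin
cache_peer host21.domain.com parent 9090 0 proxy-only no-query
acl todomains1 dstdomain www.sample.com
acl toibmhmc dst 99.99.99.99
cache_peer_access host11.domain.com allow todomains1
cache_peer_access host21.domain.com allow toibmhmc
cache_peer_access host11.domain.com deny all
"""

if __name__ == "__main__":
    for line_no, message in lint_squid_conf(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```
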
