On 6/09/2013 11:17 p.m., Nikolai Gorchilov wrote:
OK. Here's the relevant section in my squid config in case you need it:
===[cut]===
# vcache peer setup
cache_peer 127.0.0.1 parent 8088 9999 proxy-only no-digest name=vcache
acl vcache url_regex -i "/z/vcache/etc/squid3/vcache.acl"
cache_peer_access vcache allow vcache
cache_peer_access vcache deny all
# external routing helper
external_acl_type router children-max=20 children-startup=1 children-idle=1 concurrency=10000 %METHOD %URI %PROTO /z/vcache/bin/router.js
# returns either:
# <channel> ERR
# <channel> OK tag=peer-miss
# <channel> OK tag=peer-hit
# force direct in case of ERR
acl 2peer external router
always_direct allow !2peer
# TOS marking based on routing helper response. Checking for the
# effect with: tcpdump -i eth0 -v -n ip and ip[1]=0x10
acl peering tag peer-hit # doesn't work with this acl in Squid 3.3.8
#acl peering src 10.211.55.2 # TOS marking works as expected with this acl
clientside_tos 0x10 peering
clientside_tos 0x00 !peering
===[cut]===
Hope this helps!
It does indeed. You are not checking the external_acl_type helper early
enough in the request processing sequence.
The clientside_tos directive is processed and TOS selected before the
request upstream destination is selected.
always_direct is part of that upstream destination selection processing
which follows.
You can test it in http_access like this before allowing traffic:
http_access deny router !all
This runs the helper lookup but !all is an impossible match and prevents
the deny action happening.
Alternatively, you can just stick 'router' ACL test on the end of your
allow http_access lines.
Or, contribute a code change making clientside_tos matching a
slow/non-blocking access check. There appears to be no reason for it to
be fast-group in the current releases.
Amos
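
The first fix from the reply, as an added squid.conf sketch that is not part of the original thread. It uses the ACL name `2peer` that the quoted config defines for the `router` helper; the `localnet` ACL and its address range are constructed placeholders for whatever allow rules the real config has.

```squidconf
# Added example, not from the original posts.

# External helper and the ACL that calls it (from the quoted config).
external_acl_type router children-max=20 children-startup=1 children-idle=1 concurrency=10000 %METHOD %URI %PROTO /z/vcache/bin/router.js
acl 2peer external router

# Constructed placeholder ACL; substitute the site's own client ranges.
acl localnet src 10.0.0.0/8

# Force the helper lookup while http_access is evaluated.
# "!all" can never match, so this rule never denies anything;
# listing 2peer first only makes Squid run the slow lookup here,
# so the helper's tag= value is attached to the request early.
http_access deny 2peer !all

# Assumed existing access rules.
http_access allow localnet
http_access deny all

# Checked after http_access, so the tag set by the lookup above
# is already available when these rules are evaluated.
acl peering tag peer-hit
clientside_tos 0x10 peering
clientside_tos 0x00 !peering

# Upstream selection happens later still and is unchanged.
always_direct allow !2peer
```

The effect can be confirmed with the tcpdump filter from the quoted config: `tcpdump -i eth0 -v -n ip and ip[1]=0x10`.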