On 14/12/2014 5:49 p.m., dkovacevic wrote:
> I have an external_acl_type directive which returns "OK" or "ERR"
> depending on a database query.

Ok.

>
> The problem is this: when the database is updated, which should
> permit the site to be accessed,

Ok.

> Squid has the previous response cached,

Irrelevant. ACL managing *access* to an object does not matter where it comes from, the only thing that matters is whether access is allowed/denied.

> the result being continued "access denied" responses until either
> Squid is restarted or the result expires (where?).

generated != cached.

"Access denied" object is being generated by Squid. Results *generated* by Squid are not cached by Squid.

>
> I attempted to clear the cache by using PURGE request via
> squidclient, which is successful in clearing the cache, but not the
> result decision (TCP-DENIED). After running the PURGE, doing a
> refresh in browser causes another lookup in Squid- but Squid then
> returns "access-denied" (no database query).
>
> What do I need to do to force Squid to check the ACL after a
> browser refresh?

You seem to be mistaking what is cached.

1) The DB has an internal cache of query/response, the DB lookup result from the helper may be coming from there. SQL/relational databases ACID compliance prevents this cache interfering if the DB has been updated, but if you are using a NoSQL database or distributed cluster DB it can affect things quite badly.

2) Some helpers have internal caches to quickly respond to queries. External ACL helpers not so much because of #3, but this is a possibility.

3) Squid has a cache for each helper's responses. Such that if you send the same query twice the repeats get serviced quickly from the helper cache. This is controlled by the various ttl=, negative_ttl= and cache= options of external_acl_type directive.
http://www.squid-cache.org/Doc/config/external_acl_type/

4) Squid has an HTTP object cache for *external* server produced objects in the HTTP traffic.
 - PURGE is an HTTP method, it only affects this cache.

I think #3 is what you are having trouble with. The default is 60 minutes caching for helper responses. So there will be a 1 hour delay between updating the DB and any change visible in Squid HTTP responses.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
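
Added example (not part of the original message, and not Squid's own code): a simplified Python model of the helper result cache from point 3, showing how long a cached ERR outlives a database update under the default ttl=3600 compared with a short negative_ttl=. The lookup key, the allowed set and the probe times are constructed for illustration.

```python
# Simplified model of Squid's per-helper result cache (point 3 above).
# Assumptions: the key, the "database" set and the clock are constructed;
# real Squid keys the cache on the formatted helper request line.

class ExternalAclCache:
    """Caches helper verdicts per key, in the manner of ttl= / negative_ttl=."""

    def __init__(self, helper, ttl=3600, negative_ttl=None):
        self.helper = helper
        self.ttl = ttl
        # Squid documents negative_ttl as defaulting to the ttl value.
        self.negative_ttl = ttl if negative_ttl is None else negative_ttl
        self.entries = {}            # key -> (verdict, expires_at)
        self.helper_calls = 0

    def check(self, key, now):
        hit = self.entries.get(key)
        if hit and now < hit[1]:
            return hit[0]            # served from cache, helper not asked
        verdict = self.helper(key)   # cache miss or expired: ask the helper
        self.helper_calls += 1
        lifetime = self.ttl if verdict == "OK" else self.negative_ttl
        if lifetime > 0:
            self.entries[key] = (verdict, now + lifetime)
        return verdict


def simulate(ttl, negative_ttl, update_at=10,
             probes=(0, 60, 600, 3599, 3600)):
    """The DB row is added at `update_at` seconds; return what each probe sees."""
    allowed = set()                  # stands in for the database table
    cache = ExternalAclCache(
        lambda key: "OK" if key in allowed else "ERR", ttl, negative_ttl)
    seen = []
    for now in probes:
        if now >= update_at:
            allowed.add("example.com")   # the DB update permitting the site
        seen.append((now, cache.check("example.com", now)))
    return seen, cache.helper_calls


if __name__ == "__main__":
    for neg in (None, 30):
        print("negative_ttl =", neg, "->", simulate(3600, neg))
```

With the defaults the denial persists for the full hour after the first lookup; with negative_ttl=30 the first request after the 30 seconds elapse reaches the helper again and sees the updated database.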