Hi,

I am using an external helper for authentication. I have just one http_access in squid.conf that refers to this external helper. I also have a url rewriter to which I pass some information using "tag" key. I observed that the acl is not invoked in several cases, just calling the url rewriter. Squid sometimes seems to skip acl phase and directly proceeds to url rewriter.

Are there cases when squid proceeds without performing external acl?

Please see log lines below:

------------------
2016/01/22 14:46:52.091 kid1| 23,3| url.cc(357) urlParse: urlParse: Split URL 'http://localhost:3000/file/download?key=XXXYYY' into proto='http', host='localhost', port='3000', path='/file/download?key=XXXYYY'
2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable: GetFirstAvailable: Running servers 1
2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1309) helperDispatch: helperDispatch: Request sent to jio_helper #Hlpr4, 26 bytes
2016/01/22 14:46:52.091 kid1| 84,9| helper.cc(386) helperSubmit: buf[26]=/file/download?key=XXXYYY
2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(866) helperHandleRead: helperHandleRead: 18 bytes from jio_helper #Hlpr4
2016/01/22 14:46:52.091 kid1| 84,9| helper.cc(875) helperHandleRead: accumulated[18]=OK tag=something4
2016/01/22 14:46:52.091 kid1| 84,3| helper.cc(892) helperHandleRead: helperHandleRead: end of reply found
2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(29) parse: Parsing helper buffer
2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(48) parse: Buff length is larger than 2
2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable: GetFirstAvailable: Running servers 1
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1309) helperDispatch: helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(386) helperSubmit: buf[58]=http://localhost:3000/file/download?key=XXXYYY something4
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable: GetFirstAvailable: Running servers 1
*** http://localhost:3000/file/download?key=XXXYYY something4
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(866) helperHandleRead: helperHandleRead: 28 bytes from redirector #Hlpr2
2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(875) helperHandleRead: accumulated[28]=OK rewrite-url="something4"
2016/01/22 14:46:52.092 kid1| 84,3| helper.cc(892) helperHandleRead: helperHandleRead: end of reply found
2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(29) parse: Parsing helper buffer
2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(48) parse: Buff length is larger than 2
2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable: GetFirstAvailable: Running servers 1
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1309) helperDispatch: helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(386) helperSubmit: buf[58]=http://localhost:3000/file/download?key=XXXYYY something4
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable: GetFirstAvailable: Running servers 1
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(866) helperHandleRead: helperHandleRead: 28 bytes from redirector #Hlpr2
2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(875) helperHandleRead: accumulated[28]=OK rewrite-url="something4"
2016/01/22 14:46:52.092 kid1| 84,3| helper.cc(892) helperHandleRead: helperHandleRead: end of reply found
2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(29) parse: Parsing helper buffer
2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(48) parse: Buff length is larger than 2
2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
2016/01/22 14:46:52.092 kid1| ERROR: URL-rewrite produces invalid request: GET something4 HTTP/1.1
2016/01/22 14:46:52.092 kid1| 11,5| HttpRequest.cc(474) detailError: current error details: 6/0
2016/01/22 14:46:52.092 kid1| 11,2| client_side.cc(1391) sendStartOfMessage: HTTP Client local=[::1]:3000 remote=[::1]:35075 FD 9 flags=1
2016/01/22 14:46:52.092 kid1| 11,2| client_side.cc(1392) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 500 Internal Server Error^M
Server: squid/3.5.13^M
Mime-Version: 1.0^M
Date: Fri, 22 Jan 2016 14:46:52 GMT^M
Content-Type: text/html;charset=utf-8^M
Content-Length: 3889^M
X-Squid-Error: ERR_CANNOT_FORWARD 0^M
Vary: Accept-Language^M
Content-Language: en^M
X-Cache: MISS from TEJ-DL-CS-SERVER04^M
Via: 1.1 TEJ-DL-CS-SERVER04 (squid/3.5.13)^M
Connection: keep-alive^M
^M
----------
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable: GetFirstAvailable: Running servers 1
2016/01/22 14:47:13.103 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP Client local=[::1]:3000 remote=[::1]:35076 FD 9 flags=1
2016/01/22 14:47:13.103 kid1| 11,2| client_side.cc(2346) parseHttpRequest: HTTP Client REQUEST:
---------
GET /file/download?key=XXXYYY HTTP/1.1^M
User-Agent: curl/7.37.1^M
Host: localhost:3000^M
Accept: */*^M
^M
----------
2016/01/22 14:47:13.103 kid1| 23,3| url.cc(357) urlParse: urlParse: Split URL 'http://localhost:3000/file/download?key=XXXYYY' into proto='http', host='localhost', port='3000', path='/file/download?key=XXXYYY'
2016/01/22 14:47:13.103 kid1| 84,5| helper.cc(1167) GetFirstAvailable: GetFirstAvailable: Running servers 1
2016/01/22 14:47:13.103 kid1| 84,5| helper.cc(1309) helperDispatch: helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
2016/01/22 14:47:13.104 kid1| 84,9| helper.cc(386) helperSubmit: buf[58]=http://localhost:3000/file/download?key=XXXYYY something4
*** http://localhost:3000/file/download?key=XXXYYY something4
2016/01/22 14:47:13.104 kid1| 84,5| helper.cc(866) helperHandleRead: helperHandleRead: 28 bytes from redirector #Hlpr2
2016/01/22 14:47:13.104 kid1| 84,9| helper.cc(875) helperHandleRead: accumulated[28]=OK rewrite-url="something4"
2016/01/22 14:47:13.104 kid1| 84,3| helper.cc(892) helperHandleRead: helperHandleRead: end of reply found
2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(29) parse: Parsing helper buffer
2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(48) parse: Buff length is larger than 2
2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
2016/01/22 14:47:13.104 kid1| ERROR: URL-rewrite produces invalid request: GET something4 HTTP/1.1
2016/01/22 14:47:13.104 kid1| 11,5| HttpRequest.cc(474) detailError: current error details: 6/0
2016/01/22 14:47:13.104 kid1| 11,2| client_side.cc(1391) sendStartOfMessage: HTTP Client local=[::1]:3000 remote=[::1]:35076 FD 9 flags=1
2016/01/22 14:47:13.104 kid1| 11,2| client_side.cc(1392) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 500 Internal Server Error^M
Server: squid/3.5.13^M
Mime-Version: 1.0^M
Date: Fri, 22 Jan 2016 14:47:13 GMT^M
Content-Type: text/html;charset=utf-8^M
Content-Length: 3889^M
X-Squid-Error: ERR_CANNOT_FORWARD 0^M
Vary: Accept-Language^M
Content-Language: en^M
X-Cache: MISS from TEJ-DL-CS-SERVER04^M
Via: 1.1 TEJ-DL-CS-SERVER04 (squid/3.5.13)^M
Connection: keep-alive^M
^M
----------------------------------

Here is Squid.conf

debug_options ALL,1 31,10 23,10 84,10 11,10,44
redirect_rewrites_host_header off
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
###http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
###http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
## http_access allow localhost manager
## http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
external_acl_type jio_helper children-max=1 %PATH /usr/local/bin/acl
acl AclName external jio_helper
http_access allow AclName
#http_access allow localnet
#http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3000 accel defaultsite=mysite.com vhost
url_rewrite_program /usr/local/bin/rewrite
url_rewrite_extras "%et"

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
--------------

As can be seen above, the first time a request was sent, the external ACL helper was called, and then the url rewrite was called. When the same request was repeated, squid skipped the acl helper, and proceeded with URL rewriter.

If the acl helpers have exited, does squid stop processing requests?

Also, does setting the "tag" or clt_conn_tag have any effect on the processing of requests by squid?

thanks,
Sreenath

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
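
Added example, not part of the original post and not Squid project code: a Python check that groups the helperDispatch lines of a cache.log by request and reports requests that reached the URL rewriter with no external ACL helper dispatch, as the second request in the log above did. The function names are hypothetical, the sample log is constructed from trimmed lines of the excerpt, and the grouping assumes requests are logged one at a time (interleaved concurrent requests would need a per-connection key).

```python
import re

# Line shapes taken from the cache.log excerpt above (debug sections 23 and 84).
URL_RE = re.compile(r"urlParse: Split URL '([^']+)'")
DISPATCH_RE = re.compile(r"helperDispatch: Request sent to (\S+) #Hlpr\d+")


def helpers_per_request(log_text):
    """Return [(url, [helper, ...])], one entry per urlParse line, in log order."""
    requests = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if m:
            requests.append((m.group(1), []))  # a new request starts here
            continue
        m = DISPATCH_RE.search(line)
        if m and requests:
            requests[-1][1].append(m.group(1))  # helper used by the current request
    return requests


def rewritten_without_acl(log_text, acl_helper="jio_helper", rewriter="redirector"):
    """Indexes and URLs of requests sent to the rewriter with no ACL helper dispatch."""
    return [
        (i, url)
        for i, (url, helpers) in enumerate(helpers_per_request(log_text))
        if rewriter in helpers and acl_helper not in helpers
    ]


# Constructed sample: trimmed copies of the dispatch lines for the two requests above.
SAMPLE_LOG = """\
2016/01/22 14:46:52.091 kid1| 23,3| url.cc(357) urlParse: urlParse: Split URL 'http://localhost:3000/file/download?key=XXXYYY' into proto='http'
2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1309) helperDispatch: helperDispatch: Request sent to jio_helper #Hlpr4, 26 bytes
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1309) helperDispatch: helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
2016/01/22 14:47:13.103 kid1| 23,3| url.cc(357) urlParse: urlParse: Split URL 'http://localhost:3000/file/download?key=XXXYYY' into proto='http'
2016/01/22 14:47:13.103 kid1| 84,5| helper.cc(1309) helperDispatch: helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
"""

if __name__ == "__main__":
    for index, url in rewritten_without_acl(SAMPLE_LOG):
        print(f"request #{index}: {url} reached the rewriter with no ACL helper call")
```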