Hi All,

before posting I should have read documentation completely.
I set both ttl and negative_ttl to zero, and it is working fine.

thanks,
Sreenath

On 1/22/16, Sreenath BH <bhsreenath@xxxxxxxxx> wrote:
> Hi
>
> I am using an external helper for authentication. I have just one
> http_access in squid.conf that refers to this external helper.
>
> I also have a url rewriter to which I pass some information using "tag"
> key.
> I observed that the acl is not invoked in several cases, just calling
> the url rewriter.
>
> Squid sometimes seems to skip acl phase and directly proceeds to url
> rewriter.
>
> Are there cases when squid proceeds without performing external acl?
> Please see log lines below:
>
> ------------------
> 2016/01/22 14:46:52.091 kid1| 23,3| url.cc(357) urlParse: urlParse:
> Split URL 'http://localhost:3000/file/download?key=XXXYYY' into
> proto='http', host='localhost', port='3000',
> path='/file/download?key=XXXYYY'
> 2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> 2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1309) helperDispatch:
> helperDispatch: Request sent to jio_helper #Hlpr4, 26 bytes
> 2016/01/22 14:46:52.091 kid1| 84,9| helper.cc(386) helperSubmit:
> buf[26]=/file/download?key=XXXYYY
>
> 2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(866) helperHandleRead:
> helperHandleRead: 18 bytes from jio_helper #Hlpr4
> 2016/01/22 14:46:52.091 kid1| 84,9| helper.cc(875) helperHandleRead:
> accumulated[18]=OK tag=something4
>
> 2016/01/22 14:46:52.091 kid1| 84,3| helper.cc(892) helperHandleRead:
> helperHandleRead: end of reply found
> 2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(29) parse: Parsing helper
> buffer
> 2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(48) parse: Buff length is
> larger than 2
> 2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
> 2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1309) helperDispatch:
> helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
> 2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(386) helperSubmit:
> buf[58]=http://localhost:3000/file/download?key=XXXYYY something4
>
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> *** http://localhost:3000/file/download?key=XXXYYY something4
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(866) helperHandleRead:
> helperHandleRead: 28 bytes from redirector #Hlpr2
> 2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(875) helperHandleRead:
> accumulated[28]=OK rewrite-url="something4"
>
> 2016/01/22 14:46:52.092 kid1| 84,3| helper.cc(892) helperHandleRead:
> helperHandleRead: end of reply found
> 2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(29) parse: Parsing helper
> buffer
> 2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(48) parse: Buff length is
> larger than 2
> 2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
> 2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1309) helperDispatch:
> helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
> 2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(386) helperSubmit:
> buf[58]=http://localhost:3000/file/download?key=XXXYYY something4
>
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
>
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(866) helperHandleRead:
> helperHandleRead: 28 bytes from redirector #Hlpr2
> 2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(875) helperHandleRead:
> accumulated[28]=OK rewrite-url="something4"
>
> 2016/01/22 14:46:52.092 kid1| 84,3| helper.cc(892) helperHandleRead:
> helperHandleRead: end of reply found
> 2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(29) parse: Parsing helper
> buffer
> 2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(48) parse: Buff length is
> larger than 2
> 2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
> 2016/01/22 14:46:52.092 kid1| ERROR: URL-rewrite produces invalid
> request: GET something4 HTTP/1.1
> 2016/01/22 14:46:52.092 kid1| 11,5| HttpRequest.cc(474) detailError:
> current error details: 6/0
> 2016/01/22 14:46:52.092 kid1| 11,2| client_side.cc(1391)
> sendStartOfMessage: HTTP Client local=[::1]:3000 remote=[::1]:35075 FD
> 9 flags=1
> 2016/01/22 14:46:52.092 kid1| 11,2| client_side.cc(1392)
> sendStartOfMessage: HTTP Client REPLY:
> ---------
> HTTP/1.1 500 Internal Server Error^M
> Server: squid/3.5.13^M
> Mime-Version: 1.0^M
> Date: Fri, 22 Jan 2016 14:46:52 GMT^M
> Content-Type: text/html;charset=utf-8^M
> Content-Length: 3889^M
> X-Squid-Error: ERR_CANNOT_FORWARD 0^M
> Vary: Accept-Language^M
> Content-Language: en^M
> X-Cache: MISS from TEJ-DL-CS-SERVER04^M
> Via: 1.1 TEJ-DL-CS-SERVER04 (squid/3.5.13)^M
> Connection: keep-alive^M
> ^M
>
> ----------
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> 2016/01/22 14:47:13.103 kid1| 11,2| client_side.cc(2345)
> parseHttpRequest: HTTP Client local=[::1]:3000 remote=[::1]:35076 FD 9
> flags=1
> 2016/01/22 14:47:13.103 kid1| 11,2| client_side.cc(2346)
> parseHttpRequest: HTTP Client REQUEST:
> ---------
> GET /file/download?key=XXXYYY HTTP/1.1^M
> User-Agent: curl/7.37.1^M
> Host: localhost:3000^M
> Accept: */*^M
> ^M
>
> ----------
> 2016/01/22 14:47:13.103 kid1| 23,3| url.cc(357) urlParse: urlParse:
> Split URL 'http://localhost:3000/file/download?key=XXXYYY' into
> proto='http', host='localhost', port='3000',
> path='/file/download?key=XXXYYY'
> 2016/01/22 14:47:13.103 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> 2016/01/22 14:47:13.103 kid1| 84,5| helper.cc(1309) helperDispatch:
> helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
> 2016/01/22 14:47:13.104 kid1| 84,9| helper.cc(386) helperSubmit:
> buf[58]=http://localhost:3000/file/download?key=XXXYYY something4
>
> *** http://localhost:3000/file/download?key=XXXYYY something4
> 2016/01/22 14:47:13.104 kid1| 84,5| helper.cc(866) helperHandleRead:
> helperHandleRead: 28 bytes from redirector #Hlpr2
> 2016/01/22 14:47:13.104 kid1| 84,9| helper.cc(875) helperHandleRead:
> accumulated[28]=OK rewrite-url="something4"
>
> 2016/01/22 14:47:13.104 kid1| 84,3| helper.cc(892) helperHandleRead:
> helperHandleRead: end of reply found
> 2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(29) parse: Parsing helper
> buffer
> 2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(48) parse: Buff length is
> larger than 2
> 2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
> 2016/01/22 14:47:13.104 kid1| ERROR: URL-rewrite produces invalid
> request: GET something4 HTTP/1.1
> 2016/01/22 14:47:13.104 kid1| 11,5| HttpRequest.cc(474) detailError:
> current error details: 6/0
> 2016/01/22 14:47:13.104 kid1| 11,2| client_side.cc(1391)
> sendStartOfMessage: HTTP Client local=[::1]:3000 remote=[::1]:35076 FD
> 9 flags=1
> 2016/01/22 14:47:13.104 kid1| 11,2| client_side.cc(1392)
> sendStartOfMessage: HTTP Client REPLY:
> ---------
> HTTP/1.1 500 Internal Server Error^M
> Server: squid/3.5.13^M
> Mime-Version: 1.0^M
> Date: Fri, 22 Jan 2016 14:47:13 GMT^M
> Content-Type: text/html;charset=utf-8^M
> Content-Length: 3889^M
> X-Squid-Error: ERR_CANNOT_FORWARD 0^M
> Vary: Accept-Language^M
> Content-Language: en^M
> X-Cache: MISS from TEJ-DL-CS-SERVER04^M
> Via: 1.1 TEJ-DL-CS-SERVER04 (squid/3.5.13)^M
> Connection: keep-alive^M
> ^M
> ----------------------------------
>
> Here is Squid.conf
>
> debug_options ALL,1 31,10 23,10 84,10 11,10,44
> redirect_rewrites_host_header off
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly
> plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> ###http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> ###http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> ## http_access allow localhost manager
> ## http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
>
> external_acl_type jio_helper children-max=1 %PATH /usr/local/bin/acl
> acl AclName external jio_helper
> http_access allow AclName
>
> #http_access allow localnet
> #http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3000 accel defaultsite=mysite.com vhost
>
> url_rewrite_program /usr/local/bin/rewrite
> url_rewrite_extras "%et"
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> --------------
>
> As can be seen above, the first time a request was sent, the external
> ACL helper was called, and then the url rewrite was called. When the
> same request was repeated, squid skipped the acl helper, and proceeded
> with URL rewriter.
>
> If the acl helpers have exited, does squid stop processing requests?
>
> Also, does setting the "tag" or clt_conn_tag have any effect on the
> processing of requests by squid?
>
> thanks,
> Sreenath
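
A simplified model of the behaviour resolved in this thread, added here as an example; it is not Squid's code and was not posted by the author. Squid caches each external ACL helper verdict, together with its tag, under the expanded FORMAT value (%PATH here) for ttl seconds (3600 by default), so the repeat request 21 seconds later is answered without calling the helper. The class name, the stand-in helper and the key-revocation step are assumptions made for illustration.

```python
import time


class ExternalAclCache:
    """Simplified model of Squid's external ACL result cache (not Squid source)."""

    def __init__(self, helper, ttl=3600, negative_ttl=None, clock=time.monotonic):
        self.helper = helper
        self.ttl = ttl  # 3600 s is the documented default for ttl=
        # negative_ttl= defaults to the ttl= value when it is not given
        self.negative_ttl = ttl if negative_ttl is None else negative_ttl
        self.clock = clock
        self.entries = {}  # expanded FORMAT value -> (result, tag, stored_at)
        self.helper_calls = 0

    def check(self, key):
        now = self.clock()
        entry = self.entries.get(key)
        if entry is not None:
            result, tag, stored_at = entry
            lifetime = self.ttl if result == "OK" else self.negative_ttl
            if now - stored_at < lifetime:
                return result, tag, "cached"  # helper is not consulted
        self.helper_calls += 1
        result, tag = self.helper(key)
        self.entries[key] = (result, tag, now)
        return result, tag, "helper"


def replay(ttl, negative_ttl=None):
    """Replay the thread's two identical requests, 21 s apart (constructed input)."""
    valid_keys = {"XXXYYY"}  # hypothetical key store behind the helper

    def helper(path):  # stand-in for /usr/local/bin/acl, which receives %PATH
        key = path.partition("key=")[2]
        return ("OK", "something4") if key in valid_keys else ("ERR", None)

    now = [0.0]
    cache = ExternalAclCache(helper, ttl, negative_ttl, clock=lambda: now[0])
    path = "/file/download?key=XXXYYY"
    first = cache.check(path)
    now[0] = 21.0        # 14:46:52 -> 14:47:13 in the log
    valid_keys.clear()   # assumption: the key is revoked between the requests
    second = cache.check(path)
    return first, second, cache.helper_calls


if __name__ == "__main__":
    print("default ttl:", replay(3600))
    print("ttl=0 negative_ttl=0:", replay(0, 0))
```

With the default lifetime the revoked key still receives OK and the old tag from the cache; with ttl=0 negative_ttl=0 every request goes back to the helper and the revocation takes effect immediately.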