On 24/04/17 14:12, squid-users wrote:
> Hi Squid users,
> I'm having some trouble understanding Squid's peer selection algorithms, in
> a configuration where multiple cache_peer lines reference the same host.
> The background to this is that we wish to present cache service using
> multiple accounts at an upstream provider, with account selection taking
> place based on the local TCP port (8080, 8181, 8282) the request arrived on.
> First we define the cache peers:
> cache_peer proxy.myisp.net parent 8080 0 login=staffuser:abc123 no-query
> no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2
> name=Staff
> cache_peer proxy.myisp.net parent 8080 0 login=guestuser:abc123 no-query
> no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2
> name=Guest
> cache_peer proxy.myisp.net parent 8080 0 login=PASS no-query no-digest
> no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Student
> Then lock access down:
> acl localport_Staff localport 8282
> acl localport_Guest localport 8181
> acl localport_Student localport 8080

localport is taken from the TCP connection arriving into Squid. It may
be different to the Squid listening port.
So what are your http(s)_port lines?

> cache_peer_access Staff allow localport_Staff !localport_Guest
> !localport_Student
> cache_peer_access Guest allow localport_Guest !localport_Staff
> !localport_Student
> cache_peer_access Student allow localport_Student !localport_Guest
> !localport_Staff

You do not need these !blah pieces. No single TCP connection can have
multiple destination ports. So when one of your ACLs matches the others
cannot be matches.

> To reproduce the error, first a connection is made with wget to tcp port
> 8282:
> http_proxy=http://10.159.192.24:8282/ wget www.monash.edu --delete-after
> Squid selects the Staff profile as expected:
> 1492999376.993 811 10.159.192.26 TCP_MISS/200 780195 GET
> http://www.monash.edu/ - FIRSTUP_PARENT/Staff text/html "EDU%20%20%20en"
> "Wget/1.12 (linux-gnu)"
> Then another connection is made, this time to port 8080:
> http_proxy=http://10.159.192.24:8080/ wget www.monash.edu --delete-after
> But instead of the desired Student profile being selected, the Staff profile
> is still used instead:
> 1492999405.953 338 10.159.192.26 TCP_MISS/200 780195 GET
> http://www.monash.edu/ - FIRSTUP_PARENT/Staff text/html "EDU%20%20%20en"
> "Wget/1.12 (linux-gnu)"
> I had a look in the cache.log with debug_options 44,6 enabled. None of the
> messages reference the contents of the name= parameter in the cache_peer
> lines; only hostnames and IP addresses are mentioned. I suspect that the
> peer selection algorithms have changed since Squid 3.1, whereby peers are
> now selected based on hostname (or IP address) rather than the name defined
> in the cache_peer line. Is this correct?

No, the peer selection still works based on the name. But that name now
gets translated to a list of IP:port destinations that can be tried by
the forwarding logic.
I think what you are seeing is the side effect of the peers all having
the same IP:port details versus HTTP persistent connections. When the
forwarding logic looks for an open persistent connection for the Student
IP:port it might get handed the existing Staff connection - since they
both have the same IP:port they are the same server as far as HTTP is
concerned.
You could try turning persistence to servers off
<http://www.squid-cache.org/Doc/config/server_persistent_connections/>
... or using a different port for each of the cache_peer lines and
NAPT'ing them on the outgoing TCP connections back to what the upstream
peer actually uses.
Amos
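
The following squid.conf fragment is an added example, not part of the original message or the poster's actual configuration. It combines the two suggestions from the reply: cache_peer_access rules without the negated ACLs, and server-side persistent connections turned off. The http_port lines are an assumption, since the thread does not show them.

```squidconf
# Listening ports (assumed; the thread does not show the http_port lines).
http_port 8080
http_port 8181
http_port 8282

# One cache_peer per upstream account. Each directive must sit on a single
# line in squid.conf; the wrapping seen in the e-mail is from the mail client.
cache_peer proxy.myisp.net parent 8080 0 login=staffuser:abc123 no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Staff
cache_peer proxy.myisp.net parent 8080 0 login=guestuser:abc123 no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Guest
cache_peer proxy.myisp.net parent 8080 0 login=PASS no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Student

# localport matches the destination port of the inbound TCP connection.
acl localport_Staff localport 8282
acl localport_Guest localport 8181
acl localport_Student localport 8080

# A TCP connection has exactly one destination port, so a single positive
# ACL per peer is enough. The explicit "deny all" documents the default.
cache_peer_access Staff allow localport_Staff
cache_peer_access Staff deny all
cache_peer_access Guest allow localport_Guest
cache_peer_access Guest deny all
cache_peer_access Student allow localport_Student
cache_peer_access Student deny all

# All three peers resolve to the same IP:port. With persistence off, an idle
# connection opened for one peer name cannot be handed to a request that was
# routed to another. The cost is a new TCP connection per upstream request.
server_persistent_connections off
```

Check the file with `squid -k parse` before reloading, then repeat the wget test against each port and confirm that the hierarchy field in access.log names the expected peer.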