List:       squid-users
Subject:    Re: [squid-users] External ACL doesn't used
From:       Alexeyяр Gruzdov <my.shellac () gmail ! com>
Date:       2023-06-04 12:30:06
Message-ID: CAFqyDwD6A6hG5NJ-J=vOL8Wb8aeGTd_wSR0Kh+hVSx=yQTDKgQ () mail ! gmail ! com

Hello Amos!

Thank you very much for your explanation!

To be honest I didn't get really what this issue was. This was really
strange.

Because the ttl option of my external acl is 10 sec (I really need this value).

Also I tried restarting my squid docker and the server as a whole - and this didn't
help. I saw in the log just silence, no calls of my external helper ACL.
But this ext ACL helper must be called for each proxy request…


Then I just decided to restore from backup and got it working again. I
tend to think that it is possible to change the config - although it looks
doubtful…


Ok!
Thanks again !

On Sat, 3 Jun 2023 at 14:30, Amos Jeffries <squid3@treenet.co.nz> wrote:

> On 3/06/2023 3:14 am, Alexeyяр Gruzdov wrote:
> > So, ok. Looks like this is a misconfig....
> > I just restored from backup and now it works well
> >
>
> Great to hear. I will answer your question below anyway to help avoid
> future issues...
>
> > Fri, 2 Jun 2023 at 18:05, Alexeyяр Gruzdov:
> >
> >     Hello Guys!
> >
> >     Could you explain to me the case when the external acl couldn't be run
> >     by squid.
> >
>
> There are three cases when an "external" type ACL has troubles:
>
> 1) when there are OS permission issues with the helper binary/script.
>
> This can show up as either Squid not being allowed to run the helper, or
> as the helper exiting (maybe "crashing") when it tries to use forbidden
> resources.
>
> 2) when the ACL is being checked in a "fast" group (aka synchronous)
> access check
>
> The helper lookup is asynchronous, so does not work in the synchronous
> checks. However there is a cache of previous helper checks which may
> have the result - so long as there is an identical previous lookup whose
> result has not yet reached its TTL, this cache can supply the answer. So
> external ACL can have the **appearance** of working in simple tests or
> some types of traffic.
>
> 3) when the ACL is used conditionally
>
> Squid helpers are only started as-needed. Immediately after startup
> there may be traffic that goes through which does not need to check the
> external ACL, so the helper does not get started for a while. Also, as
> mentioned above there is the helper cache, so at times there may also be
> traffic that gets answered by that instead of waiting on the helper
> lookup. At times both of these may be having an effect, for example
> after a helper crash/exit or reconfigure of Squid.
>
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
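
The cache-versus-helper behaviour described in cases 2 and 3 of the quoted reply, as an added sketch that is not part of the thread and not Squid's own code: a simplified Python model in which only a slow check may call the helper and answers are reused until the TTL (10 seconds, as in the post) expires. The class, its method names and the sample lookups are hypothetical and constructed for illustration.

```python
# Simplified model (an assumption, not Squid source) of an external ACL lookup:
# results are cached per lookup key for `ttl` seconds; only a slow
# (asynchronous) check may wait on the helper, a fast check sees the cache only.

class ExternalAclModel:
    def __init__(self, helper, ttl=10):
        self.helper = helper        # callable(key) -> bool, stands in for the helper process
        self.ttl = ttl              # seconds, matching the ttl of 10 from the post
        self.cache = {}             # key -> (result, expiry time)
        self.helper_calls = []      # (time, key) for every real helper lookup

    def _cached(self, key, now):
        entry = self.cache.get(key)
        if entry and now < entry[1]:
            return entry[0]
        return None

    def slow_check(self, key, now):
        """Asynchronous check: use the cache, otherwise ask the helper."""
        hit = self._cached(key, now)
        if hit is not None:
            return hit, "cache"
        result = self.helper(key)
        self.helper_calls.append((now, key))
        self.cache[key] = (result, now + self.ttl)
        return result, "helper"

    def fast_check(self, key, now):
        """Synchronous check: cache only, the helper is never consulted."""
        hit = self._cached(key, now)
        if hit is not None:
            return hit, "cache"
        return None, "no-answer"


def demo():
    # Constructed lookups: (time in seconds, check kind, lookup key)
    events = [(0, "fast", "alice"), (1, "slow", "alice"), (5, "fast", "alice"),
              (8, "slow", "alice"), (12, "fast", "alice"), (13, "slow", "alice")]
    acl = ExternalAclModel(helper=lambda key: key == "alice", ttl=10)
    trace = []
    for now, kind, key in events:
        check = acl.slow_check if kind == "slow" else acl.fast_check
        trace.append((now, kind) + check(key, now))
    return trace, acl.helper_calls


if __name__ == "__main__":
    print(demo())
```

Six lookups produce only two helper invocations (at t=1 and t=13), and the fast checks get an answer only while a slow check's result is still cached, which is why a helper's own log can stay silent even though traffic is flowing.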
