List: squid-users
Subject: Re: [squid-users] External ACL doesn't used
From: Alexeyяр Gruzdov <my.shellac () gmail ! com>
Date: 2023-06-04 12:30:06
Message-ID: CAFqyDwD6A6hG5NJ-J=vOL8Wb8aeGTd_wSR0Kh+hVSx=yQTDKgQ () mail ! gmail ! com
Hello Amos!
Thank you very much for your explanation!
To be honest, I didn't really get what this issue was. This was really
strange.
Because the ttl option of my external ACL is 10 sec (I really need this value).
Also I tried restarting my squid docker and the whole server - and this didn't
help. I saw in the log just silence, no calls to my external ACL helper.
But this external ACL helper must be called for each proxy request…..
Then I just decided to restore from backup and got it working again. I
tend to think that it is possible to change the config - although it looks
doubtful….
Ok!
Thanks again!
On Sat, 3 Jun 2023 at 14:30, Amos Jeffries <squid3@treenet.co.nz> wrote:
> On 3/06/2023 3:14 am, Alexeyяр Gruzdov wrote:
> > So, OK. Looks like this is a misconfig....
> > I just restored from backup and now it works well
> >
>
> Great to hear. I will answer your question below anyway to help avoid
> future issues...
>
> > Fri, 2 Jun 2023 at 18:05, Alexeyяр Gruzdov:
> >
> > Hello Guys!
> >
> > Could you explain to me the cases when the external ACL couldn't be run
> > by Squid?
> >
>
> There are three cases when an "external" type ACL has troubles:
>
> 1) when there are OS permission issues with the helper binary/script.
>
> This can show up as either Squid not being allowed to run the helper, or
> as the helper exiting (maybe "crashing") when it tries to use forbidden
> resources.
>
> 2) when the ACL is being checked in a "fast" group (aka synchronous)
> access check
>
> The helper lookup is asynchronous, so does not work in the synchronous
> checks. However there is a cache of previous helper checks which may
> have the result - so long as there is an identical previous lookup whose
> result has not yet reached its TTL, this cache can supply the answer. So
> external ACL can have the **appearance** of working in simple tests or
> some types of traffic.
>
> 3) when the ACL is used conditionally
>
> Squid helpers are only started as-needed. Immediately after startup
> there may be traffic that goes through which does not need to check the
> external ACL, so the helper does not get started for a while. Also, as
> mentioned above there is the helper cache, so at times there may also be
> traffic that gets answered by that instead of waiting on the helper
> lookup. At times both of these may be having an effect, for example
> after a helper crash/exit or reconfigure of Squid.
>
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
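A simplified model of the behaviour Amos describes in cases 2 and 3, added here as an illustration (it is not Squid source code and not part of either message). It assumes a constructed client key `10.0.0.5`, the 10-second ttl mentioned in the thread, and a hypothetical `ExternalAclModel` class; `None` stands for "no answer available to a fast check".

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ExternalAclModel:
    """Toy model: asynchronous helper plus a TTL cache of earlier results."""
    helper: Callable[[str], bool]      # stands in for the external helper process
    ttl: float = 10.0                  # ttl=10 as in the thread
    helper_started: bool = False       # helpers are only started as-needed
    helper_calls: int = 0              # what would show up in the helper's log
    _cache: Dict[str, Tuple[bool, float]] = field(default_factory=dict)

    def check(self, key: str, now: float, slow: bool) -> Optional[bool]:
        cached = self._cache.get(key)
        if cached is not None and now < cached[1]:
            return cached[0]           # answered from cache, helper stays silent
        if not slow:
            return None                # fast check cannot wait for the helper
        self.helper_started = True     # first real lookup starts the helper
        self.helper_calls += 1
        result = self.helper(key)
        self._cache[key] = (result, now + self.ttl)
        return result


def replay() -> List[tuple]:
    """Replay a constructed sequence of checks for one client key."""
    acl = ExternalAclModel(helper=lambda key: key == "10.0.0.5")
    # (time in seconds, is this a slow/asynchronous access check?)
    events = [(0.0, False), (1.0, True), (5.0, False),
              (9.0, True), (12.0, False), (13.0, True)]
    trace = []
    for now, slow in events:
        answer = acl.check("10.0.0.5", now, slow)
        trace.append((now, "slow" if slow else "fast", answer, acl.helper_calls))
    return trace


if __name__ == "__main__":
    for row in replay():
        print(row)
```

In the trace, the fast check at t=5 appears to work only because the slow check at t=1 filled the cache, and six requests produce just two helper calls, which is why a helper log can look silent even when the ACL is being evaluated.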