[squid-users] cache_peer_access and dst-style ACLs

From: Rude Yak <rudeyak@dont-contact.us>
Date: Thu, 3 Oct 2002 21:00:18 -0700 (PDT)

Can someone help me understand the guidelines about ACL checking and when it
takes place? Specifically, I am trying to force certain subnets to use a
certain proxy (or set of proxies). I have two squids that are fairly similarly
configured, both of which have the following

cache_peer p1 parent 8080 0 no-query no-digest no-netdb-exchange round-robin connect-timeout=3
cache_peer p2 parent 8080 0 no-query no-digest no-netdb-exchange round-robin connect-timeout=3
cache_peer p3 parent 8080 0 no-query no-digest no-netdb-exchange round-robin connect-timeout=3

acl hosted-here dst 192.168.0.0/16

cache_peer_access p1 allow hosted-here
cache_peer_access p1 deny all

cache_peer_access p2 deny hosted-here
cache_peer_access p2 allow all
cache_peer_access p3 deny hosted-here
cache_peer_access p3 allow all

What's interesting is that one of my squids, a low-volume instance, processes
this correctly. A higher-volume squid does not: it only sends CONNECT requests
to p1, whereas it sends GETs to p2 and p3. I turned on

debug_options ALL,1 44,9 28,9

and saw something odd: in the one that does NOT work, I get messages like

aclCheckFast: list 24a8f0
aclMatchAcList: checking hosted-here
aclMatchAcl: checking 'acl hosted-here dst 192.168.0.0/16'
aclMatchAcl: Can't yet compare 'hosted-here' ACL for 'foo.bar.com'

In the case of the one that works, this block succeeds and returns 1. Am I
missing anything about the way ACLs are checked that would cause one copy of
squid to decide that it's too early to do a "dst" comparison? Looking through
the source, it seems to be somewhere in the "case ACL_DST_IP:" block of acl.c
but I can't quite decipher why checklist->state[ACL_DST_IP] is matching (or
exactly what it does :-). I've checked the IP cache and that seems to be
populated correctly. Any ideas or pointers on where to look next? The one
major config difference that I see is that the "working" squid has an
authenticator_program running (although it's not required for processing these
requests - it is used for a different set of ACLs).

Thanks in advance.

RudeYak.at.yahoo.com

Received on Thu Oct 03 2002 - 22:00:19 MDT
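Added example (not from the post, not Squid's own code): a small Python model of how a "fast" ACL check such as cache_peer_access evaluates the three rule lists above. It encodes two rules of Squid's evaluation: rules are tried top to bottom and the first match decides, and if nothing matches the result is the opposite of the last rule's action. A dst ACL whose destination address is not yet known (the "Can't yet compare" case in the debug output) is modelled as a plain non-match, which is what the 0 return in that path amounts to. The ACL names, peer names and sample addresses are taken from the post or constructed here; the model does not try to reproduce the CONNECT-to-p1 behaviour the poster observed.

```python
"""Model of Squid's fast ACL evaluation for cache_peer_access lists.

Added example, not Squid's own code. Two rules are reproduced:
  * rules are tried top to bottom; the first matching rule decides;
  * if no rule matches, the result is the opposite of the last rule's action.
A `dst` ACL needs the destination IP. When it is not yet known (Squid logs
"Can't yet compare ... ACL"), the ACL simply does not match in a fast check.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# ACL table mirroring the post: name -> (type, value). "all" is Squid's built-in.
ACLS = {
    "hosted-here": ("dst", ipaddress.ip_network("192.168.0.0/16")),
    "all": ("all", None),
}

# cache_peer_access lists from the post: peer -> [(action, acl name), ...]
PEER_RULES: Dict[str, List[Tuple[str, str]]] = {
    "p1": [("allow", "hosted-here"), ("deny", "all")],
    "p2": [("deny", "hosted-here"), ("allow", "all")],
    "p3": [("deny", "hosted-here"), ("allow", "all")],
}


def acl_matches(name: str, dst_ip: Optional[str]) -> bool:
    """True if the ACL matches. An unresolved destination never matches a dst ACL."""
    kind, value = ACLS[name]
    if kind == "all":
        return True
    if kind == "dst":
        if dst_ip is None:
            # the "Can't yet compare" path: no lookup is possible in a fast
            # check, so the ACL is reported as not matching
            return False
        return ipaddress.ip_address(dst_ip) in value
    raise ValueError(f"unsupported acl type {kind!r}")


def peer_allowed(rules: List[Tuple[str, str]], dst_ip: Optional[str]) -> bool:
    """Evaluate one cache_peer_access list the way a fast check does."""
    last_action = "deny"
    for action, acl in rules:
        last_action = action
        if acl_matches(acl, dst_ip):
            return action == "allow"
    # no rule matched: the default is the opposite of the last rule's action
    return last_action != "allow"


def eligible_peers(dst_ip: Optional[str]) -> List[str]:
    """Peers whose cache_peer_access list permits a request to dst_ip."""
    return sorted(p for p, rules in PEER_RULES.items() if peer_allowed(rules, dst_ip))


if __name__ == "__main__":
    # constructed sample destinations: one inside the dst range, one outside,
    # and one whose address the fast check cannot obtain
    for label, ip in [("internal, resolved", "192.168.10.5"),
                      ("external, resolved", "203.0.113.9"),
                      ("destination not yet resolved", None)]:
        print(f"{label:30s} -> {eligible_peers(ip)}")
```

The point worth keeping in mind when writing such lists: an unresolvable destination falls through both orderings to the final `all` rule, so it is denied by p1 and allowed by p2 and p3, exactly as an external destination would be. A list of the form `deny <subnet>` / `allow all` therefore fails open whenever the dst ACL cannot be evaluated, while `allow <subnet>` / `deny all` fails closed; if the goal is to guarantee that a subnet only ever reaches one peer, the closed form is the one that holds up when the lookup is unavailable.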
