Re: [squid-users] icap_access and external_acl does not work

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 14 Oct 2004 18:20:07 +0200 (CEST)

On Thu, 14 Oct 2004, Christoph Haas wrote:

> Yay, godlike! I never would have thought there would be a workaround for
> this one. But in fact it works like a charm. This should perhaps become
> an FAQ item (if the FAQ is still maintained).

The FAQ is maintained, but very much relies on users submitting
additions/changes. The developers are all buzy maintaining the Squid
sources for you.

> Am I right that your solution makes Squid do the external_acl lookup and
> store that information in the cache where other ACLs can read from?

Yes, depending on the ttl.

> It sounds like icap_access can handle both the mysterious "fast ACLs"
> and the internal external_acl cache - but not the "slow external ACLs".
> Right?

No, icap_access can only handle fast ACL lookups where all needed
information is priorly known.

external acls where the lookup has completed and is fresh (ttl not
expired) is included in this category. The same also applies to any other
ACL type requiring external lookups (I..e DNS dependent acls such as dst /
dstdomain / srcdomain)

The workaround is not 100% reliable. There is a small window where the ttl
of the information the acl depends on may expire between http_access and
icap_access (or whatever other "only fast acls" directive). But with
properly selected ttls, and graceful fallbacks if the acl lookup fails
then this shouldn't be much of an issue.

Regards
Henrik
Received on Thu Oct 14 2004 - 10:20:17 MDT

This archive was generated by hypermail pre-2.1.9 : Mon Nov 01 2004 - 12:00:02 MST