On 6/09/2013 11:17 p.m., Nikolai Gorchilov wrote:
> OK. Here's the relevant section in my squid config in case you need it:
>
> ===[cut]===
> # vcache peer setup
> cache_peer 127.0.0.1 parent 8088 9999 proxy-only no-digest name=vcache
> acl vcache url_regex -i "/z/vcache/etc/squid3/vcache.acl"
> cache_peer_access vcache allow vcache
> cache_peer_access vcache deny all
>
> # external routing helper
> external_acl_type router children-max=20 children-startup=1 children-idle=1 concurrency=10000 %METHOD %URI %PROTO /z/vcache/bin/router.js
> # returns either:
> # <channel> ERR
> # <channel> OK tag=peer-miss
> # <channel> OK tag=peer-hit
>
> # force direct in case of ERR
> acl 2peer external router
> always_direct allow !2peer
>
> # TOS marking based on routing helper response. Checking for the
> # effect with: tcpdump -i eth0 -v -n ip and ip[1]=0x10
> acl peering tag peer-hit # doesn't work with this acl in Squid 3.3.8
> #acl peering src 10.211.55.2 # TOS marking works as expected with this acl
> clientside_tos 0x10 peering
> clientside_tos 0x00 !peering
> ===[cut]===
>
> Hope this helps!
It does indeed. You are not checking the external_acl_type helper early
enough in the request processing sequence.
The clientside_tos directive is processed, and the TOS selected, before
the request's upstream destination is selected.
always_direct is part of that upstream destination selection processing,
which follows.
You can test it in http_access like this before allowing traffic:
http_access deny router !all
This runs the helper lookup, but !all is an impossible match and prevents
the deny action from happening.
Alternatively, you can just stick 'router' ACL test on the end of your
allow http_access lines.
Or, contribute a code change making clientside_tos matching a
slow/non-blocking access check. There appears to be no reason for it to
be fast-group in the current releases.
Amos
Received on Fri Sep 06 2013 - 11:38:44 MDT
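The ordering Amos describes, written out as a squid.conf fragment. This is an added example, not a configuration from the original thread or from the Squid project; it reuses the external_acl_type, 2peer and peering definitions from Nikolai's post and assumes a hypothetical "localnet" src ACL as the normal allow rule. Note that http_access takes the name of the acl (2peer), not the name of the external_acl_type (router).

```conf
# external routing helper, as in the original post
external_acl_type router children-max=20 children-startup=1 children-idle=1 concurrency=10000 %METHOD %URI %PROTO /z/vcache/bin/router.js
acl 2peer external router
acl peering tag peer-hit

# assumed: the usual client network ACL of this installation
acl localnet src 10.211.55.0/24

# Force the (slow, non-blocking) helper lookup during http_access, which
# runs before clientside_tos. "!all" can never match, so this line never
# denies anything; its only effect is that the helper has answered and the
# tag= annotation is attached to the request by the time later fast ACL
# checks run.
http_access deny 2peer !all
http_access allow localnet
http_access deny all

# clientside_tos is a fast check; it now sees the tag the helper set above.
clientside_tos 0x10 peering
clientside_tos 0x00 !peering

# vcache peer setup and routing, evaluated later during destination selection
cache_peer 127.0.0.1 parent 8088 9999 proxy-only no-digest name=vcache
acl vcache url_regex -i "/z/vcache/etc/squid3/vcache.acl"
cache_peer_access vcache allow vcache
cache_peer_access vcache deny all
always_direct allow !2peer
```

The "deny 2peer !all" form is preferable to the other suggestion (appending the ACL to the allow line, i.e. "http_access allow localnet 2peer"): every ACL on an http_access line must match for the line to apply, so with the appended form a helper answer of ERR makes the allow line fall through to the final "deny all" and the client is refused rather than sent direct. With the dummy deny line, an ERR simply leaves the request untagged, clientside_tos 0x00 applies, and always_direct sends it direct as intended.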