Hi folks,

Is there any way to tell squid to cache all requests for a page, except for any pages that are requested by a user with a certain cookie?

I am using Squid 2.6, stable 17. I am trying to set up a reverse proxy to accelerate a client's website. After reading the conf file and the ReverseProxy faq page, I have it almost set up correctly. (This is my first squid installation.) I can see squid caching requests and the files in the cache directory being written.

It's a simple configuration, with just one squid proxy in front of one application server (Apache/Tomcat combination, which uses apache virtual hosts), although if this works well in dealing with load, we might use more than one proxy.

There are certain urls (like the login/logout response pages) that should never be cached. I can do that with this line in the squid.conf:

acl LOGOUT_LOGIN_REQUEST urlpath_regex Login.do
cache deny LOGOUT_LOGIN_REQUEST

However, when a user is logged in, I don't want to cache anything--for that user.

Originally, I was using
acl LOGGEDIN_SESS req_header Cookie [[:space:]]l=
cache deny LOGGEDIN_SESS

Where the cookie with the name 'l' indicates a user has logged in. (There's another cookie that indicates that a user has logged in as well.)

However, while this works, it appears to remove any pages the user visits from the cache (for everyone else) as well. That's not what I intended, but on reading the docs, it seems entirely reasonable: this ACL "cause[s] the request to not be satisfied from the cache and the reply to not be cached."

A bit more searching revealed the always_direct header, which I can use to force squid to direct certain requests to the origin server.

acl LOGGEDIN_SESS req_header Cookie [[:space:]]l=
always_direct allow LOGGEDIN_SESS

I thought that would work, as always sending the request to the origin server is exactly what I wanted. However, I'm getting a 504 error in the browser when a user is logged in and requests a page. In the access log, I see this: "TCP_CLIENT_REFRESH_MISS:DIRECT" in the access logs. According to http://wiki.squid-cache.org/SquidFaq/SquidLogs, 'DIRECT' means that "The object was fetched from the origin server". But it was not returned to the user. However, the parent does not show the request in its logs, even though it is specified as the 'originserver' in the cache_peer line.

Should I turn on any particular debugging? I turned on all debugging to level 8, and saw this message in the logs (twice):

2007/12/26 10:37:51| WARNING: Forwarding loop detected for:
2007/12/26 10:37:51| storeCreateEntry: 'http://stage.chfops.net/'

Googling on that error message revealed that this message happens whenever Squid seems the same request twice. I theorize that squid gets the request for stage.chfops.net, views the request header, sees that it should direct to the origin server, and directs to stage.chfops.net (rather than reading in the cache_peer line that says that the origin server is 65.xxx.xxx.xxx and forwarding to that server), which is how the loop happens.

I read through the FAQ pages and didn't see anything that seemed to apply, except for the always_direct directive. I googled for always_direct and "reverse proxy" but didn't see anything. Same results with searching the squid-users list.

Any ideas or pointers would be appreciated. If what I want to do just can't be done, I'd appreciate knowing that too.

Thanks for any pointers,
Dan

PS Below is the full text of my squid.conf, configured such that logged in users get the 504 error (comments, whitespace removed).
--------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl CONNECT method CONNECT
acl our_sites dstdomain stage.chfops.net
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_sites
http_access deny all
icp_access allow all
http_port 80 accel vhost
cache_peer 65.38.188.180 parent 80 0 no-query originserver login=PASS
hierarchy_stoplist cgi-bin ?
acl GWT_RPC urlpath_regex /rs/
cache deny GWT_RPC
acl WRITE_REQUESTS urlpath_regex /rw/
cache deny WRITE_REQUESTS
acl REG_WRITE_REQUESTS urlpath_regex Register.do
cache deny REG_WRITE_REQUESTS
acl LOGOUT_LOGIN_REQUEST urlpath_regex Login.do
cache deny LOGOUT_LOGIN_REQUEST
cache_mem 200 MB
maximum_object_size_in_memory 160 KB
cache_dir ufs /var/cache/squid/cache 3500 16 256
logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
debug_options ALL,1 20,9
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_effective_user nobody
acl LOGGEDIN_PERS req_header Cookie [[:space:]]Password=
always_direct allow LOGGEDIN_PERS
acl LOGGEDIN_SESS req_header Cookie [[:space:]]l=
always_direct allow LOGGEDIN_SESS
coredump_dir /var/spool/squid
--------------

Reply via email to