Re: [squid-users] Cache peer selection with duplicate host names

2017-04-25 Thread Alex Rousskov
On 04/23/2017 08:57 PM, Amos Jeffries wrote:

> When the
> forwarding logic looks for an open persistent connection for the Student
> IP:port it might get handed the existing Staff connection

FWIW, this behavior is a Squid bug: since a peer has several
traffic-affecting properties besides its address, the connection
selection logic must obey peer selection choices, even if all peers have
the same addresses. The same underlying problem might result in the
wrong peer being used after a hot reconfiguration, even if all peers have
distinct addresses.

Please report this bug to Squid bugzilla. This bug does not have a
trivial fix but hopefully somebody will volunteer to provide or sponsor one.


Thank you,

Alex.
P.S. The workarounds and workload cleanup suggested by Amos are good advice.
I just wanted to clearly classify this as a bug (rather than desirable
behavior), so providing or facilitating a quality fix would be welcomed.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Cache peer selection with duplicate host names

2017-04-23 Thread Amos Jeffries

On 24/04/17 14:12, squid-users wrote:

> Hi Squid users,
>
> I'm having some trouble understanding Squid's peer selection algorithms, in
> a configuration where multiple cache_peer lines reference the same host.
>
> The background to this is that we wish to present cache service using
> multiple accounts at an upstream provider, with account selection taking
> place based on the local TCP port (8080, 8181, 8282) the request arrived on.
>
> First we define the cache peers:
>
> cache_peer proxy.myisp.net parent 8080 0 login=staffuser:abc123 no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Staff
> cache_peer proxy.myisp.net parent 8080 0 login=guestuser:abc123 no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Guest
> cache_peer proxy.myisp.net parent 8080 0 login=PASS no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Student
>
> Then lock access down:
>
> acl localport_Staff localport 8282
> acl localport_Guest localport 8181
> acl localport_Student localport 8080


localport is taken from the TCP connection arriving into Squid. It may 
be different to the Squid listening port.


So what are your http(s)_port lines ?



> cache_peer_access Staff allow localport_Staff !localport_Guest !localport_Student
> cache_peer_access Guest allow localport_Guest !localport_Staff !localport_Student
> cache_peer_access Student allow localport_Student !localport_Guest !localport_Staff


You do not need these !blah pieces. No single TCP connection can have 
multiple destination ports. So when one of your ACLs matches, the others 
cannot match.




> To reproduce the error, first a connection is made with wget to tcp port
> 8282:
>
>    http_proxy=http://10.159.192.24:8282/ wget www.monash.edu --delete-after
>
> Squid selects the Staff profile as expected:
>
>    1492999376.993811 10.159.192.26 TCP_MISS/200 780195 GET http://www.monash.edu/ - FIRSTUP_PARENT/Staff text/html "EDU%20%20%20en" "Wget/1.12 (linux-gnu)"
>
> Then another connection is made, this time to port 8080:
>
>    http_proxy=http://10.159.192.24:8080/ wget www.monash.edu --delete-after
>
> But instead of the desired Student profile being selected, the Staff profile
> is still used instead:
>
>    1492999405.953338 10.159.192.26 TCP_MISS/200 780195 GET http://www.monash.edu/ - FIRSTUP_PARENT/Staff text/html "EDU%20%20%20en" "Wget/1.12 (linux-gnu)"
>
> I had a look in the cache.log with debug_options 44,6 enabled.  None of the
> messages reference the contents of the name= parameter in the cache_peer
> lines; only hostnames and IP addresses are mentioned.  I suspect that the
> peer selection algorithms have changed since Squid 3.1, whereby peers are
> now selected based on hostname (or IP address) rather than the name defined
> in the cache_peer line.  Is this correct?


No the peer selection still works based on the name.  But that name now 
gets translated to a list of IP:port destinations that can be tried by 
the forwarding logic.


I think what you are seeing is the side effect of the peers all having 
the same IP:port details versus HTTP persistent connections. When the 
forwarding logic looks for an open persistent connection for the Student 
IP:port it might get handed the existing Staff connection - since they 
both have the same IP:port they are the same server as far as HTTP is 
concerned.


You could try turning persistence to servers off


... or using a different port for each of the cache_peer lines and 
NAPT'ing them on the outgoing TCP connections back to what the upstream 
peer actually uses.



Amos

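The interaction Amos describes, as an added model that is not Squid's code: peer selection picks Staff/Guest/Student from the client's localport, but an idle-connection pool that is keyed only on the upstream host:port hands the Student request the socket that was opened as Staff, so the request leaves with the Staff login. The same model shows the two workarounds from the reply (persistence off, or distinct ports with NAT back to 8080) and the pool behaviour Alex says a fix must have (honour the selected peer, not just its address). Peer names, login= values, proxy.myisp.net:8080 and the local ports are from the thread; the pool/forward() shapes and the alternative ports 8081/8082 are assumptions made for the model.

```python
# Added model of cache_peer_access by localport feeding an idle
# persistent-connection pool.  Not Squid's implementation.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Peer:
    name: str    # cache_peer name=...
    host: str    # cache_peer hostname
    port: int    # cache_peer port
    login: str   # login=...; the traffic-affecting property that differs


@dataclass
class Conn:
    opened_as: Peer   # peer whose login= was sent when this socket was set up


class PconnPool:
    """Idle-connection pool.  key_by_peer=False models the reported
    behaviour (bucket chosen by destination host:port only); True models a
    pool that also honours the selected peer, as Alex says it must."""

    def __init__(self, key_by_peer: bool, persistent: bool = True) -> None:
        self.key_by_peer = key_by_peer
        self.persistent = persistent
        self.idle: Dict[tuple, List[Conn]] = {}

    def _key(self, peer: Peer) -> tuple:
        if self.key_by_peer:
            return (peer.host, peer.port, peer.name)
        return (peer.host, peer.port)

    def pop(self, peer: Peer) -> Optional[Conn]:
        bucket = self.idle.get(self._key(peer))
        return bucket.pop() if bucket else None

    def push(self, peer: Peer, conn: Conn) -> None:
        # server_persistent_connections off: sockets are never pooled
        if self.persistent:
            self.idle.setdefault(self._key(peer), []).append(conn)


# The three localport ACLs and their cache_peer_access rules, collapsed.
LOCALPORT_TO_PEER = {8282: "Staff", 8181: "Guest", 8080: "Student"}


def peers(distinct_ports: bool) -> Dict[str, Peer]:
    """The three cache_peer lines.  distinct_ports=True models Amos's second
    workaround: give each line its own port (8081/8082 are assumed values)
    and NAT them back to 8080 on the wire, so the pool keys differ."""
    ports = {"Staff": 8082, "Guest": 8081, "Student": 8080} if distinct_ports else {}
    host = "proxy.myisp.net"
    return {
        "Staff":   Peer("Staff",   host, ports.get("Staff", 8080),   "staffuser:abc123"),
        "Guest":   Peer("Guest",   host, ports.get("Guest", 8080),   "guestuser:abc123"),
        "Student": Peer("Student", host, ports.get("Student", 8080), "PASS"),
    }


def forward(pool: PconnPool, table: Dict[str, Peer], localport: int) -> str:
    """Select the peer for the client's localport, reuse an idle connection
    if the pool offers one, otherwise open a new one.  Returns the name of
    the peer whose credentials the request actually left with."""
    chosen = table[LOCALPORT_TO_PEER[localport]]
    conn = pool.pop(chosen) or Conn(opened_as=chosen)
    pool.push(chosen, conn)   # request done; socket goes back to idle
    return conn.opened_as.name


def run(localports: List[int], key_by_peer: bool,
        persistent: bool = True, distinct_ports: bool = False) -> List[str]:
    """Replay a sequence of client localports and report the peer login
    each request really used."""
    pool = PconnPool(key_by_peer, persistent)
    table = peers(distinct_ports)
    return [forward(pool, table, lp) for lp in localports]


if __name__ == "__main__":
    seq = [8282, 8080]   # Luke's repro: Staff port first, then Student port
    print("address-keyed pool   :", run(seq, key_by_peer=False))                  # ['Staff', 'Staff']
    print("peer-aware pool      :", run(seq, key_by_peer=True))                   # ['Staff', 'Student']
    print("persistence off      :", run(seq, key_by_peer=False, persistent=False))
    print("distinct ports + NAT :", run(seq, key_by_peer=False, distinct_ports=True))
```

The first line of output is the access.log symptom from the thread: FIRSTUP_PARENT/Staff for a request that arrived on the Student port. Only the pool key changes between the buggy and correct runs; the ACLs and the selected peer are identical, which is why debug_options 44,6 shows the right selection while the wrong credentials go out.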


[squid-users] Cache peer selection with duplicate host names

2017-04-23 Thread squid-users
Hi Squid users,

I'm having some trouble understanding Squid's peer selection algorithms, in
a configuration where multiple cache_peer lines reference the same host.

The background to this is that we wish to present cache service using
multiple accounts at an upstream provider, with account selection taking
place based on the local TCP port (8080, 8181, 8282) the request arrived on.

First we define the cache peers:

cache_peer proxy.myisp.net parent 8080 0 login=staffuser:abc123 no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Staff
cache_peer proxy.myisp.net parent 8080 0 login=guestuser:abc123 no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Guest
cache_peer proxy.myisp.net parent 8080 0 login=PASS no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Student

Then lock access down:

acl localport_Staff localport 8282
acl localport_Guest localport 8181
acl localport_Student localport 8080
cache_peer_access Staff allow localport_Staff !localport_Guest !localport_Student
cache_peer_access Guest allow localport_Guest !localport_Staff !localport_Student
cache_peer_access Student allow localport_Student !localport_Guest !localport_Staff

To reproduce the error, first a connection is made with wget to tcp port
8282:

  http_proxy=http://10.159.192.24:8282/ wget www.monash.edu --delete-after

Squid selects the Staff profile as expected:

  1492999376.993811 10.159.192.26 TCP_MISS/200 780195 GET http://www.monash.edu/ - FIRSTUP_PARENT/Staff text/html "EDU%20%20%20en" "Wget/1.12 (linux-gnu)"

Then another connection is made, this time to port 8080:

  http_proxy=http://10.159.192.24:8080/ wget www.monash.edu --delete-after

But instead of the desired Student profile being selected, the Staff profile
is still used instead:

  1492999405.953338 10.159.192.26 TCP_MISS/200 780195 GET http://www.monash.edu/ - FIRSTUP_PARENT/Staff text/html "EDU%20%20%20en" "Wget/1.12 (linux-gnu)"

I had a look in the cache.log with debug_options 44,6 enabled.  None of the
messages reference the contents of the name= parameter in the cache_peer
lines; only hostnames and IP addresses are mentioned.  I suspect that the
peer selection algorithms have changed since Squid 3.1, whereby peers are
now selected based on hostname (or IP address) rather than the name defined
in the cache_peer line.  Is this correct?  If so, is there any other way to
achieve the functionality outlined above (hit different usernames on an
upstream peer based on which localport the request arrived on?)

Cheers
Luke

