Re: [squid-users] Re: Squid and Splash page
On 31/12/2011 9:12 p.m., ming wrote:
> When I compiled 3.1.17 on Ubuntu 10.04 64bit, I got the following error. Is it a known issue?

Yes, and was fixed in the newer release. Please build the latest in the series when self-compiling.

Speaking of which, if you need eCAP, ICAP, or adaptation use the daily bug fix instead of 3.1.18 as there is a similar issue in that package for them.

Amos
Re: [squid-users] Re: Squid and Splash page
On 30/12/2011 8:14 p.m., ming wrote:
> I have these acl settings in my squid.conf
>
> external_acl_type acexternal children=50 ttl=60 negative_ttl=1 %{X-MYAUTH} /usr/local/bin/acexternal localhost
> acl iceauth external acexternal
> http_access allow iceauth
> http_access deny all
>
> I turned on debug mode and see the following message. I noticed that there is a message (in red) saying that the externalAclLookup: no need to work... This custom external acl program should return OK, but because of the no wait situation, it gets to the http_access deny all acl and the request got denied

snip

> ===
> Then I played around with the acl and have the following setup using deny ! instead of allow on iceauth. But then I need to use allow all instead of deny all...
>
> external_acl_type acexternal children=50 ttl=60 negative_ttl=1 %{X-MYAUTH} /usr/local/bin/acexternal localhost
> acl iceauth external acexternal
> http_access deny !iceauth
> http_access allow all
>
> I noticed that in the debug message, the same no wait message above turned into a will wait situation (see below message in red). Since it waits, it got OK returned from the custom acl program. It seems to work for what I need but I need to use allow all that I don't really like.

snip

> - Can you please explain why there is a no wait in the 1st setup, but will wait in the 2nd setup?

In the wait case the input line is completely new and a lookup answer is waited for.
There is already a known answer in the no wait case. A re-check is scheduled, but there is no need to wait for that answer, Squid already has one it can use immediately.

> ...
> externalAclLookup: no need to wait for the result of 'Basic%20bXlLZXk6bXlWYWx1ZQ==' in 'acexternal' (ch=0x23a5698).
> externalAclLookup: using cached entry 0x23adf58
> externalAclLookup: entry = { date=1325109258, result=1, user= tag= log=myKey }
> ACLChecklist::asyncInProgress: 0x23a5698 async set to 0
> aclmatchAclList: async=1 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0

Note: result=1 is OK.
Why nodeMatched=0 happens is unclear. I think it should be =1 at that point.

There was a bug (#3412) fixed in the grace period handling in 3.1.17, does this still occur with the latest release?
If so can you please try the proposed patch from bug 3370 (http://bugs.squid-cache.org/show_bug.cgi?id=3370). It does not seem directly related, but would be worth checking anyway.

> - I don't want to use allow all. Is there any better way to set the acl to serve my need?

The first setup seems to be the right one. Once the bug is fixed.

Amos
Re: [squid-users] Re: Squid and Splash page
On 31/12/2011 11:27 a.m., ming wrote:
> Hi Amos
> I saw there are two patches in this bug
>
> Attachments
> eacl: cache expired positive (780 bytes, patch) 2011-11-24 08:10 MST, Denis Kaganovich Details | Diff
> proposed fix for 3.1 (1.73 KB, patch) 2011-12-21 18:30 MST, Amos Jeffries Details | Diff
> Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)
>
> Should I apply both?

Just the second one labeled proposed.

Amos
Re: [squid-users] Re: Squid and Splash page
On 28/12/2011 3:19 p.m., Ming Pun wrote:
> Thanks for the prompt response. It is very useful. I was playing with external_acl_type to understand how it works. A couple of questions:
> - When a request did not pass the external acl, I got a HTTP 403. How can I make it return 401 instead?

That is automatic when the %LOGIN tag is set for the helper input format. %LOGIN pulls credentials out of HTTP authentication headers.
Alternatively the latest squid can attach a deny_info display or redirect with custom status code when the ACL test is last on an access line (ie http_access deny).

> - How do I write an external acl program to support concurrency? I followed some example on the internet. The program basically parses stdio for input parameters, and writes out the result to stdout?

Yes. The helper protocol is documented here http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29

Amos
Re: [squid-users] Re: Squid and Splash page
On 28/12/2011 8:29 a.m., ming wrote:
> I got a similar error as follows:
>
> 2011/12/15 01:59:00.942| aclMatchExternal: acexternal(Basic%20ZDA5NmQzYTItMDcxZS00ODViLTk3MDQtNzIyZGYzYWM2NTU2OjczZGMxOGI4LWY0ZGYtNDVhZi1hZDViLTllYTUyYTE2MDhkNA==) = lookup needed
> 2011/12/15 01:59:00.942| aclMatchExternal: Basic%20ZDA5NmQzYTItMDcxZS00ODViLTk3MDQtNzIyZGYzYWM2NTU2OjczZGMxOGI4LWY0ZGYtNDVhZi1hZDViLTllYTUyYTE2MDhkNA==: entry=@0x3cecea8, age=69
> 2011/12/15 01:59:00.942| aclMatchExternal: Basic%20ZDA5NmQzYTItMDcxZS00ODViLTk3MDQtNzIyZGYzYWM2NTU2OjczZGMxOGI4LWY0ZGYtNDVhZi1hZDViLTllYTUyYTE2MDhkNA==: queueing a call.
> 2011/12/15 01:59:00.942| aclMatchExternal: Basic%20ZDA5NmQzYTItMDcxZS00ODViLTk3MDQtNzIyZGYzYWM2NTU2OjczZGMxOGI4LWY0ZGYtNDVhZi1hZDViLTllYTUyYTE2MDhkNA==: return -1.
>
> I am using 3.1.16. My external_acl_type is as follows:
>
> external_acl_type acexternal children=20 ttl=60 negative_ttl=1 %{X-MYAUTH} /usr/local/bin/acexternal localhost
>
> Am I hitting the same error?

What error? (you have erased the post history from your reply to this old [dead?] thread.)

And why are you passing clear-text username:password details in a custom header which could get cached?
If you want to use auth please use the proper HTTP auth headers. Custom _schemes_ are permitted as long as they fit within the HTTP requirements (looks like you could use the Basic auth definitions with a different scheme name).

> ---
> I found the following code segment in external_acl.cc
>
> if (acl-def-theHelper-stats.queue_size= acl-def-theHelper-n_running) {
>     debugs(82, 2, aclMatchExternal: \ key \: queueing a call.);
>     ch-changeState(ExternalACLLookup::Instance());
>     debugs(82, 2, aclMatchExternal: \ key \: return -1.);
>     return -1; // to get here we have to have an expired cache entry. MUST not use.
>
> Can you please explain in what situations this code segment will be executed?

theHelper-stats.queue_size= theHelper-n_running

More requests are queued to be processed than there are helpers to handle them.

Solutions:
* increase your helper number,
* alter your helper to support concurrency and adjust the squid.conf,
* increase the helper response TTL, to serve more lookups out of the helper response cache.

Amos
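
Added example, not code from the thread or from the Squid project: a Python external ACL helper that speaks the channel-ID form of the helper protocol. It covers both the 28/12 question about supporting concurrency and the "alter your helper to support concurrency" item above. It assumes `concurrency=` is set on the `external_acl_type` line, that the `%{X-MYAUTH}` value arrives URL-encoded as in the debug output quoted in the thread, and a constructed in-memory credential table (`VALID`, `check_token` and `handle_line` are illustrative names).

```python
import base64
import hmac
import sys
from urllib.parse import quote, unquote

# Constructed credential table (assumption); a real helper queries its own backend.
VALID = {"myKey": "myValue"}


def check_token(token):
    """Validate a URL-encoded 'Basic <base64(user:secret)>' value; return (ok, user)."""
    scheme, _, blob = unquote(token).partition(" ")
    if scheme != "Basic" or not blob:
        return False, ""  # header absent (Squid sends "-") or wrong scheme
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False, ""
    user, _, secret = decoded.partition(":")
    expected = VALID.get(user)
    if expected is None:
        return False, ""
    # Constant-time comparison so reply timing does not leak the secret.
    return hmac.compare_digest(secret.encode(), expected.encode()), user


def handle_line(line):
    """Turn one request line '<channel-ID> <token>' into '<channel-ID> OK ...' or '<channel-ID> ERR'."""
    channel, _, token = line.strip().partition(" ")
    ok, user = check_token(token)
    if ok:
        # Escape the value so whitespace in it cannot split the reply line.
        return f"{channel} OK log={quote(user, safe='')}"
    return f"{channel} ERR"


def main():
    for line in sys.stdin:
        # The channel ID ties each reply to its request, so replies may go out in any order.
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits on the pipe; never leave a reply buffered


if __name__ == "__main__":
    main()
```

The helper can be exercised without Squid by piping a line such as `0 Basic%20bXlLZXk6bXlWYWx1ZQ==` into it, which is the key shown in the debug output quoted in the thread.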