Re: [squid-users] Re: Squid and Splash page

2011-12-31 Thread Amos Jeffries

On 31/12/2011 9:12 p.m., ming wrote:

When I compiled 3.1.17 on Ubuntu 10.04 64-bit, I got the following error. Is
it a known issue?


Yes, and was fixed in the newer release. Please build the latest in the 
series when self-compiling.


Speaking of which, if you need eCAP, ICAP, or adaptation use the daily 
bug fix instead of 3.1.18 as there is a similar issue in that package 
for them.


Amos


Re: [squid-users] Re: Squid and Splash page

2011-12-30 Thread Amos Jeffries

On 30/12/2011 8:14 p.m., ming wrote:

I have these acl settings in my squid.conf

external_acl_type acexternal children=50 ttl=60 negative_ttl=1 %{X-MYAUTH} /usr/local/bin/acexternal localhost
acl iceauth external acexternal
http_access allow iceauth
http_access deny all

I turned on debug mode and see the following message. I noticed that there
is a message (in red) saying that the externalAclLookup: no need to work...
This custom external acl program should return OK, but because of the no
wait situation, it gets to the http_access deny all acl and the request
got denied

snip


===
Then I played around the acl and have the following setup using deny !
instead of allow on iceauth. But then I need to use allow all instead of
deny all...

external_acl_type acexternal children=50 ttl=60 negative_ttl=1 %{X-MYAUTH} /usr/local/bin/acexternal localhost
acl iceauth external acexternal
http_access deny !iceauth
http_access allow all

I noticed that in the debug message, the same no wait message above turned
into a will wait situation (see below message in red). Since it waits, it
got OK returned from the custom acl program.
It seems to work for what I need, but I need to use allow all, which I
don't really like.

snip


- Can you please explain why there is a no wait in the 1st setup, but
will wait in the 2nd setup?



In the wait case the input line is completely new and a lookup answer is 
waited for.


There is already a known answer in the no wait case. A re-check is 
scheduled, but there is no need to wait for that answer, Squid already 
has one it can use immediately.

...
externalAclLookup: no need to wait for the result of 
'Basic%20bXlLZXk6bXlWYWx1ZQ==' in 'acexternal' (ch=0x23a5698).

externalAclLookup: using cached entry 0x23adf58
externalAclLookup: entry = { date=1325109258, result=1, user= tag= 
log=myKey }

ACLChecklist::asyncInProgress: 0x23a5698 async set to 0
aclmatchAclList: async=1 nodeMatched=0 async_in_progress=0 
lastACLResult() = 0 finished() = 0


Note: result=1 is OK.  Why nodeMatched=0 happens is unclear. I think 
it should be =1 at that point.


There was a bug (#3412) fixed in the grace period handling in 3.1.17, 
does this still occur with the latest release?


If so can you please try the proposed patch from bug 3370 
(http://bugs.squid-cache.org/show_bug.cgi?id=3370). It does not seem 
directly related, but would be worth checking anyway.



- I don't want to use allow all. is there any better way to set the acl to
serve my need?


The first setup seems to be the right one. Once the bug is fixed.

Amos


Re: [squid-users] Re: Squid and Splash page

2011-12-30 Thread Amos Jeffries

On 31/12/2011 11:27 a.m., ming wrote:

Hi Amos

I saw there are two patches in this bug

Attachments
eacl: cache expired positive (780 bytes, patch)
2011-11-24 08:10 MST, Denis Kaganovich  Details | Diff

proposed fix for 3.1 (1.73 KB, patch)
2011-12-21 18:30 MST, Amos Jeffries Details | Diff
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

should I apply both?


Just the second one labeled proposed.

Amos


Re: [squid-users] Re: Squid and Splash page

2011-12-28 Thread Amos Jeffries

On 28/12/2011 3:19 p.m., Ming Pun wrote:
Thanks for the prompt response. It is very useful. I was playing 
external_acl_type to understand how it works.


a couple of questions
- when a request did not pass the external acl, I got an HTTP 403. How 
can I make it return 401 instead?


That is automatic when the %LOGIN tag is set for the helper input 
format. %LOGIN pulls credentials out of HTTP authentication headers.


Alternatively the latest squid can attach a deny_info display or 
redirect with custom status code when the ACL test is last on an access 
line (i.e. http_access deny).


- how do I write an external acl program to support concurrency? I 
followed some example on the internet. The program basically parses 
stdio for input parameters, and writes out the result to stdout?


Yes. The helper protocol is documented here 
http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29


Amos


Re: [squid-users] Re: Squid and Splash page

2011-12-27 Thread Amos Jeffries

On 28/12/2011 8:29 a.m., ming wrote:

I got a similar error, as follows:

2011/12/15 01:59:00.942| aclMatchExternal:
acexternal(Basic%20ZDA5NmQzYTItMDcxZS00ODViLTk3MDQtNzIyZGYzYWM2NTU2OjczZGMxOGI4LWY0ZGYtNDVhZi1hZDViLTllYTUyYTE2MDhkNA==)
= lookup needed
2011/12/15 01:59:00.942| aclMatchExternal:
Basic%20ZDA5NmQzYTItMDcxZS00ODViLTk3MDQtNzIyZGYzYWM2NTU2OjczZGMxOGI4LWY0ZGYtNDVhZi1hZDViLTllYTUyYTE2MDhkNA==:
entry=@0x3cecea8, age=69
2011/12/15 01:59:00.942| aclMatchExternal:
Basic%20ZDA5NmQzYTItMDcxZS00ODViLTk3MDQtNzIyZGYzYWM2NTU2OjczZGMxOGI4LWY0ZGYtNDVhZi1hZDViLTllYTUyYTE2MDhkNA==:
queueing a call.
2011/12/15 01:59:00.942| aclMatchExternal:
Basic%20ZDA5NmQzYTItMDcxZS00ODViLTk3MDQtNzIyZGYzYWM2NTU2OjczZGMxOGI4LWY0ZGYtNDVhZi1hZDViLTllYTUyYTE2MDhkNA==:
return -1.

I am using 3.1.16.
my external_acl_type is as follows:

external_acl_type acexternal children=20 ttl=60 negative_ttl=1 %{X-MYAUTH} /usr/local/bin/acexternal localhost

Am I hitting the same error?


What error? (you have erased the post history from your reply to this 
old [dead?] thread.)


And why are you passing clear-text username:password details in a custom 
header which could get cached? If you want to use auth please use the 
proper HTTP auth headers. Custom _schemes_ are permitted as long as they 
fit within the HTTP requirements (looks like you could use the Basic 
auth definitions with a different scheme name).




---
I found the following code segment in external_acl.cc


 if (acl->def->theHelper->stats.queue_size <= acl->def->theHelper->n_running) {
     debugs(82, 2, "aclMatchExternal: \"" << key << "\": queueing a call.");
     ch->changeState(ExternalACLLookup::Instance());
     debugs(82, 2, "aclMatchExternal: \"" << key << "\": return -1.");
     return -1; // to get here we have to have an expired cache entry. MUST not use.


Can you please explain in what situations this code segment will be
executed?


theHelper->stats.queue_size <= theHelper->n_running

More requests are queued to be processed than there are helpers to 
handle them.

Solutions:
 * increase your helper number,
 * alter your helper to support concurrency and adjust the squid.conf,
 * increase the helper response TTL, to serve more lookups out of the 
helper response cache.


Amos
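
Added example (not part of the thread and not Squid project code): a sketch of an external ACL helper that supports concurrency, as asked about in the 2011-12-28 message and suggested in the list of solutions above. It assumes the helper is started with the concurrency= option on the external_acl_type line, so each request line carries a channel-ID that must be echoed in the reply; the credential table is constructed from the sample token in the debug log, and the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Sketch of a concurrent Squid external ACL helper (added example)."""
import base64
import binascii
import hmac
import sys
from urllib.parse import unquote

# Constructed table for the example (the decoded sample token from the debug
# log); a real helper would query its own backend instead.
CREDENTIALS = {"myKey": "myValue"}


def check_token(token):
    """Return the verdict for one URL-encoded 'Basic <base64>' token."""
    scheme, _, blob = unquote(token).partition(" ")
    if scheme != "Basic":
        return "ERR"
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "ERR"  # malformed input is a denial, never a crash
    key, sep, value = decoded.partition(":")
    expected = CREDENTIALS.get(key)
    if not sep or expected is None:
        return "ERR"
    # Constant-time comparison of the secret part.
    if hmac.compare_digest(value.encode(), expected.encode()):
        return "OK log=" + key
    return "ERR"


def handle_line(line):
    """Map '<channel-ID> <token>' to '<channel-ID> <verdict>'."""
    fields = line.split()
    if len(fields) == 2 and fields[0].isdigit():
        return fields[0] + " " + check_token(fields[1])
    # No channel-ID: concurrency is off, so the line is just the token.
    return check_token(fields[0]) if len(fields) == 1 else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid reads from a pipe; never leave replies buffered


if __name__ == "__main__":
    main()
```

This sketch answers requests in arrival order; the channel-ID is what would let a threaded or asynchronous helper reply out of order.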