On Thu, 14 Oct 2004, Christoph Haas wrote:

Just to be sure: when I run through an "http_access allow ldapgroup42"
wouldn't then the cache be refreshed?

Yes, at the time of http_access.

So if I do the icap_access right
after that I would always have this information in the cache, right?

Provided there is absolutely nothing else within Squid which delays the request until icap_access is reached. I am not 100% familiar with where icap_access is in the code, but there are numerous points where requests may be delayed within Squid:


  - http_access acl processing
  - redirectors
  - peer selection
  - and many more.

If I am not mistaken the icap_access is after redirectors, so if you use redirectors there is a window while the request is being processed by the redirector where the cached acl information may expire between http_access and icap_access.

(Assumed that the TTL is greater than the time needed to look up the LDAP
group. My TTL is set to 60 seconds.)

The TTL is counted from the time the answer arrives.

I also assume that this behavior will not be removed shortly. Right?

Which?

The TTL is there permanently.

Over time more and more of the "fast only" acl lookups get converted to full acl lookups, allowing Squid to postpone the processing of the request until the required information is available.

Regards
Henrik
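
An added example, not part of the original message and not Squid code: a toy Python model of the window described above, where a cached group answer is still valid at http_access but expires during the redirector delay, so a cache-only ("fast") check at icap_access has nothing to use. All names, the 0.5 s helper latency and the delays are constructed; that a still-valid entry is used without being renewed, and that a fast miss is reported as "unknown", are modelling assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ExternalAclCache:
    """Toy TTL cache for external ACL (e.g. LDAP group) answers."""
    ttl: float                  # seconds an answer stays valid
    lookup_latency: float       # seconds the helper needs to answer
    entries: dict = field(default_factory=dict)   # key -> (answer, expires_at)

    def _fresh(self, key, now):
        entry = self.entries.get(key)
        return entry if entry and now < entry[1] else None

    def full_lookup(self, key, now, helper):
        """Full check: may postpone the request until the helper answers.
        Returns (answer, time at which processing continues)."""
        entry = self._fresh(key, now)
        if entry:
            return entry[0], now        # assumption: valid entry used as-is, not renewed
        arrived = now + self.lookup_latency
        answer = helper(key)
        self.entries[key] = (answer, arrived + self.ttl)  # TTL counted from answer arrival
        return answer, arrived

    def fast_lookup(self, key, now):
        """Cache-only check: cannot wait, so None means no usable answer."""
        entry = self._fresh(key, now)
        return entry[0] if entry else None

def process_request(cache, user, start, redirector_delay, helper):
    """http_access (full lookup) -> redirector delay -> icap_access (fast lookup)."""
    allowed, t = cache.full_lookup(user, start, helper)
    if not allowed:
        return "denied"
    known = cache.fast_lookup(user, t + redirector_delay)
    return "icap-acl-known" if known is not None else "icap-acl-unknown"

def in_group(user):             # constructed stand-in for the LDAP group helper
    return user == "alice"

cache = ExternalAclCache(ttl=60, lookup_latency=0.5)
# t=0: cache miss, answer arrives at 0.5, entry valid until 60.5.
first = process_request(cache, "alice", start=0, redirector_delay=2, helper=in_group)
# t=59: http_access still hits the entry, but the 2 s redirector delay
# carries the request past 60.5 before icap_access is evaluated.
second = process_request(cache, "alice", start=59, redirector_delay=2, helper=in_group)
# t=100: fresh lookup, but a redirector delay longer than the TTL loses it again.
third = process_request(cache, "alice", start=100, redirector_delay=70, helper=in_group)
print(first, second, third)
```

The second case is the one to watch for: the delay only has to outlast whatever lifetime the entry has left at http_access, not the whole TTL.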
