Re: [squid-users] How to trick splay trees?

[Eliezer Croitoru]

On 7/31/2012 12:50 PM, Jannis Kafkoulas wrote:
Thanks for the quick answer!
Now I see that I didn't express myself precisely enough :-(

"to also go via  cache_peer par-alt." wasn't meant as an alternative (either or) but as 
"as well as the domain ".fa-intracomp.net" :-)

in other words, abc.intracomp.com should be directed only to par-alt.

...

thanks

so it's pretty simple..
as the acls goes for first "HITS" there is nothing to trick the splay 
trees but just use a more explicit ACLS with a "deny" one first.

##start
acl alt dstdomain .fa-intracomp.net
acl std dstdomain .intracomp.com
acl alt-2 dstdom_regex -i abc.intracomp.com

cache_peer 192.10.10.22    parent    3128    0     no-query login=PASS 
proxy-only no-digest name=par-std
cache_peer 192.10.10.22    parent    80    0     no-query login=PASS 
proxy-only no-digest name=par-alt
#first use an explicit dney for the abc...
# so first this domain will not pass using this proxy
# then allow the other proxy.
# and it's recommended to separate the acls for the two proxies.
cache_peer_access  par-std deny alt-2
cache_peer_access  par-alt  allow alt-2
cache_peer_access  par-alt  allow alt
cache_peer_access  par-std  allow std
##end

i would put it in my squid.conf in another order for it t be more 
understandable for the human eye\mind to match the algorithm that squid 
uses for acls.

##start

#acls part with notes about purpose of each acl if neede.
acl alt dstdomain .fa-intracomp.net
acl std dstdomain .intracomp.com
acl alt-2 dstdom_regex -i abc.intracomp.com


#cache peers part:

#cache peer 1
cache_peer 192.10.10.22    parent    3128    0     no-query login=PASS 
proxy-only no-digest name=par-std

#cache peer 1 acls
cache_peer_access  par-std deny alt-2
cache_peer_access  par-std  allow std
#....


#cache peer 2
cache_peer 192.10.10.22    parent    80    0     no-query login=PASS 
proxy-only no-digest name=par-alt

#cache peer 2 acls
cache_peer_access  par-alt  allow alt-2
cache_peer_access  par-alt  allow alt

##end

so you do know which proxy will match first explictly
you will have the acls ordered per cache_peer and there for you see 
better how squid will approach to the cache_peers.

Regards,
Eliezer



--- El Lun 30/7/12, Amos Jeffries <squ...@treenet.co.nz> escribió:

De: Amos Jeffries <squ...@treenet.co.nz>
Asunto: Re: [squid-users] How to trick splay trees?
Para: squid-users@squid-cache.org
Fecha: Lunes 30 de Julio de 2012 15:25
On 31/07/2012 1:25 a.m., Jannis
Kafkoulas wrote:
Hi,

(I use squid 2.7. STABLE9 on RedHat EL 5.6)

Following problem:

I have following dstdomains defined
going to par-std and par-alt  cache_peers
respectively:

acl alt dstdomain .fa-intracomp.net
acl std dstdomain .intracomp.com

Now I'd like  "abc.intracomp.com"  to also go
via  cache_peer par-alt.

Following two tries didn't work:

# acl alt-2 dstdom_regex -i abc.intracomp.com
# acl alt dstdomain abc.intracomp.com

The dstdomain one is faster. Both are correct for your
requested policy.
The key word you stated being "also" ...


The requests were sent to par-std cache_peer

cache_peer 192.10.10.22    parent
   3128    0     no-query
login=PASS proxy-only no-digest name=par-std
cache_peer 192.10.10.22    parent
   80    0     no-query
login=PASS proxy-only no-digest name=par-alt

cache_peer_access  par-alt  allow alt-2
cache_peer_access  par-alt  allow alt
cache_peer_access  par-std  allow std


Is there a way for that to work at all?

Unless given some specific selection algorithm (digest, ICP,
hshes,
carp, roundrobin etc) Squid lists peers in configuration
order when
attemping to pass traffic.

As I said above the key word in your policy statements is
"also" - with
both peers *available* for use Squid will pick the first one
that works.
With par-std being listed first your logs will show it being
used until
such time as it becomes unresponsive or overloaded. Then
par-alt will
pick up the slack for that one domain.

I think you are looking at the logs and seeing only par-std,
thinking
its not working when actually it is. You can test by
changing the order
of cache_peer definitions in your config and seeing the
preferred peer
switch to the par-alt when the new ACL is added.

NOTE: you canot send a request via *both* using TCP unicast
links, just one.

Amos



--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il