[squid-dev] [PATCH] transaction_initiator ACL for detecting various unusual transactions

Amos Jeffries squid3 at treenet.co.nz
Sat Jun 10 13:02:06 UTC 2017


On 08/06/17 22:41, Christos Tsantilas wrote:
> This ACL is essential in several use cases, including:
>
> * After fetching a missing intermediate certificate, Squid uses the 
> regular cache (and regular caching rules) to store the response. Squid 
> deployments that do not want to cache regular traffic need to cache 
> fetched certificates and only them.
>
>   acl fetched_certificate transaction_initiator certificate-fetching
>   cache allow fetched_certificate
>   cache deny all
>
> * Many traffic policies and tools assume the existence of an HTTP 
> client behind every transaction. Internal Squid requests violate that 
> assumption. Identifying internal requests protects external ACLs, log 
> analysers, and other mechanisms from the transactions they mishandle.
>
>   acl skip_logging transaction_initiator internal
>   access_log ... !skip_logging
>
>
> The new transaction_initiator ACL classifies transactions based on 
> their initiator. Currently supported initiators are esi, 
> certificate-fetching, cache-digest, internal, client, and all. In the 
> future, the same ACL will be able to identify HTTP/2 push transactions 
> using the "server" initiator. See src/cf.data.pre for details.
>
> This is a Measurement Factory project.

+1, though could you please separate the redesign of the urlParse*() API 
from the ACL addition. They are changes that can be done in either order 
and are not interdependent. In fact the urlParse change is almost identical 
to one of the steps already taken in the class URI refactoring branch 
years back, and it is long overdue for merging.

Amos
