[squid-dev] [PATCH] transaction_initiator ACL for detecting various unusual transactions

Christos Tsantilas christos at chtsanti.net
Mon Jun 12 20:29:34 UTC 2017


On 10/06/2017 04:02 PM, Amos Jeffries wrote:
> On 08/06/17 22:41, Christos Tsantilas wrote:
>> This ACL is essential in several use cases, including:
>>
>> * After fetching a missing intermediate certificate, Squid uses the 
>> regular cache (and regular caching rules) to store the response. Squid 
>> deployments that do not want to cache regular traffic need to cache 
>> fetched certificates and only them.
>>
>>   acl fetched_certificate transaction_initiator certificate-fetching
>>   cache allow fetched_certificate
>>   cache deny all
>>
>> * Many traffic policies and tools assume the existence of an HTTP 
>> client behind every transaction. Internal Squid requests violate that 
>> assumption. Identifying internal requests protects external ACLs, log 
>> analysers, and other mechanisms from the transactions they mishandle.
>>
>>   acl skip_logging transaction_initiator internal
>>   access_log ... !skip_logging
>>
>>
>> The new transaction_initiator ACL classifies transactions based on 
>> their initiator. Currently supported initiators are esi, 
>> certificate-fetching, cache-digest, internal, client, and all. In the 
>> future, the same ACL will be able to identify HTTP/2 push transactions 
>> using the "server" initiator. See src/cf.data.pre for details.
>>
>> This is a Measurement Factory project.
> 
> +1, though could you please separate the redesign of urlParse*() API 
> from the ACL addition. They are changes that can be done in either order 
> and not interdependent. In fact the urlParse change is almost identical 
> to one of the steps already taken in the class URI refactoring branch 
> years back and long overdue being merged.


The urlParse changes were committed as r15191 and 15193.
The patch implementing the transaction_initiator acl was applied as r15194.



> 
> Amos
> 