[squid-users] After a Successful PURGE, Still Get TCP-DENIED

Amos Jeffries squid3 at treenet.co.nz
Sun Dec 14 05:29:48 UTC 2014


On 14/12/2014 5:49 p.m., dkovacevic wrote:
> I have an external_acl_type directive which returns "OK" or "ERR"
> depending on a database query.

Ok.

> 
> The problem is this: when the database is updated, which should
> permit the site to be accessed,

Ok.

> Squid has the previous response cached,

Irrelevant. ACL managing *access* to an object does not matter where
it comes from, the only thing that matters is whether access is
allowed/denied.

> the result being continued "access denied" responses until either
> Squid is restarted or the result expires (where?).

generated != cached.

"Access denied" object is being generated by Squid. Results
*generated* by Squid are not cached by Squid.

> 
> I attempted to clear the cache by using PURGE request via
> squidclient, which is successful in clearing the cache, but not the
> result decision (TCP-DENIED). After running the PURGE, doing a
> refresh in browser causes another lookup in Squid - but Squid then
> returns "access-denied" (no database query).
> 
> What do I need to do to force Squid to check the ACL after a
> browser refresh?

You seem to be mistaking what is cached.

1) The DB has an internal cache of query/response, the DB lookup
result from the helper may be coming from there. SQL/relational
databases' ACID compliance prevents this cache interfering if the DB
has been updated, but if you are using a NoSQL database or distributed
cluster DB it can affect things quite badly.

2) Some helpers have internal caches to quickly respond to queries.
external ACL helpers not so much because of #3, but this is a possibility.

3) Squid has a cache for each helper's responses. Such that if you send
the same query twice the repeats get serviced quickly from the helper
cache. This is controlled by the various ttl=, negative_ttl= and
cache= options of external_acl_type directive.
  http://www.squid-cache.org/Doc/config/external_acl_type/

4) Squid has an HTTP object cache for *external* server produced
objects in the HTTP traffic.
 - PURGE is an HTTP method, it only affects this cache.


I think #3 is what you are having trouble with. The default is 60
minutes caching for helper responses. So there will be a 1 hour delay
between updating the DB and any change visible in Squid HTTP responses.

Amos

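
The helper-result cache from point 3, shown as a squid.conf fragment with the untuned directive beside one that sets ttl= and negative_ttl=. This is an added example, not configuration from the thread: the ACL name `db_check`, the helper path and the TTL values are assumptions.

```conf
# Added example, not from the original thread. The ACL name "db_check", the
# helper path and the TTL values below are assumptions chosen for illustration.

# Before: no ttl options, so every OK/ERR answer from the helper stays in
# Squid's helper-result cache for the default period (60 minutes, per the
# reply above). PURGE never touches this cache; it only removes objects
# from the HTTP object cache.
# external_acl_type db_check %DST /usr/local/bin/db_acl_helper

# After: keep OK answers for 60 seconds and ERR answers for 10 seconds.
#   ttl=          bounds how long a site stays reachable after the database
#                 starts denying it (revocation delay).
#   negative_ttl= bounds how long a newly permitted site keeps returning
#                 TCP_DENIED after the database starts allowing it.
external_acl_type db_check ttl=60 negative_ttl=10 %DST /usr/local/bin/db_acl_helper

# Bind the helper to an ACL and use it for the access decision.
acl db_allowed external db_check
http_access allow db_allowed
http_access deny all
```

Shorter TTLs mean more helper and database queries, so size them against the acceptable delay between a database update and the change in Squid's answers. `squid -k parse` checks the file before `squid -k reconfigure` applies it.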
