[squid-users] Proper Cache Peer Access

Amos Jeffries squid3 at treenet.co.nz
Fri Dec 16 11:41:34 UTC 2016

On 14/12/2016 2:56 p.m., creditu at eml.cc wrote:
> On Tue, Dec 13, 2016, at 06:33 PM, Amos Jeffries wrote:
>> On 14/12/2016 2:10 p.m., creditu wrote:
>>> Looking for the best way to provide cache peer access for two urls on a
>>> 3.1 accelerator.  For example if a set of backend servers fulfill
>>> requests for both www.example.com and www-legacy.example.com is the
>>> following the correct way to handle them in regards to the cache peer
>>> access? 
>> What you have works and is fine for simple setups like yours.
>> However, since you ask for "proper" ...
>> <snip>
>>> # Backend servers for www and www-legacy
>>> acl www dstdomain www.example.com
>>> acl www-legacy dstdomain www-legacy.example.com
>> Recommended practice, when you have same-type data and ACLs used in
>> identical ways like these ones, is to place both those domain values in
>> the one ACL named 'www'. That will simplify your access lines.
>> There are some tiny memory and (cumulative) speed gains. But the biggest
>> reason is easier understanding and maintenance of the config if/when it
>> gets more complex.
>> Amos
>> _______________
> Ah, so you would do something like this:
> acl www dstdomain www.example.com www-legacy.example.com
> cache_peer parent 80 0 no-query no-digest originserver round-robin
> cache_peer_access allow www
> cache_peer_access deny all
> . . .

I would, yes.

> I was worried about a situation that was detailed in
> http://wiki.squid-cache.org/SquidFaq/SquidAcl#And.2FOr_logic (the src
> address example).  Thanks

You are more likely to make that mistake with the differently named ACLs
config. That's part of the simplicity==good reasoning.

Using them as the only condition on different but sequential lines is an
OR condition. Putting two values in one named ACL is also an OR
condition. So for simple types like dstdomain the two ways of writing
'OR' are equivalent and the simpler way is better for reasons other than
technical ones (harder for us humans to make mistakes with).

For some ACL types which have side effects (like helper or remote data
lookups) the use of multiple allow/deny lines can behave differently
than one ACL check. Which can be useful if you want that, but not what
you have going on here.
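
The AND/OR behaviour discussed above, as an added example that is not part of the original message and is not Squid code: a simplified Python model of access-list evaluation, assuming exact-match dstdomain ACLs only and rule lists that end in an explicit "deny all". The function and variable names are hypothetical; the hostnames are the ones used in the thread.

```python
# Simplified model of Squid access-list evaluation (added illustration, not Squid code).
# Only exact-match dstdomain ACLs are modelled; hostnames are the thread's examples.

def acl_matches(acls, name, host):
    """A named ACL matches if ANY of its values matches (OR)."""
    if name == "all":
        return True
    return host.lower() in acls[name]

def check(acls, rules, host):
    """Lines are tried top to bottom; the first line whose ACLs ALL match decides."""
    for action, names in rules:
        if all(acl_matches(acls, n, host) for n in names):
            return action == "allow"
    return False  # not reached below: every rule list ends with 'deny all'

# Form 1: two ACLs, one per allow line (OR across lines).
SPLIT_ACLS = {"www": {"www.example.com"}, "www-legacy": {"www-legacy.example.com"}}
SPLIT_RULES = [("allow", ["www"]), ("allow", ["www-legacy"]), ("deny", ["all"])]

# Form 2: both domains in one ACL (OR inside the ACL).
MERGED_ACLS = {"www": {"www.example.com", "www-legacy.example.com"}}
MERGED_RULES = [("allow", ["www"]), ("deny", ["all"])]

# The mistake: both ACLs on ONE line are ANDed, and a request has only one
# destination domain, so the allow line can never match.
ANDED_RULES = [("allow", ["www", "www-legacy"]), ("deny", ["all"])]

def compare(hosts):
    """Return {host: (split, merged, anded)} decisions for each host."""
    return {h: (check(SPLIT_ACLS, SPLIT_RULES, h),
                check(MERGED_ACLS, MERGED_RULES, h),
                check(SPLIT_ACLS, ANDED_RULES, h)) for h in hosts}

if __name__ == "__main__":
    for host, result in compare(["www.example.com", "www-legacy.example.com",
                                 "other.example.com"]).items():
        print(f"{host:26} split={result[0]} merged={result[1]} anded={result[2]}")
```

The split and merged forms give the same decision for every host, while the ANDed line sends nothing to the peer.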

