[squid-users] Debugging http_access and http_reply_access

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 4 04:06:29 UTC 2016


On 4/02/2016 1:21 p.m., squid-users wrote:
>> debug_options 11,2 28,3
>>
>> 11,2 gives you the HTTP messages.
>> 28,3 gives you the ACL processing action and results.
>>
>> It's a bit like quantum mechanics at the moment though. You can know
>> the request message details. OR you can know the ACL matching. Not both
>> at once.
>>
>>
>>> Are there any other debug sections which would be more appropriate 
>>> to the task?  If not, is there another more suitable approach?
>>
>> Why exactly are you doing this? What are you trying to achieve with it?
> 
> The intent is to record which rule matched each request, for accounting & historical purposes.  

That does not explain what you are trying to achieve.


> And also to help less-technical administrators to find (& resolve)
> unexpected behaviour in their http_access policies.

Hmm. What you are asking for will not help very much at all in that
direction unless the config is highly complex or very large. In which
case a medium->high level of knowledge will be needed to go beyond "it's
broken" anyway and the process of debugging would be best to involve
isolating the HTTP transaction on a test server where the above debug
outputs can be done to see what's going on.

Specifically it's most often not the rule that matched which matters, it's
the entire trail of how Squid managed to reach that rule. i.e. that 28,3
debug trace.


>  Ideally, it
> would be great to be able to get this information through observation
> alone, without making changes to a live config.

That is possible now. Though admittedly it does take understanding of
how access controls work to read it. But then so does everything. The
very words I've just written require you to have prior knowledge of
English and literacy just to understand. Some knowledge levels are just
mandatory.

If one has a basic level of understanding how Squid access controls work
(see http://wiki.squid-cache.org/SquidFaq/SquidAcls - don't be afraid of
the page length, it repeats a lot to ensure different types of people
understand properly) and a copy of the HTTP message (the 11,2 data),
then it is fairly easy to eyeball the squid.conf and track what Squid
will do during the matching of that message.

Experience (or lack of it) only determines how _fast_ one can trace it.
Even a beginner should be able to do it given a few dozen minutes for
most configs. Most of what I/we do here is point out obvious things
people overlook because they are seeing what they expect to see, not
what is actually written.

Amos
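
Added example, not part of the original message and not Squid code: a simplified Python model of the manual trace described above, walking http_access lines in order against one request and recording every ACL test on the way to the verdict. The sample squid.conf and requests are constructed, only the src, port and dstdomain ACL types are modelled, and the trail format is this example's own, not Squid's 28,3 output.

```python
import ipaddress
SAMPLE_CONF = """# constructed sample config, not taken from the thread
acl localnet src 10.0.0.0/8 192.168.0.0/16
acl Safe_ports port 80 443 1025-65535
acl blocked dstdomain .example.net
http_access deny !Safe_ports
http_access allow localnet !blocked
http_access deny all
"""

def parse(conf):
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []  # IPv4 stand-in for built-in "all"
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"]:
            # repeated "acl NAME ..." lines add values to the same ACL
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def value_matches(kind, value, req):
    if kind == "src":
        return ipaddress.ip_address(req["src"]) in ipaddress.ip_network(value)
    if kind == "port":
        lo, _, hi = value.partition("-")
        return int(lo) <= req["port"] <= int(hi or lo)
    if kind == "dstdomain":  # a leading dot also matches subdomains
        host = req["host"].lower()
        return host == value.lstrip(".") or (value.startswith(".") and host.endswith(value))
    raise ValueError("ACL type not modelled in this example: " + kind)

def trace(conf, req):
    """Return (action, trail); trail lists each ACL test made, in order."""
    (acls, rules), trail = parse(conf), []
    for n, (action, names) in enumerate(rules, 1):
        for name in names:
            kind, values = acls[name.lstrip("!")]
            hit = any(value_matches(kind, v, req) for v in values)  # values are ORed
            ok = hit != name.startswith("!")  # "!" negates the ACL result
            trail.append(f"http_access#{n} {name} = {int(ok)}")
            if not ok:
                break  # ACLs on one line are ANDed: first failure skips the line
        else:
            return action, trail  # first line whose ACLs all match decides
    # no line matched: default is the opposite of the last line (deny if none)
    return ("allow" if rules and rules[-1][0] == "deny" else "deny"), trail

if __name__ == "__main__":
    print(trace(SAMPLE_CONF, {"src": "10.1.2.3", "host": "www.example.net", "port": 80}))
```

For the sample request the deciding line is "deny all", but the trail shows the real cause: "!blocked" failed on line 2, which is the point made above about the trail mattering more than the matching rule.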


