[squid-users] behavior of external acl helper in Squid 3.5.13

Sreenath BH bhsreenath at gmail.com
Sat Jan 23 04:13:47 UTC 2016


Hi All,

Before posting I should have read the documentation completely.

I set both ttl and negative_ttl to zero, and it is working fine.

thanks,
Sreenath


On 1/22/16, Sreenath BH <bhsreenath at gmail.com> wrote:
> Hi
>
> I am using an external helper for authentication. I have just one
> http_access in squid.conf that refers to this external helper.
>
> I also have a url rewriter to which I pass some information using "tag"
> key.
> I observed that the acl is not invoked in several cases, just calling
> the url rewriter.
>
> Squid sometimes seems to skip acl phase and directly proceeds to url
> rewriter.
>
> Are there cases when squid proceeds without performing external acl?
> Please see log lines below:
>
> ------------------
> 2016/01/22 14:46:52.091 kid1| 23,3| url.cc(357) urlParse: urlParse:
> Split URL 'http://localhost:3000/file/download?key=XXXYYY' into
> proto='http', host='localhost', port='3000',
> path='/file/download?key=XXXYYY'
> 2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> 2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1309) helperDispatch:
> helperDispatch: Request sent to jio_helper #Hlpr4, 26 bytes
> 2016/01/22 14:46:52.091 kid1| 84,9| helper.cc(386) helperSubmit:
> buf[26]=/file/download?key=XXXYYY
>
> 2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(866) helperHandleRead:
> helperHandleRead: 18 bytes from jio_helper #Hlpr4
> 2016/01/22 14:46:52.091 kid1| 84,9| helper.cc(875) helperHandleRead:
> accumulated[18]=OK tag=something4
>
> 2016/01/22 14:46:52.091 kid1| 84,3| helper.cc(892) helperHandleRead:
> helperHandleRead: end of reply found
> 2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(29) parse: Parsing helper
> buffer
> 2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(48) parse: Buff length is
> larger than 2
> 2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
> 2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1309) helperDispatch:
> helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
> 2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(386) helperSubmit:
> buf[58]=http://localhost:3000/file/download?key=XXXYYY something4
>
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> *** http://localhost:3000/file/download?key=XXXYYY something4
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(866) helperHandleRead:
> helperHandleRead: 28 bytes from redirector #Hlpr2
> 2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(875) helperHandleRead:
> accumulated[28]=OK rewrite-url="something4"
>
> 2016/01/22 14:46:52.092 kid1| 84,3| helper.cc(892) helperHandleRead:
> helperHandleRead: end of reply found
> 2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(29) parse: Parsing helper
> buffer
> 2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(48) parse: Buff length is
> larger than 2
> 2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
> 2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1309) helperDispatch:
> helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
> 2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(386) helperSubmit:
> buf[58]=http://localhost:3000/file/download?key=XXXYYY something4
>
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
>
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(866) helperHandleRead:
> helperHandleRead: 28 bytes from redirector #Hlpr2
> 2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(875) helperHandleRead:
> accumulated[28]=OK rewrite-url="something4"
>
> 2016/01/22 14:46:52.092 kid1| 84,3| helper.cc(892) helperHandleRead:
> helperHandleRead: end of reply found
> 2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(29) parse: Parsing helper
> buffer
> 2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(48) parse: Buff length is
> larger than 2
> 2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
> 2016/01/22 14:46:52.092 kid1| ERROR: URL-rewrite produces invalid
> request: GET something4 HTTP/1.1
> 2016/01/22 14:46:52.092 kid1| 11,5| HttpRequest.cc(474) detailError:
> current error details: 6/0
> 2016/01/22 14:46:52.092 kid1| 11,2| client_side.cc(1391)
> sendStartOfMessage: HTTP Client local=[::1]:3000 remote=[::1]:35075 FD
> 9 flags=1
> 2016/01/22 14:46:52.092 kid1| 11,2| client_side.cc(1392)
> sendStartOfMessage: HTTP Client REPLY:
> ---------
> HTTP/1.1 500 Internal Server Error^M
> Server: squid/3.5.13^M
> Mime-Version: 1.0^M
> Date: Fri, 22 Jan 2016 14:46:52 GMT^M
> Content-Type: text/html;charset=utf-8^M
> Content-Length: 3889^M
> X-Squid-Error: ERR_CANNOT_FORWARD 0^M
> Vary: Accept-Language^M
> Content-Language: en^M
> X-Cache: MISS from TEJ-DL-CS-SERVER04^M
> Via: 1.1 TEJ-DL-CS-SERVER04 (squid/3.5.13)^M
> Connection: keep-alive^M
> ^M
>
> ----------
> 2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> 2016/01/22 14:47:13.103 kid1| 11,2| client_side.cc(2345)
> parseHttpRequest: HTTP Client local=[::1]:3000 remote=[::1]:35076 FD 9
> flags=1
> 2016/01/22 14:47:13.103 kid1| 11,2| client_side.cc(2346)
> parseHttpRequest: HTTP Client REQUEST:
> ---------
> GET /file/download?key=XXXYYY HTTP/1.1^M
> User-Agent: curl/7.37.1^M
> Host: localhost:3000^M
> Accept: */*^M
> ^M
>
> ----------
> 2016/01/22 14:47:13.103 kid1| 23,3| url.cc(357) urlParse: urlParse:
> Split URL 'http://localhost:3000/file/download?key=XXXYYY' into
> proto='http', host='localhost', port='3000',
> path='/file/download?key=XXXYYY'
> 2016/01/22 14:47:13.103 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
> GetFirstAvailable: Running servers 1
> 2016/01/22 14:47:13.103 kid1| 84,5| helper.cc(1309) helperDispatch:
> helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
> 2016/01/22 14:47:13.104 kid1| 84,9| helper.cc(386) helperSubmit:
> buf[58]=http://localhost:3000/file/download?key=XXXYYY something4
>
> *** http://localhost:3000/file/download?key=XXXYYY something4
> 2016/01/22 14:47:13.104 kid1| 84,5| helper.cc(866) helperHandleRead:
> helperHandleRead: 28 bytes from redirector #Hlpr2
> 2016/01/22 14:47:13.104 kid1| 84,9| helper.cc(875) helperHandleRead:
> accumulated[28]=OK rewrite-url="something4"
>
> 2016/01/22 14:47:13.104 kid1| 84,3| helper.cc(892) helperHandleRead:
> helperHandleRead: end of reply found
> 2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(29) parse: Parsing helper
> buffer
> 2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(48) parse: Buff length is
> larger than 2
> 2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
> 2016/01/22 14:47:13.104 kid1| ERROR: URL-rewrite produces invalid
> request: GET something4 HTTP/1.1
> 2016/01/22 14:47:13.104 kid1| 11,5| HttpRequest.cc(474) detailError:
> current error details: 6/0
> 2016/01/22 14:47:13.104 kid1| 11,2| client_side.cc(1391)
> sendStartOfMessage: HTTP Client local=[::1]:3000 remote=[::1]:35076 FD
> 9 flags=1
> 2016/01/22 14:47:13.104 kid1| 11,2| client_side.cc(1392)
> sendStartOfMessage: HTTP Client REPLY:
> ---------
> HTTP/1.1 500 Internal Server Error^M
> Server: squid/3.5.13^M
> Mime-Version: 1.0^M
> Date: Fri, 22 Jan 2016 14:47:13 GMT^M
> Content-Type: text/html;charset=utf-8^M
> Content-Length: 3889^M
> X-Squid-Error: ERR_CANNOT_FORWARD 0^M
> Vary: Accept-Language^M
> Content-Language: en^M
> X-Cache: MISS from TEJ-DL-CS-SERVER04^M
> Via: 1.1 TEJ-DL-CS-SERVER04 (squid/3.5.13)^M
> Connection: keep-alive^M
> ^M
> ----------------------------------
>
> Here is Squid.conf
>
> debug_options ALL,1 31,10 23,10 84,10 11,10,44
> redirect_rewrites_host_header off
>
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> ###http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> ###http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> ##  http_access allow localhost manager
> ##  http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
>
> external_acl_type jio_helper children-max=1 %PATH /usr/local/bin/acl
> acl AclName external jio_helper
> http_access allow AclName
>
> #http_access allow localnet
> #http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3000 accel defaultsite=mysite.com vhost
>
> url_rewrite_program /usr/local/bin/rewrite
> url_rewrite_extras "%et"
>
> # Uncomment and adjust the following to add a disk cache directory.
> #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /usr/local/squid/var/cache/squid
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> --------------
>
> As can be seen above, the first time a request was sent, the external
> ACL helper was called, and then the url rewrite was called. When the
> same request was repeated, squid skipped the acl helper, and proceeded
> with URL rewriter.
>
> If the acl helpers have exited, does squid stop processing requests?
>
> Also, does setting the "tag" or clt_conn_tag have any effect on the
> processing of requests by squid?
>
> thanks,
> Sreenath
>
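The behaviour Sreenath hit, where the external ACL helper answers once with `OK tag=something4` and the cached verdict is reused for the repeated request until `ttl` expires (so only the URL rewriter runs the second time), can be modelled in a few lines. This is an added example, not Squid's code or the poster's helper: the `helper` function, the fake clock and the `ExternalAclCache` class are constructed stand-ins for `/usr/local/bin/acl` and for the result cache behind `external_acl_type`, keyed here on the `%PATH` lookup string.

```python
import shlex

def parse_helper_reply(line):
    """Parse 'OK tag=something4' / 'ERR message="denied"' / 'BH' into
    (result, {key: value}); shlex strips the double quotes around values."""
    parts = shlex.split(line.strip())
    if not parts or parts[0] not in ("OK", "ERR", "BH"):
        raise ValueError("malformed helper reply: %r" % line)
    kv = {}
    for item in parts[1:]:
        key, sep, value = item.partition("=")
        if sep:
            kv[key] = value
    return parts[0], kv

class ExternalAclCache:
    """Model of external_acl_type result caching: verdicts are keyed by the
    formatted lookup string, OK entries live ttl seconds, ERR entries
    negative_ttl seconds, and a lifetime of 0 means the verdict is not cached."""
    def __init__(self, helper, ttl, negative_ttl, clock):
        self.helper, self.ttl, self.clock = helper, ttl, clock
        self.negative_ttl = ttl if negative_ttl is None else negative_ttl
        self.cache, self.helper_calls = {}, 0

    def check(self, key):
        """Return ((result, kv), from_cache); the helper runs only on a miss."""
        now = self.clock()
        entry = self.cache.get(key)
        if entry is not None and entry[0] > now:
            return entry[1], True          # cached verdict, helper skipped
        self.helper_calls += 1
        verdict = parse_helper_reply(self.helper(key))
        lifetime = self.ttl if verdict[0] == "OK" else self.negative_ttl
        if lifetime > 0:
            self.cache[key] = (now + lifetime, verdict)
        else:
            self.cache.pop(key, None)
        return verdict, False

def repeat_request(ttl, negative_ttl, path="/file/download?key=XXXYYY"):
    """Send the same request twice, one second apart, and return how many
    times the (constructed) ACL helper was actually consulted."""
    def helper(p):  # constructed stand-in for /usr/local/bin/acl
        return "OK tag=something4" if "key=XXXYYY" in p else "ERR"
    clock = [1453474012.0]  # constructed fake time source
    cache = ExternalAclCache(helper, ttl, negative_ttl, clock=lambda: clock[0])
    cache.check(path)
    clock[0] += 1.0
    cache.check(path)
    return cache.helper_calls
```

With the defaults (`ttl=3600`) the second identical request never reaches the helper; with `ttl=0 negative_ttl=0`, as in the fix above, every request is re-checked.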