[squid-users] Introducing delay to HTTP 407 responses

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 4 11:18:43 UTC 2016 

On 4/10/2016 11:53 p.m., squid-users at filter.luko.org wrote:
> Eliezer,
> 
> Thankyou for your reply, I tried the following:
> 
>> Hey Luke,
>>
>> Try to use the next line instead:
>> external_acl_type delay ttl=1 negative_ttl=0 cache=0 %SRC %SRCPORT %URI /tmp/delay.pl
>>
>> And see what happens.
> 
> But it's not introducing a delay into the response.  Running strace across the pid of each child helper doesn't show any activity across those processes either.
> 

The purpose of that helper is to receive all lookups, and actively pause
responding to them. Having any TTL/cache values except "ttl=0
negative_ttl=0 cache=0" in those options bypasses the helper.


> I also tried the approach suggested by Amos:
> 
>> The outcome of that was a 'ext_delayer_acl helper in Squid-3.5
>>
>> <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_delayer_acl.html>
>>
>> It works slightly differently to what was being discussed in the thread.
>> see the man page for details on how to configure it.
> 
> Using the following config:
> 
> external_acl_type delay concurrency=100000 children-max=2 children-startup=1 children-idle=1 cache=10 %URI /tmp/ext_delayer_acl -w 1000 -d
> acl http-response-407 http_status 407
> acl delay-1sec external delay
> http_reply_access deny http-response-407 delay-1sec !all
> 
> Debug information from ext_delayer_acl is written to the cache log; I see the processes start up but they are not hit with any requests by Squid.  I also added %SRC %SRCPORT into the configuration, but that didn't seem to help either.
> 
> Would the developers be open to adding a configuration-based throttle to authentication responses, avoiding the need for an external helper?  Or alternatively, is there another way to slow down auth responses?  It's comprising about 90% of the log volume (450,000 requests/hr) in badly affected sites at the moment.
> 

This helper is the mechanism that we accepted. Anything else would be
far less useful.

I think the results you are getting show that the http_status ACL is not
working properly.

Can you get a "debug_options 28,5" cache.log trace and see if
"aclMatchHTTPStatus" is matching anything or "http-response-407" even
being tested?

Amos

More information about the squid-users mailing list