[squid-users] annotation and fast / slow acl

FUSTE Emmanuel emmanuel.fuste at thalesgroup.com
Tue Jun 20 10:55:21 UTC 2017


Hello,

I need to select a cache peer based on the user group.
As cache_peer_access needs a fast acl to have a predictable result, I tried to
- annotate transactions with "note"
- match the annotation with a fast acl
- use the acl in the cache_peer_access directive

But I still got a warning about a slow acl in use where fast ones are required.
Am I missing something?
I saw a proper configuration for something like that in the mailing list
but can no longer find it.

Log:

2017/06/20 12:13:37.024 kid1| 82,2| external_acl.cc(788) aclMatchExternal: ldap_group("anne.test ACCESINTERNET") = lookup needed
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(791) aclMatchExternal: "anne.test ACCESINTERNET": queueing a call.
2017/06/20 12:13:37.025 kid1| 28,2| Checklist.cc(123) goAsync: 0x7ffde8afc0e0 a fast-only directive uses a slow ACL!
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(793) aclMatchExternal: "anne.test ACCESINTERNET": no async support!
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(794) aclMatchExternal: "anne.test ACCESINTERNET": return -1.
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(788) aclMatchExternal: ldap_group("anne.test ACCESCHARGEDECOM") = lookup needed
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(791) aclMatchExternal: "anne.test ACCESCHARGEDECOM": queueing a call.
2017/06/20 12:13:37.025 kid1| 28,2| Checklist.cc(123) goAsync: 0x7ffde8afc0e0 a fast-only directive uses a slow ACL!
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(793) aclMatchExternal: "anne.test ACCESCHARGEDECOM": no async support!
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(794) aclMatchExternal: "anne.test ACCESCHARGEDECOM": return -1.
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(788) aclMatchExternal: ldap_group("anne.test INITIAL") = lookup needed
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(791) aclMatchExternal: "anne.test INITIAL": queueing a call.
2017/06/20 12:13:37.025 kid1| 28,2| Checklist.cc(123) goAsync: 0x7ffde8afc0e0 a fast-only directive uses a slow ACL!
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(793) aclMatchExternal: "anne.test INITIAL": no async support!
2017/06/20 12:13:37.026 kid1| 82,2| external_acl.cc(794) aclMatchExternal: "anne.test INITIAL": return -1.

conf:

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8002        # multiling http
acl Safe_ports port 8080        # multiling http
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
acl StandardUser external ldap_group ACCESINTERNET
acl VIPUser external ldap_group ACCESCHARGEDECOM
acl NoNetUser external ldap_group INITIAL
acl hostnoauth src "/etc/squid/hosts_noauth"
acl urlnoauth url_regex "/etc/squid/urls_noauth"

note profil StdUser StandardUser
note profil VIP VIPUser
note profil NoNet NoNetUser
acl match-StandardUser note profil StdUser
acl match-VIPUser note profil VIP
acl match-NoNetUser note profil NoNet

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow urlnoauth hostnoauth
http_access allow AuthorizedUsers
http_access deny all
http_port 3128
http_port 10.10.10.10:8080
http_port 10.10.10.10:8002
http_port 10.10.10.10:8001

nonhierarchical_direct off

cache_peer 10.10.10.10         parent   8080     0  name=server_std
cache_peer 10.10.10.10         parent   8002     0  name=server_vip
cache_peer 10.10.10.10         parent   8002     0  name=server_urlnoauth
cache_peer 127.0.0.1             parent     80     0  name=server_nonet

never_direct allow all
always_direct deny all

cache_peer_access server_std allow match-StandardUser
cache_peer_access server_std deny all
cache_peer_access server_vip allow match-VIPUser
cache_peer_access server_vip deny all
cache_peer_access server_nonet allow match-NoNetUser
cache_peer_access server_nonet deny all
cache_peer_access server_urlnoauth allow urlnoauth
cache_peer_access server_urlnoauth deny all
cache_mem 2048 MB

maximum_object_size_in_memory 50 MB
logformat squid [%tl] %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt

debug_options ALL,2
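
An added example (not part of the original post and not Squid code): a Python script that scans cache.log output in the format shown above and reports which external ACL lookups were attempted from a fast-only directive. The function name is hypothetical, and the sample lines are copied from the log in the post.

```python
import re
from collections import Counter

# Sample input: six lines copied from the cache.log excerpt in the post.
SAMPLE_LOG = """\
2017/06/20 12:13:37.024 kid1| 82,2| external_acl.cc(788) aclMatchExternal: ldap_group("anne.test ACCESINTERNET") = lookup needed
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(791) aclMatchExternal: "anne.test ACCESINTERNET": queueing a call.
2017/06/20 12:13:37.025 kid1| 28,2| Checklist.cc(123) goAsync: 0x7ffde8afc0e0 a fast-only directive uses a slow ACL!
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(788) aclMatchExternal: ldap_group("anne.test ACCESCHARGEDECOM") = lookup needed
2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(791) aclMatchExternal: "anne.test ACCESCHARGEDECOM": queueing a call.
2017/06/20 12:13:37.025 kid1| 28,2| Checklist.cc(123) goAsync: 0x7ffde8afc0e0 a fast-only directive uses a slow ACL!
"""

# timestamp, worker, debug section/level, source location, function, message
LINE = re.compile(r'^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| (?P<sec>\d+),(?P<lvl>\d+)\| '
                  r'(?P<src>\S+) (?P<func>\w+): (?P<msg>.*)$')
# e.g. ldap_group("anne.test ACCESINTERNET") = lookup needed
LOOKUP = re.compile(r'^(?P<helper>\w+)\("(?P<args>[^"]*)"\) = lookup needed$')
FAST_ONLY = "a fast-only directive uses a slow ACL!"


def slow_acl_in_fast_context(log_text):
    """Count fast-only warnings per (external helper name, helper arguments)."""
    pending = {}      # worker -> last external lookup that needed the helper
    hits = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a debug line in the expected format
        kid, func, msg = m["kid"], m["func"], m["msg"]
        if func == "aclMatchExternal":
            lookup = LOOKUP.match(msg)
            if lookup:
                pending[kid] = (lookup["helper"], lookup["args"])
        elif func == "goAsync" and msg.endswith(FAST_ONLY):
            # Attribute the warning to the lookup that preceded it on this worker.
            hits[pending.pop(kid, ("unknown", ""))] += 1
    return hits


if __name__ == "__main__":
    for (helper, args), count in slow_acl_in_fast_context(SAMPLE_LOG).items():
        print(f"{count:3d}  {helper}  {args}")
```

The helper arguments are reported verbatim, since how they split into user and group depends on the external_acl_type format, which the post does not show.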


