[squid-users] annotation and fast / slow acl

FUSTE Emmanuel emmanuel.fuste at thalesgroup.com
Tue Jun 20 11:02:56 UTC 2017


On 20/06/2017 at 12:55, FUSTE Emmanuel wrote:
> Hello,
>
> I need to select a cache peer based on the user group.
> As cache_peer_access needs a fast ACL to give a predictable result, I tried to
> - annotate transactions with "note"
> - match the annotation with a fast acl
> - use the acl in the cache_peer_access directive
>
> But I still get warnings about a slow ACL being used where a fast one is required.
> Am I missing something?
> I saw a proper configuration for something like that on the mailing list
> but can no longer find it.
>
> Log:
>
> 2017/06/20 12:13:37.024 kid1| 82,2| external_acl.cc(788) aclMatchExternal: ldap_group("anne.test ACCESINTERNET") = lookup needed
> 2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(791) aclMatchExternal: "anne.test ACCESINTERNET": queueing a call.
> 2017/06/20 12:13:37.025 kid1| 28,2| Checklist.cc(123) goAsync: 0x7ffde8afc0e0 a fast-only directive uses a slow ACL!
> 2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(793) aclMatchExternal: "anne.test ACCESINTERNET": no async support!
> 2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(794) aclMatchExternal: "anne.test ACCESINTERNET": return -1.
> 2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(788) aclMatchExternal: ldap_group("anne.test ACCESCHARGEDECOM") = lookup needed
> 2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(791) aclMatchExternal: "anne.test ACCESCHARGEDECOM": queueing a call.
> 2017/06/20 12:13:37.025 kid1| 28,2| Checklist.cc(123) goAsync: 0x7ffde8afc0e0 a fast-only directive uses a slow ACL!
> 2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(793) aclMatchExternal: "anne.test ACCESCHARGEDECOM": no async support!
> 2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(794) aclMatchExternal: "anne.test ACCESCHARGEDECOM": return -1.
> 2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(788) aclMatchExternal: ldap_group("anne.test INITIAL") = lookup needed
> 2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(791) aclMatchExternal: "anne.test INITIAL": queueing a call.
> 2017/06/20 12:13:37.025 kid1| 28,2| Checklist.cc(123) goAsync: 0x7ffde8afc0e0 a fast-only directive uses a slow ACL!
> 2017/06/20 12:13:37.025 kid1| 82,2| external_acl.cc(793) aclMatchExternal: "anne.test INITIAL": no async support!
> 2017/06/20 12:13:37.026 kid1| 82,2| external_acl.cc(794) aclMatchExternal: "anne.test INITIAL": return -1.
>
> conf:
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 8002        # multiling http
> acl Safe_ports port 8080        # multiling http
> acl CONNECT method CONNECT
> acl AuthorizedUsers proxy_auth REQUIRED
> acl StandardUser external ldap_group ACCESINTERNET
> acl VIPUser external ldap_group ACCESCHARGEDECOM
> acl NoNetUser external ldap_group INITIAL
> acl hostnoauth src "/etc/squid/hosts_noauth"
> acl urlnoauth url_regex "/etc/squid/urls_noauth"
>
> note profil StdUser StandardUser
> note profil VIP VIPUser
> note profil NoNet NoNetUser
> acl match-StandardUser note profil StdUser
> acl match-VIPUser note profil VIP
> acl match-NoNetUser note profil NoNet
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access allow urlnoauth hostnoauth
> http_access allow AuthorizedUsers
> http_access deny all
> http_port 3128
--------
> http_port 10.10.10.10:8080
> http_port 10.10.10.10:8002
> http_port 10.10.10.10:8001
Forget this block: anonymization error.
-------
>
> nonhierarchical_direct off
>
> cache_peer 10.10.10.10         parent   8080     0  name=server_std
> cache_peer 10.10.10.10         parent   8002     0  name=server_vip
> cache_peer 10.10.10.10         parent   8002     0  name=server_urlnoauth
> cache_peer 127.0.0.1             parent     80     0  name=server_nonet
>
> never_direct allow all
> always_direct deny all
>
> cache_peer_access server_std allow match-StandardUser
> cache_peer_access server_std deny all
> cache_peer_access server_vip allow match-VIPUser
> cache_peer_access server_vip deny all
> cache_peer_access server_nonet allow match-NoNetUser
> cache_peer_access server_nonet deny all
> cache_peer_access server_urlnoauth allow urlnoauth
> cache_peer_access server_urlnoauth deny all
> cache_mem 2048 MB
>
> maximum_object_size_in_memory 50 MB
> logformat squid [%tl] %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
>
> debug_options ALL,2
>

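The following is an added example configuration, not the poster's file and not a reply from the list. It keeps the same design (three ldap_group lookups annotated into the "profil" note, then matched with note ACLs in cache_peer_access) and only rearranges it around one fact that the debug log above exposes: "note" is itself a fast-only directive, exactly like cache_peer_access, so "note profil StdUser StandardUser" is the line that fails ("a fast-only directive uses a slow ACL!"). A fast check of an external ACL can read a cached helper result but cannot start a lookup. http_access is a slow directive and may run the helper, and the log shows the note evaluation happening after authentication (the lookup key already carries the user name), so referencing each ldap_group ACL from http_access first populates the external ACL cache that the fast directives then consume. The external_acl_type line is not in the post; the helper path, its elided site-specific options ("...") and the ttl values are assumptions.

```conf
## Added example, not the poster's configuration. Same design as the post,
## rearranged so that fast-only directives never need to start an external lookup.

# Assumed helper line (not shown in the post). Site-specific ext_ldap_group_acl
# options are left out ("..."). %LOGIN matches the "user GROUP" cache keys seen
# in the debug log; negative results are cached as well (negative_ttl).
external_acl_type ldap_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/ext_ldap_group_acl ...

acl AuthorizedUsers proxy_auth REQUIRED
acl StandardUser external ldap_group ACCESINTERNET
acl VIPUser      external ldap_group ACCESCHARGEDECOM
acl NoNetUser    external ldap_group INITIAL
acl hostnoauth   src       "/etc/squid/hosts_noauth"
acl urlnoauth    url_regex "/etc/squid/urls_noauth"

# "note" only supports fast ACLs: it can read a cached external ACL result
# but cannot wait for the helper. For one key, the first value whose ACL
# matches wins, so the groups are tested in this order.
note profil StdUser StandardUser
note profil VIP     VIPUser
note profil NoNet   NoNetUser
acl match-StandardUser note profil StdUser
acl match-VIPUser      note profil VIP
acl match-NoNetUser    note profil NoNet

# Safe_ports / CONNECT / manager / localhost rules as in the post go here.
http_access allow urlnoauth hostnoauth

# http_access is a slow directive, so it is allowed to run the helper.
# Each of these lines admits only users the final "allow AuthorizedUsers"
# would admit anyway; their job is to perform the ldap_group lookups, in the
# same order the "note" lines test them, so every result the "note" lines
# need is already in the external ACL cache when they run.
http_access allow AuthorizedUsers StandardUser
http_access allow AuthorizedUsers VIPUser
http_access allow AuthorizedUsers NoNetUser
http_access allow AuthorizedUsers
http_access deny all

nonhierarchical_direct off
never_direct allow all
always_direct deny all

cache_peer 10.10.10.10 parent 8080 0 name=server_std
cache_peer 10.10.10.10 parent 8002 0 name=server_vip
cache_peer 10.10.10.10 parent 8002 0 name=server_urlnoauth
cache_peer 127.0.0.1   parent   80 0 name=server_nonet

# cache_peer_access is fast-only too; the note ACLs only read the annotation
# set above, so no helper call can be triggered from here.
cache_peer_access server_std       allow match-StandardUser
cache_peer_access server_std       deny  all
cache_peer_access server_vip       allow match-VIPUser
cache_peer_access server_vip       deny  all
cache_peer_access server_nonet     allow match-NoNetUser
cache_peer_access server_nonet     deny  all
cache_peer_access server_urlnoauth allow urlnoauth
cache_peer_access server_urlnoauth deny  all
```

With this ordering, a second request from the same user within the ttl hits the cache in http_access as well, so the "lookup needed ... no async support ... return -1" sequence from the log should no longer appear at debug_options 82,2. If the goal is only peer selection and the annotation is not needed for logging, the same pre-evaluation in http_access also lets cache_peer_access use StandardUser, VIPUser and NoNetUser directly.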