[squid-users] Advice on Cache Peer ACLs

Alex Rousskov rousskov at measurement-factory.com
Fri Aug 30 17:41:53 UTC 2019


On 8/30/19 11:44 AM, creditu at eml.cc wrote:
> We use several squid servers in accelerator mode for load balancing to send public requests to backend servers.   The squids don't do any caching, they just forward requests to the backend. 
> 
> We have cache_peer directives to send the incoming requests to the backend Apache servers.  What I need to do is send requests to a certain page to a specific backend server and all others to the  other backends.  The site has many pages, subpages etc.  
> 
> What I want to do is if someone requests:
> https://www.example.com/anything/anything/script.php   or https://origin-www.example.com/anything/anything/etc/etc/script.php
> 
> Send the request to only .1, .2, .3.
> 
> If someone requests:
> https://www.example.com/anything/tst/map2/script.php   or https://origin-www.example.com/anything/anything/tst/map1/etc/script.php
> 
> Send that request only to .4 and .5.
> 
> It seems to work most of the time, but tailing the access logs on the servers I sometimes see one of the requests for ../tst/map2/... or map1 show up on .1, .2, or .3.


Do Squid access logs have the corresponding records as well? What cache
peer selection algorithm does Squid record for those misdirected
transactions?


> Is there something I'm missing?

Could Squid go direct to one of those origin servers (e.g., when all
eligible cache peers were down)?

BTW, please note that your cache_peer_access rules look inconsistent:
Your cache_peer_access .1-3 rules require certain domain names but .4-5
rules do not. This does not explain the discrepancy you are describing
above, but you may want to adjust your rules for consistency's sake
(either to ignore dstdomain completely or to require correct domains for
all cache peers).


HTH,

Alex.


> acl all_requests dstdomain -n www.example.com origin-www.example.com
> acl limited  url_regex -i /tst/map1|/tst/map2
> 
> 
> cache_peer 192.168.1.1 parent 80 0 no-query no-digest connect-fail-limit=10 weight=1 originserver round-robin
> cache_peer_access 192.168.1.1 deny limited
> cache_peer_access 192.168.1.1 allow all_requests
> cache_peer_access 192.168.1.1 deny all
> 
> cache_peer 192.168.1.2 parent 80 0 no-query no-digest connect-fail-limit=10 weight=1 originserver round-robin
> cache_peer_access 192.168.1.2 deny limited
> cache_peer_access 192.168.1.2 allow all_requests
> cache_peer_access 192.168.1.2 deny all
> 
> cache_peer 192.168.1.3 parent 80 0 no-query no-digest connect-fail-limit=10 weight=1 originserver round-robin
> cache_peer_access 192.168.1.3 deny limited
> cache_peer_access 192.168.1.3 allow all_requests
> cache_peer_access 192.168.1.3 deny all
> 
> cache_peer 192.168.1.4 parent 80 0 no-query no-digest connect-fail-limit=10 weight=1 originserver round-robin
> cache_peer_access 192.168.1.4 allow limited
> cache_peer_access 192.168.1.4 deny all
> 
> cache_peer 192.168.1.5 parent 80 0 no-query no-digest connect-fail-limit=10 weight=1 originserver round-robin
> cache_peer_access 192.168.1.5 allow limited
> cache_peer_access 192.168.1.5 deny all
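
One way to answer the access-log question raised in the reply, as an added example that is not part of the original thread: the script below scans Squid access.log records for requests whose peer does not match the routing intended by the quoted rules and reports the hierarchy code Squid recorded. It assumes Squid's native log format; the sample lines are constructed, and the function name `misdirected` is hypothetical.

```python
import re

# Same pattern as the "limited" ACL in the quoted config (url_regex -i).
LIMITED = re.compile(r"/tst/map1|/tst/map2", re.IGNORECASE)
LIMITED_PEERS = {"192.168.1.4", "192.168.1.5"}

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1567186913.101 12 203.0.113.7 TCP_MISS/200 5120 GET https://www.example.com/a/b/script.php - ROUND_ROBIN_PARENT/192.168.1.2 text/html
1567186913.340 15 203.0.113.8 TCP_MISS/200 2048 GET https://www.example.com/a/tst/map2/script.php - ROUND_ROBIN_PARENT/192.168.1.4 text/html
1567186914.002 31 203.0.113.9 TCP_MISS/200 2048 GET https://origin-www.example.com/a/b/TST/MAP1/x/script.php - HIER_DIRECT/192.168.1.1 text/html
1567186914.500 9 203.0.113.7 TCP_MISS/200 2048 GET https://www.example.com/a/b/script.php - ROUND_ROBIN_PARENT/192.168.1.5 text/html
"""

def misdirected(log_text):
    """Return (url, hierarchy_code, peer, reason) for each routing violation."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "/" not in fields[8]:
            continue  # not a native-format record
        url = fields[6]
        code, _, peer = fields[8].partition("/")
        if peer == "-":
            continue  # nothing was forwarded (e.g. HIER_NONE)
        is_limited = bool(LIMITED.search(url))
        if is_limited and peer not in LIMITED_PEERS:
            findings.append((url, code, peer, "limited URL left the .4/.5 pool"))
        elif not is_limited and peer in LIMITED_PEERS:
            findings.append((url, code, peer, "general URL reached the .4/.5 pool"))
    return findings

if __name__ == "__main__":
    for url, code, peer, reason in misdirected(SAMPLE_LOG):
        print(f"{reason}: {code} -> {peer}  {url}")
```

A hierarchy code of HIER_DIRECT on a flagged record means Squid bypassed the cache_peer rules entirely, which is the case the reply asks about.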

