[squid-users] Possible to use reply_header_add directive with acl random access list ?

--Ahmad-- ahmed.zaeem at netstream.ps
Wed Jul 17 11:55:13 UTC 2019


Hi Amos, thank you for your info.

Indeed, I read about the reply header ACL, that:

##############################################
One or more Squid ACLs may be specified to restrict header
	injection to matching responses. As always in squid.conf, all
	ACLs in the ACL list must be satisfied for the insertion to
	happen. The reply_header_add option supports fast ACLs only.

	See also: request_header_add.
#################################################

I'm not sure what I need to make the output a single value and not multiple values.

About your question:
> 1- why multiple replies do we receive not single reply ?

What do you mean by "multiple replies" ?
----> I mean I would like the result to be as below:

* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: A
< 
12.13.100.1
* Connection #0 to host 12.13.100.250 left intact



* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: B
< 
12.13.100.2
* Connection #0 to host 12.13.100.250 left intact




* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: C
< 
12.13.100.3
* Connection #0 to host 12.13.100.250 left intact


* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: D
< 
12.13.100.4
* Connection #0 to host 12.13.100.250 left intact



###############################################


Check the 4 tests above ... that is what I want the result to be.
If I have external IP 12.13.100.4, the header should be single and = < start: D
If I go external 12.13.100.3, the header should be single and = < start: C
If I go external 12.13.100.2, the header should be single and = < start: B
If I go external 12.13.100.1, the header should be single and = < start: B


So basically I want 1 answer matching the ACL:

acl half10000 random 1/10
acl half10001 random 1/9
acl half10002 random 1/8
acl half10003 random 1/7
acl half10004 random 1/6
acl half10005 random 1/5
acl half10006 random 1/4
acl half10007 random 1/3
acl half10008 random 1/2
acl half10009 random 1/1



As you see above, the ACLs should be matching single values, not multiple values.

And when I get multiple header replies it doesn't satisfy my needs.


What do you think, Amos?


Thanks again


> On 17 Jul 2019, at 14:42, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> On 17/07/19 9:41 pm, --Ahmad-- wrote:
>> Hi Alex, 
>> acl half10000 random 1/10
>> acl half10001 random 1/9
>> acl half10002 random 1/8
>> acl half10003 random 1/7
>> acl half10004 random 1/6
>> acl half10005 random 1/5
>> acl half10006 random 1/4
>> acl half10007 random 1/3
>> acl half10008 random 1/2
>> acl half10009 random 1/1
>> ########################################
>> reply_header_add start "A" half10000
>> reply_header_add start "B" half10001
>> reply_header_add start "C" half10002
>> reply_header_add start "D" half10003
>> reply_header_add start "E" half10004
>> reply_header_add start "F" half10005
>> reply_header_add start "G" half10006
>> reply_header_add start "H" half10007
>> reply_header_add start "I" half10008
>> reply_header_add start "J" half10009
>> ##############################
>> tcp_outgoing_address 12.13.100.1 half10000
>> tcp_outgoing_address 12.13.100.2 half10001
>> tcp_outgoing_address 12.13.100.3 half10002
>> tcp_outgoing_address 12.13.100.4 half10003
>> tcp_outgoing_address 12.13.100.5 half10004
>> tcp_outgoing_address 12.13.100.6 half10005
>> tcp_outgoing_address 12.13.100.7 half10006
>> tcp_outgoing_address 12.13.100.8 half10007
>> tcp_outgoing_address 12.13.100.9 half10008
>> tcp_outgoing_address 12.13.100.10 half10009
>> 
>> 
>> 
>> curl -x 12.13.100.250:2000    -U hi:hi  ifconfig.io  -v
>> 
>> * Rebuilt URL to: ifconfig.io/
>> *   Trying 12.13.100.250...
>> * TCP_NODELAY set
>> * Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
>> * Proxy auth using Basic with user 'hi'
>>> GET http://ifconfig.io/ HTTP/1.1
>>> Host: ifconfig.io
>>> Proxy-Authorization: Basic YmVuOmJlbg==
>>> User-Agent: curl/7.54.0
>>> Accept: */*
>>> Proxy-Connection: Keep-Alive
>>> 
>> < HTTP/1.1 200 OK
>> < Date: Wed, 17 Jul 2019 09:34:57 GMT
>> < Content-Type: text/plain; charset=utf-8
>> < Content-Length: 40
>> < Connection: keep-alive
>> < start: G
>> < start: F
>> < start: E
>> < start: E
>> < 
>> 12.13.100.2 
>> * Connection #0 to host 12.13.100.250 left intact
>> 
> 
> That reply does look strange. "E" should only occur once, and "J" is
> missing.
> 
> 
>> 
>> another Hit :
>> 
>> 
>> curl -x 12.13.100.250:2000    -U hi:hi  ifconfig.io  -v
>> 
>> * Rebuilt URL to: ifconfig.io/
>> *   Trying 12.13.100.250...
>> * TCP_NODELAY set
>> * Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
>> * Proxy auth using Basic with user 'hi'
>>> GET http://ifconfig.io/ HTTP/1.1
>>> Host: ifconfig.io
>>> Proxy-Authorization: Basic YmVuOmJlbg==
>>> User-Agent: curl/7.54.0
>>> Accept: */*
>>> Proxy-Connection: Keep-Alive
>>> 
>> < HTTP/1.1 200 OK
>> < Date: Wed, 17 Jul 2019 09:34:57 GMT
>> < Content-Type: text/plain; charset=utf-8
>> < Content-Length: 40
>> < Connection: keep-alive
>> < start: F
>> < start: A
>> < start: J
>> < start: I
>> < 
>> 12.13.100.6
>> 
>> 
>> 
>> So as you see above, I have multiple replied headers, not a single one.
>> And the replied headers are even wrong.
>> So I receive wrong multiple results.
>> 
> 
> reply_header_add does not stop with the first matching line like
> http_access. Each is checked to see if that value is to be added.
> 
> So naturally each letter has a random chance of being added.
> 
> In other words;
> You have configured Squid to add the header "start" between 0 and 10
> times, with a selection of letters.
> 
> 
> The tcp_outgoing_address check for which IP address to use is
> independent of what headers are added. That directive *does* stop on
> first matching line.
> 
> 
>> 
>> My questions are:
>> 
>> 1- why multiple replies do we receive not single reply ?
> 
> What do you mean by "multiple replies" ?
> 
> 
>> 2- Why are the received replies wrong? I expect a single reply based on the random ACLs we set up.
>> 
> 
> Every time a "random" type ACL is tested a new random number is selected
> and checked against the match:non-match ratio you configure.
> 
> 
> 
>> do we need other stuff with random acl to have it work with header directive ?
>> 
> 
> The ACL works as designed. You appear to have missed the fact that each
> check/test of the ACL uses a different randomly selected number.
> 
> 
> Amos
More information about the squid-users mailing list
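
Added example, not part of the original thread and not Squid's own code: a small Python model of the two evaluation rules Amos describes, using the ratios, letters and addresses from the quoted configuration. It assumes each `random` ACL test is an independent draw; the function names are hypothetical. It shows why first-match evaluation spreads traffic evenly over the ten addresses while all-match evaluation emits about three `start` headers that rarely agree with the chosen address.

```python
import random
from fractions import Fraction

# Ratios from the thread: half10000 = 1/10 ... half10009 = 1/1
RATIOS = [Fraction(1, d) for d in range(10, 0, -1)]
LETTERS = "ABCDEFGHIJ"
ADDRESSES = [f"12.13.100.{i}" for i in range(1, 11)]

def random_acl(ratio, rng):
    """Model of one 'random' ACL test: a fresh draw on every evaluation."""
    return rng.random() < ratio

def first_match(rng):
    """tcp_outgoing_address rule: stop at the first matching line."""
    for addr, ratio in zip(ADDRESSES, RATIOS):
        if random_acl(ratio, rng):
            return addr
    return None  # unreachable here because the last ratio is 1/1

def all_matches(rng):
    """reply_header_add rule: every line is tested, each with its own draw."""
    return [c for c, ratio in zip(LETTERS, RATIOS) if random_acl(ratio, rng)]

def first_match_probabilities():
    """Exact chance that each line wins under first-match evaluation."""
    probs, remaining = [], Fraction(1)
    for ratio in RATIOS:
        probs.append(remaining * ratio)
        remaining *= 1 - ratio
    return probs

def expected_header_count():
    """Exact mean number of 'start' headers under all-match evaluation."""
    return sum(RATIOS)

def simulate(n=20000, seed=1):
    """Return (mean headers per reply, share of replies with one correct tag)."""
    rng = random.Random(seed)
    total_headers = consistent = 0
    for _ in range(n):
        addr = first_match(rng)
        headers = all_matches(rng)
        total_headers += len(headers)
        # The tag is usable only if it is single and names the chosen address.
        if len(headers) == 1 and headers[0] == LETTERS[ADDRESSES.index(addr)]:
            consistent += 1
    return total_headers / n, consistent / n
```

In this model the header and the outgoing address come from separate draws, so the header cannot be used to infer which address a request left from.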