[squid-users] External ACL doesn't used

Alexeyяр Gruzdov my.shellac at gmail.com
Sun Jun 4 12:30:06 UTC 2023 

Hello Amos!

Thank you very much for you explanation!

To be honest I didn’t get really what this issue was. This was really
strange.

Because ttl option of my external acl is 10 sec ( I really need this value )

Also I tried restart my squid docker and server at whole - and this didn’t
help. I saw in the log just silence of calling of my external helper ACL.
But this ext ACL helper must to call for each proxy request…..


Then I just to solved to restore from backup and got it working again. I
tend to think that it is possible to change the config - although it looks
doubtful….


Ok!
Thanks again !

On Sat, 3 Jun 2023 at 14:30, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 3/06/2023 3:14 am, Alexeyяр Gruzdov wrote:
> > So.ok. Looks like this is misconfig....
> > I just restore from backup and now works well
> >
>
> Great to hear. I will answer your question below anyway to help avoid
> future issues...
>
> > пт, 2 июн. 2023 г. в 18:05, Alexeyяр Gruzdov:
> >
> >     Hello Guys!
> >
> >     Could you explain me case when the external acl couldn't to be run
> >     by squid.
> >
>
> There are three cases when an "external" type ACL has troubles:
>
>   1) when there are OS permission issues with the helper binary/script.
>
> This can show up as either Squid not being allowed to run the helper, or
> as the helper existing (maybe "crashing") when it tries to use forbidden
> resources.
>
> 2) when the ACL is being checked in a "fast" group (aka synchronous)
> access check
>
> The helper lookup is asynchronous, so does not work inn the synchronous
> checks. However there is a cache of previous helper checks which may
> have the result - so long as there is an identical previous lookup whose
> result has not yet reached its TTL, this cache can supply the answer. So
> external ACL can have the **appearance** of working in simple tests or
> some types of traffic.
>
> 3) when the ACL is used conditionally
>
> Squid helpers are only started as-needed. Immediately after startup
> there may be traffic that goes through which does not need to check the
> external ACL, so the helper does not get started for a while. Also, as
> mentioned above there is the helper cache, so at time there may also be
> traffic that gets answered by that instead of waiting on the helper
> lookup. At times both of these may be having an effect, for example
> after a helper crash/exit or reconfigure of Squid.
>
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20230604/63d282c5/attachment.htm>

More information about the squid-users mailing list