[squid-users] ICAP response to avoid backend
Amos Jeffries
squid3 at treenet.co.nz
Mon Feb 26 23:38:34 UTC 2024
On 26/02/24 06:52, Ed wrote:
> On 2024-02-24 17:26+0000, Ed wrote:
>> In varnish land this is doable in the vcl_miss hook, but I don't know
>> how to do that in squid.
>
> I think I found a way, but maybe there's a better method - I'd like the
> cache_peer_access to apply to all backends, but this does seem to do
> what I was after:
>
> acl bad_foo req_header ICAPHEADER -i foobar
> cache_peer_access server_1 deny bad_foo
>

Assuming that an ICAP service is controlling whether the peers are to be
used, that is the correct way.

However, if you have an ICAP service controlling whether a peer can be
used consider having the ICAP service just send Squid the final
response. There is a relatively huge amount of complexity, both in the
config and what Squid has to do slowing the transaction down just for
this maybe-a-HIT behaviour.

Alternatives to "cache_peer_access .. deny bad_foo" are:

A) "always_direct allow bad_foo",

If you want the request to be served, but using servers from a DNS
lookup instead of the configured cache_peer.

B) "miss_access deny bad_foo",

If you do not want the cache MISS to be answered at all.

It has been a while since I tested it, but IIRC with miss_access a
"deny_info" line may be used to change the default 403 error status into
another in the 200-599 status range. Which includes redirects,
retry-after, empty responses, and template page responses ... whichever
suits your need best.

Cheers
Amos
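
Added example, not part of the original message or of the Squid project's own documentation: a squid.conf sketch that puts the three options from this thread side by side. The ACL, header name and server_1 come from the quoted post; the ICAP service name and URL, the peer addresses, server_2 and the ERR_ICAP_REJECTED template name are constructed placeholders, and the deny_info pairing follows the recollection in the message and has not been tested here.

```squidconf
# Constructed example. Addresses, the ICAP URL, server_2 and the
# ERR_ICAP_REJECTED template are placeholders, not values from the thread.

# REQMOD service assumed to add "ICAPHEADER: foobar" to requests that
# must not reach a backend. bypass=off makes Squid fail the transaction
# when the service is unreachable instead of skipping the check.
icap_enable on
icap_service req_check reqmod_precache icap://127.0.0.1:1344/reqmod bypass=off
adaptation_access req_check allow all

# Backends (origin servers behind an accelerator-style Squid).
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=server_1
cache_peer 192.0.2.11 parent 80 0 no-query originserver name=server_2

# ACL from the quoted post: matches the header set by the ICAP service.
acl bad_foo req_header ICAPHEADER -i foobar

# ---- Enable ONE of the following blocks ----

# Approach from the quoted post: cache_peer_access is per peer, so every
# configured backend needs its own deny line.
cache_peer_access server_1 deny bad_foo
cache_peer_access server_2 deny bad_foo

# A) Still serve the request, but from servers found by DNS lookup
#    instead of the configured cache_peer entries.
#always_direct allow bad_foo

# B) Do not answer the cache MISS at all. One rule covers all peers.
#    The deny_info line swaps the default 403 for another status plus a
#    custom template (hypothetical file in Squid's error directory).
#miss_access deny bad_foo
#miss_access allow all
#deny_info 503:ERR_ICAP_REJECTED bad_foo
```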