<div dir="ltr"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Consider merging multiple cache_peer_access rules for the same<br>cache_peer into one rule (using all-of and any-of ACLs).</blockquote><div><br></div><div>That is a great tip, thanks!</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">You can also outsource peer selection to an external ACL, leaving one<br>simple cache_peer_access rule (with a single note ACL) for each<br>cache_peer in squid.conf.</blockquote><div><br></div><div>Actually, I am already doing this, however, there is still a long list of cache_peer, cache_peer_access, cache_peer_deny rules, and note ACL rules,<br></div><div>to make sure every user goes to the right place, as you mentioned this is not a CPU friendly approach either, so I will give serious thought</div><div>about modifying the Squid code.</div><div><br></div><div>Thank you,</div><div>Roee.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 22, 2021 at 8:53 PM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 12/22/21 11:56 AM, roee klinger wrote:<br>
<br>
> Currently, Squid is a bit problematic when dealing with many cach_peers, <br>
> it requires a lot of configurations for each cach_peer, which makes the<br>
> configuration file big and takes a performance toll.<br>
<br>
Consider merging multiple cache_peer_access rules for the same<br>
cache_peer into one rule (using all-of and any-of ACLs).<br>
<br>
You can also outsource peer selection to an external ACL, leaving one<br>
simple cache_peer_access rule (with a single note ACL) for each<br>
cache_peer in squid.conf.<br>
<br>
And with some Squid code modifications, one can even let an external ACL<br>
select the cache_peer to use without extra cache_peer_access checks.<br>
This feature would be similar to the existing X-Next-Services routing<br>
functionality in Squid adaptation code.<br>
<br>
Finally, one can invest into optimizing/fixing Squid code to eliminate<br>
unnecessary repeated cache_peer_access checks, probably saving a lot of<br>
CPU cycles for Squid instances with many (or complex) cache_peer_access<br>
rules.<br>
<br>
<br>
Cheers,<br>
<br>
Alex.<br>
<br>
> On Wed, Dec 22, 2021 at 6:44 PM Alex Rousskov wrote:<br>
> <br>
> On 12/22/21 11:29 AM, roee klinger wrote:<br>
> > cache_peer 100.70.162.11 parent 16211 0 proxy-only default<br>
> name=proxy16211<br>
> > cache_peer 100.70.162.12 parent 16212 0 proxy-only default<br>
> name=proxy16212<br>
> > cache_peer 100.70.162.13 parent 16213 0 proxy-only default<br>
> name=proxy16213<br>
> > acl peer_group_162 peername_regex -i proxy162.*\b<br>
> ><br>
> > Followed by:<br>
> > cache_peer_access peer_group_162 allow admin162<br>
> <br>
> According to documentation, the cache_peer_access directive requires a<br>
> peer name (or a peer host name) as the second parameter. Your<br>
> configuration is using a string "peer_group_162", which is not a name of<br>
> any cache_peer.<br>
> <br>
> AFAICT, while you can use peername_regex to _match_ a group of<br>
> cache_peers, you still have to name a specific peer as the second<br>
> parameter of the cache_peer_access rule. That effectively defeats the<br>
> purpose of using peername_regex in this case! It was wrong for me to<br>
> point you in peername_regex direction.<br>
> <br>
> Your configuiration has to have at least one cache_peer_access rule for<br>
> each cache_peer.<br>
> <br>
> <br>
> Sorry,<br>
> <br>
> Alex.<br>
> <br>
> <br>
> > but I got an error:<br>
> > ERROR: /etc/squid/conf.d/admin_allow_peer.conf, line 4: No cache_peer<br>
> > 'peer_group_162'<br>
> ><br>
> > Should I use http_access instead? I am not sure how to use it, because<br>
> > peer_group_162 is an ACL, not a cache_peer.<br>
> ><br>
> > Also, is my regex entry correct? I am not sure if \b is supported, and<br>
> > if I should add the -i flag or not.<br>
> ><br>
> > Thanks alot.<br>
> ><br>
> > On Wed, Dec 22, 2021 at 5:27 PM Alex Rousskov wrote:<br>
> ><br>
> > On 12/22/21 10:21 AM, roee klinger wrote:<br>
> ><br>
> > > I have a group of about 6 cache peers:<br>
> > ><br>
> > > cache_peer 100.70.162.11 parent 16211 0 proxy-only default<br>
> > name=proxy16211<br>
> > > cache_peer 100.70.162.12 parent 16212 0 proxy-only default<br>
> > name=proxy16212<br>
> > > cache_peer 100.70.162.13 parent 16213 0 proxy-only default<br>
> > name=proxy16213<br>
> > ><br>
> > > cache_peer 100.70.163.11 parent 16311 0 proxy-only default<br>
> > name=proxy16311<br>
> > > cache_peer 100.70.163.12 parent 16312 0 proxy-only default<br>
> > name=proxy16312<br>
> > > cache_peer 100.70.163.13 parent 16313 0 proxy-only default<br>
> > name=proxy16313<br>
> > ><br>
> > ><br>
> > > I would like to allow user162_acl access only to the peers<br>
> that ...<br>
> > > have a name that starts with proxy162<br>
> ><br>
> > According to documentation, a peername_regex ACL can do what<br>
> you want.<br>
> ><br>
> > Alex.<br>
> > _______________________________________________<br>
> > squid-users mailing list<br>
> > <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
> > <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>>><br>
> > <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>><br>
> > <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>>><br>
> ><br>
> <br>
<br>
</blockquote></div>