<div dir="auto">Thank you very much for you answer and explanation </div><div dir="auto"><br></div><div dir="auto">Yep, I don’t use name “proxy” for annotations, it was just for example only . </div><div dir="auto"><br></div><div dir="auto">Bets regards!</div><div dir="auto">Alexg</div><div dir="auto"><br></div><div dir="auto"><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 26 Apr 2023 at 18:34, Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">On 4/26/23 08:08, Alexeyяр Gruzdov wrote:<br>
> Oh... Looks like I just need to send as answer the list of my policy <br>
> acl, for example<br>
> <br>
> user1 wanted to go over peer1 and peer3<br>
> the answer from external script must be like "OK proxy=peer1 <br>
> proxy=peer3" and looks like it works well like I need. User will go <br>
> over peer1 and peer3 only by round-robin.<br>
<br>
Instead of sending N same-name annotations to Squid, please try sending <br>
one annotation with a coma-separated list of N values:<br>
<br>
proxy=peer1,peer3,peer4<br>
<br>
Rationale: Even if your current N-annotation setup "works", it is <br>
essentially relying on undefined and/or questionable behavior that may <br>
change. Using N-value annotations, you are avoiding that problem.<br>
<br>
The "note" ACL has -m option that tells Squid to interpret the <br>
annotation value as a list:<br>
<br>
acl cleared_for_peer1 note -m proxy peer1<br>
acl cleared_for_peer2 note -m proxy peer2<br>
...<br>
<br>
<br>
And, again, avoid using "proxy" as the annotation name: That name is <br>
currently reserved for Squid own use. Use "proxy_" or any other name <br>
ending with an underscore character. IMO, we should change the <br>
policy/code to be more admin-friendly, but that change may not happen <br>
for a long time, and modern Squids will warn you about reserved names <br>
like "proxy": <br>
<a href="https://github.com/squid-cache/squid/commit/27c36771bf145c2f8ca1efab6743b9e087867ab5" rel="noreferrer" target="_blank">https://github.com/squid-cache/squid/commit/27c36771bf145c2f8ca1efab6743b9e087867ab5</a><br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
<br>
> ср, 26 апр. 2023 г. в 15:40, Alexeyяр Gruzdov:<br>
> <br>
> Hello!<br>
> Yes!<br>
> Thank you!<br>
> <br>
> <br>
> One more question pls:<br>
> <br>
> For example I have five of cache_peers and ACL associated with some<br>
> cache peer.<br>
> As you know - I used the my external ACL script and now I can put<br>
> the policy to answer fo my script and squid will get an answer and<br>
> used the correct ACL for username.<br>
> For example answer is "OK proxy=peer1" and user will be used the<br>
> cache_peer1, or if "OK proxy=all" and user will go over all of<br>
> cache_peers by round-robin.<br>
> All works well.<br>
> But how I can put something like a list of ACL for user ? for<br>
> example I want that some one user can go over peer1 and peer3 only,<br>
> by round robin, but will be denied over peer2. peer4, peer5. Of<br>
> course better using external ACL (as DB ). What do you think?<br>
> <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> пн, 24 апр. 2023 г. в 18:07, Alex Rousskov<br>
> <<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a><br>
> <mailto:<a href="mailto:rousskov@measurement-factory.com" target="_blank">rousskov@measurement-factory.com</a>>>:<br>
> <br>
> On 4/23/23 14:28, Alexeyяр Gruzdov wrote:<br>
> <br>
> > One more may be last thing: - I found the strange behavior <br>
> - if I make<br>
> > changes at my ext ACL script (its python ) and then "squid -k<br>
> > reconfigure" then I can see that my script appears in the<br>
> "TOP" of<br>
> > process and loads CPU to 100%<br>
> <br>
> Check how your ACL script reacts to stdin closure/EOF. The<br>
> script should<br>
> quit but probably does not. Same for any stdin reading errors.<br>
> On EOF,<br>
> the script should use exit code zero. All these things are easy<br>
> to test<br>
> on the command line (without Squid).<br>
> <br>
> Alex.<br>
> <br>
> > вс, 23 апр. 2023 г. в 16:36, Amos Jeffries<br>
> <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a> <mailto:<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>><br>
> > <mailto:<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a> <mailto:<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>>>>:<br>
> ><br>
> > On 23/04/2023 5:27 pm, Alexeyяр Gruzdov wrote:<br>
> > > Hello Guys!<br>
> > > Thank you very much! For now all works like I needed!<br>
> > ><br>
> > > But I have an one more questions about how I could to<br>
> use the<br>
> > kv-pair:<br>
> > ...<br>
> > > and then ACL with “note proxy all “<br>
> > > But how the kv-pair must to be looked for this my tag ?<br>
> > ><br>
> > > I have tried to get answer from my ext script like<br>
> > > “OK”<br>
> > > “proxy=all”<br>
> > ><br>
> > > But looks like it’s not correct<br>
> > ><br>
> ><br>
> > This part of the instructions were missed:<br>
> ><br>
> <a href="https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols</a> <<a href="https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols</a>><br>
> > <br>
> <<a href="https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols</a> <<a href="https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols</a>>><br>
> > "<br>
> > For every line sent by Squid exactly one line is expected<br>
> back. Some<br>
> > script language such as perl and python need to be<br>
> careful about the<br>
> > number of newlines in their output.<br>
> > "<br>
> ><br>
> > If your helper received something like this (with concurrency<br>
> > channel-id<br>
> > "1"):<br>
> ><br>
> > "1 bob 192.0.2.1"<br>
> ><br>
> > It should produce a line like:<br>
> > "1 OK proxy=all"<br>
> ><br>
> > If no concurrency channel-id is received, then output is<br>
> the same but<br>
> > without sending channel-id back and MUST be sent in same<br>
> order as<br>
> > received.<br>
> ><br>
> > I do recommend using concurrency. It can help further<br>
> debug issues with<br>
> > helpers responding incorrectly.<br>
> ><br>
> > HTH<br>
> > Amos<br>
> ><br>
> > _______________________________________________<br>
> > squid-users mailing list<br>
> > <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
> > <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>>><br>
> > <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>><br>
> > <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>>><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > squid-users mailing list<br>
> > <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
> > <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>><br>
> <br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <mailto:<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a>><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
> <<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a>><br>
> <br>
> <br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div></div>