[squid-dev] [PATCH] Some failed transactions are not logged

Eduard Bagdasaryan eduard.bagdasaryan at measurement-factory.com
Wed Jul 20 14:44:29 UTC 2016


 >   2016-07-20 7:36 GMT+03:00 Amos Jeffries <squid3 at treenet.co.nz>:
 >On 20/07/2016 5:01 a.m., Alex Rousskov wrote:
 >> On 07/19/2016 08:10 AM, Amos Jeffries wrote:
 >>> On 20/07/2016 1:44 a.m., Eduard Bagdasaryan wrote:
 >>>> 2016-07-19 16:17 GMT+03:00 Amos Jeffries:
 >>>>> Is this patch going to include the new config option to prevent 
logging
 >>>>> the new things? or do it in a followup?
 >>>>
 >>>> For now we are not planning to add this option(that is why 
initially the
 >>>> patch did not perform logging for "no-bytes" connections).
 >>>> Probably there should be a (new?) ACL, controlling number of received
 >>>> bytes(instead of separate option). If so, implementing this requires
 >>>> solving non-trivial separate task.
 >>
 >>> Okay. I was just thinking an on/off directive for now. So people could
 >>> restore the old behaviour, or go ahead with the new logs.
 >>
 >> An ACL is the right way to control what gets logged -- this is the
 >> access_log configuration interface we already support. If no existing
 >> ACL(s) can match the transactions we want users to be able to match,
 >> then we need to add more ACL(s). I suspect those new ACL(s) would be
 >> useful for more than logging.
 >>
 >> A new config directive is not something we can add "for now" -- it would
 >> have to be maintained for a long time while the overlap between the
 >> existing ACL-driven interface and the new directive will cause pains for
 >> developers, documentation writers, and admins.
 >>
 >>
 >> Which ACL(s) to add depends on the final version of the new logging
 >> code, requires careful thinking, and may require non-trivial
 >> development. We want to keep all of that outside this project scope.
 >> Amos, if we assume that this patch does not add new ACLs or directives,
 >> are you happy with what it logs now or do you want Eduard to exclude
 >> something?
 >>
 >
 >Hmm. Good point.
 >
 >The 'problem' with ACLs was not the lack of checks, it is that the URL
 >ones we already have use exclusively the HttpRequest URL and complain
 >when one is not existing. It might be easier to extend those to use the
 >error:* URL, in the same way the log itself is getting it for display.
 >
 >>
 >>> I'll give Alex another day to point out any issues, with intention to
 >>> apply this in ~24hrs.
 >>
 >> Thank you.
 >>
 >>
 >>> error:accept-user-connection
 >>
 >> vs. recently discussed
 >>
 >>> annotate_client or annotate_client_connection
 >>
 >> All of these are about the same kind of connection to a Squid
 >> protocol_port. Should we use "user" or "client"? I do not think just
 >> "annotate_user" works because folks will think it is about the
 >> [authenticated] user [agent] as a whole.
 >
 >Agreed. User is a specific subset of client. That 'does it require a
 >person' is the first filter I am applying whenever anyone suggests
 >"user" for anything.
 >
 >
 >> Thus, we have the following
 >> naming options:
 >>
 >> 1) error:accept-user-connection and annotate_user_connection
 >>
 >> 2) error:accept-client-connection and annotate_client
 >>
 >> 3) error:accept-client-connection and annotate_client_connection
 >>
 >>
 >> FYI: I found a few references to "user" and ~30 references to "client"
 >> in squid.conf directives and ACLS:
 >>
 >> * user_max_ip, user_cert, ext_user, ftp_user, and cache_effective_user;
 >>
 >> * client_dst_passthru, client_delay_*, *_uses_indirect_client,
 >> client_db, client_idle_pconn_timeout, client_ip_max_connections,
 >> client_lifetime, client_netmask, client_persistent_connections, and
 >> client_request_buffer_max_size.
 >>
 >> Given the above, (2) or (3) seems like a better choice. Amos, please
 >> pick one or confirm that you still want (1).
 >>
 >
 >My inbox(es) contain no mention of these annotate_client / annotate_user
 >you speak of being discussed. And my memory is also drawing a bank right
 >now.
 >
 >The latest proposed patch of this thread failed the filter mentioned
 >above for me. I'm asking for "error:accept-client-connection", which
 >would be (2) or (3) of your offered list.
 >
 >
 >>
 >>> +    // do not log connections that closed after a transaction (it 
is normal)
 >> ...
 >>> +    // XXX: TLS bytes are consumed without going through inBuf
 >>> +    // XXX: PROXY protocol bytes are consumed without going 
through inBuf
 >>> +    if (receivedFirstByte_ && inBuf.isEmpty())
 >>> +        return;
 >>
 >> Given the new condition, I would do:
 >>
 >>> // do not log connections that closed after a transaction (it is 
normal)
 >>> // TODO: access_log needs ACLs to match received-no-bytes connections
 >>> // XXX: TLS may return here even though we got no transactions yet
 >>> // XXX: PROXY protocol may return here even though we got no 
transactions yet
 >>> if (receivedFirstByte_ && inBuf.isEmpty())
 >>>     return;
 >>
 >
 >That works for me. +1.
 >
 >>
 >> I have not checked PROXY, but TLS is tricky because, AFAICT, it sets
 >> receivedFirstByte_ to true but may later _reset_ it back to false:
 >>
 >>> // Also reset receivedFirstByte_ flag to allow this timeout work in 
the case we
 >>> // a bumbed "connect" request on non transparent port.
 >>> receivedFirstByte_ = false;
 >>
 >> I would keep those XXXs vague until somebody investigates and addresses
 >> them completely. I suspect we will need to split receivedFirstByte_ into
 >> receivedFirstTransactionByte_ and receivedFirstRawByte_ or perhaps byte
 >> counters for each (and ACLs that can match their ranges).
 >
 >Nod. I had exactly that same thought. :-)

Amos,
just to clarify: any more touches from my side?


Eduard.


More information about the squid-dev mailing list