[squid-dev] [PATCH] External ACL helpers error handling & caching
Christos Tsantilas
christos at chtsanti.net
Mon Jan 9 11:49:19 UTC 2017
The helper protocol for external ACLs [1] defines three possible return
values:
  OK  - Success. ACL test matches.
  ERR - Success. ACL test fails to match.
  BH  - Failure. The helper encountered a problem.
The external acl helpers distributed with squid currently don't follow
this definition. For example, upon connection error, ERR is returned:
$ ext_ldap_group_acl ... -d
ext_ldap_group_acl: WARNING: could not bind to binddn 'Can't contact
LDAP server'
ERR
This does not allow distinguishing between "no match" and "error" either,
and therefore "ERR" is negatively cached, also in the case of an error.
Moreover there are multiple problems inside squid when trying to handle
BH responses:
- Squid-5 and squid-4 retry requests for BH responses but crash
after the maximum retry number (currently 2) is reached.
- If an external acl helper always returns BH (e.g. because the LDAP
server is down), squid sends new requests to the helper infinitely.
This patch fixes the problems described above.
This is a Measurement Factory project.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-260-ext_ldap_group_acl-error-handling-t2.patch
Type: text/x-patch
Size: 47288 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170109/563b9cb3/attachment-0001.bin>
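The OK/ERR/BH distinction from the message above, as an added Python example that is not taken from the attached patch or from Squid's source. The caller class, the sample directory and all names are hypothetical; only the three result codes and the retry limit of 2 come from the message.

```python
# Added illustration: not Squid or ext_ldap_group_acl source code.
class BackendError(Exception):
    """The directory could not be consulted (e.g. LDAP server unreachable)."""
def strict_reply(lookup, user, group):
    """Helper side: OK = match, ERR = no match, BH = helper had a problem."""
    try:
        return "OK" if lookup(user, group) else "ERR"
    except BackendError:
        return "BH"

def legacy_reply(lookup, user, group):
    """Behaviour the message describes: a backend error is reported as ERR."""
    reply = strict_reply(lookup, user, group)
    return "ERR" if reply == "BH" else reply

class AclCaller:
    """Hypothetical caller: caches OK/ERR, never BH; bounded retries on BH."""
    def __init__(self, reply_fn, lookup, max_retries=2):
        self.reply_fn, self.lookup, self.max_retries = reply_fn, lookup, max_retries
        self.cache, self.helper_calls = {}, 0

    def check(self, user, group):
        key = (user, group)
        if key in self.cache:
            return self.cache[key]
        for _ in range(1 + self.max_retries):
            self.helper_calls += 1
            reply = self.reply_fn(self.lookup, user, group)
            if reply != "BH":
                self.cache[key] = reply
                return reply
        return "BH"  # nothing cached; the next check asks the helper again

class Directory:
    """Constructed sample backend that can be switched 'down'."""
    up, members = True, {("alice", "staff")}
    def __call__(self, user, group):
        if not self.up:
            raise BackendError("can't contact directory")
        return (user, group) in self.members

def outage_then_recovery(reply_fn):
    """Check during an outage, then after recovery: (during, after, helper calls)."""
    directory = Directory()
    directory.up = False
    caller = AclCaller(reply_fn, directory)
    during = caller.check("alice", "staff")
    directory.up = True
    return during, caller.check("alice", "staff"), caller.helper_calls
```

With `legacy_reply` the outage is cached as a "no match", so the member is still reported as ERR after the directory is back; with `strict_reply` the BH is retried a bounded number of times, not cached, and the next check returns OK.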