[squid-dev] [PATCH] transaction_initiator ACL for detecting various unusual transactions
Amos Jeffries
squid3 at treenet.co.nz
Sat Jun 10 13:02:06 UTC 2017
On 08/06/17 22:41, Christos Tsantilas wrote:
> This ACL is essential in several use cases, including:
>
> * After fetching a missing intermediate certificate, Squid uses the
> regular cache (and regular caching rules) to store the response. Squid
> deployments that do not want to cache regular traffic need to cache
> fetched certificates and only them.
>
>     acl fetched_certificate transaction_initiator certificate-fetching
>     cache allow fetched_certificate
>     cache deny all
>
> * Many traffic policies and tools assume the existence of an HTTP
> client behind every transaction. Internal Squid requests violate that
> assumption. Identifying internal requests protects external ACLs, log
> analysers, and other mechanisms from the transactions they mishandle.
>
>     acl skip_logging transaction_initiator internal
>     access_log ... !skip_logging
>
>
> The new transaction_initiator ACL classifies transactions based on
> their initiator. Currently supported initiators are esi,
> certificate-fetching, cache-digest, internal, client, and all. In the
> future, the same ACL will be able to identify HTTP/2 push transactions
> using the "server" initiator. See src/cf.data.pre for details.
>
> This is a Measurement Factory project.
+1, though could you please separate the redesign of the urlParse*() API
from the ACL addition? They are changes that can be done in either order
and are not interdependent. In fact the urlParse change is almost identical
to one of the steps already taken in the class URI refactoring branch
years back and long overdue for merging.

Amos