[squid-dev] A new 'has' ACL

Amos Jeffries squid3 at treenet.co.nz
Mon May 1 04:03:34 UTC 2017


On 01/05/17 01:05, Eduard Bagdasaryan wrote:
> Hello,
>
>
> I am working on a new 'has' ACL:
>
>   acl aclname has <component>
>
> where "component" is one of the following three tokens: request, 
> response, or ALE.
> For example:
>
>   acl hasRequest has request
>
> Multiple components on one ACL line are not supported because they
> would have to be ORed and ORing components would probably go against
> admin expectations in most cases:
>
>   acl hasWhatMyLoggingDaemonNeeds has request response # XXX: Likely to be wrong!
>
> Multiple same-name ACL lines would still be ORed to support arguably
> rare use cases where ORing is appropriate:
>
>   # OK, this strange logging daemon needs request or response,
>   # but can work without either a request or a response:
>   acl hasWhatMyLoggingDaemonNeeds has request
>   acl hasWhatMyLoggingDaemonNeeds has response
>
> This new ACL addresses a TODO in item #3 of trunk revision 14752,
> adding that 'missing' configuration option.
>
> For example, the following configuration:
>
>   acl logMe note important_transaction
>   access_log ... logformat=detailed logMe
>
> gives such 'noise' warning messages:
>
>   2017/01/06 12:54:46 kid2| WARNING: logMe ACL is used in context without an HTTP request. Assuming mismatch.
>   2017/01/06 12:54:46 kid1| WARNING: logMe ACL is used in context without an HTTP request. Assuming mismatch.
>
> Once the "has" ACL is available, the admin can do either:
>
>   acl logMe note important_transaction
>   access_log ... logformat=detailed hasRequest logMe
>
>   or even
>
>   acl logMe note important_transaction
>   access_log ... logformat=detailed hasRequest logMe
>   access_log ... logformat=brief !hasRequest logMe
>
>  If you think these specs miss something important, let's discuss.
>

Thank you for working on this.


Is there an explicit need you have found for ALE to be on the component 
list?
Since ALE is currently standing in as a "master transaction" object for 
most of the Squid code, it needs to be either created or 
provided/fetched from elsewhere whenever it is used. Having an ACL that 
bypasses that would defeat bug-finding of places where it is broken.

Amos
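
A toy model of the evaluation discussed in this thread, as an added example that is not part of either message and is not Squid code: it shows why putting hasRequest ahead of logMe on an access_log line suppresses the warning, and how same-name 'has' lines are ORed. Assumptions: the function names, the dict standing in for a transaction, the note ACL modelled as a lookup in a set of request annotations, and left-to-right ANDing that stops at the first mismatch.

```python
# Added illustration, not Squid source: AND across a rule, OR across same-name lines.
COMPONENTS = ("request", "response", "ALE")
WARNING = "WARNING: {} ACL is used in context without an HTTP request. Assuming mismatch."

# Constructed configuration built from the ACL lines quoted in the thread.
CONFIG = """
acl hasRequest has request
acl logMe note important_transaction
acl hasWhatMyLoggingDaemonNeeds has request
acl hasWhatMyLoggingDaemonNeeds has response
"""

def parse_acls(config):
    """Collect 'acl name type args' lines; same-name lines accumulate."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0] != "acl":
            continue
        name, kind, args = tokens[1], tokens[2], tokens[3:]
        if kind == "has" and (len(args) != 1 or args[0] not in COMPONENTS):
            raise ValueError(f"{name}: 'has' takes exactly one of {COMPONENTS}")
        acls.setdefault(name, []).append((kind, args))
    return acls

def match_acl(name, acls, tx, warnings):
    """tx maps component name -> object (missing or None when absent)."""
    for kind, args in acls[name]:              # OR over same-name lines
        if kind == "has" and tx.get(args[0]) is not None:
            return True
        if kind == "note":
            request = tx.get("request")
            if request is None:                # the noisy case from the thread
                warnings.append(WARNING.format(name))
                return False
            if args[0] in request["notes"]:
                return True
    return False

def rule_matches(rule, acls, tx):
    """Evaluate the ACL names of one access_log line, left to right."""
    warnings = []
    for token in rule.split():
        negate = token.startswith("!")
        if match_acl(token.lstrip("!"), acls, tx, warnings) == negate:
            return False, warnings             # stop at the first mismatch
    return True, warnings

if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    no_request = {"response": {"status": 503}}  # constructed transaction
    print(rule_matches("logMe", acls, no_request))
    print(rule_matches("hasRequest logMe", acls, no_request))
```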


