[squid-dev] Validate Config before reload
Francesco Chemolli
gkinkie at gmail.com
Mon Sep 23 13:20:08 UTC 2024
On Mon, Sep 23, 2024 at 1:27 PM Stuart Henderson
<stu.lists at spacehopper.org> wrote:
>
> On 2024-09-23, Rick Rackow <rick at rackow.io> wrote:
> > Hey Team,
> > We have the following scenario: we get a list of IPs from an external service, add them to our squid ACLs via a cronjob and then in the same cronjob also reload squid. In this scenario it can happen that occasionally we get some nonsense response from the external service and that lands in the config, causing the config file to be invalid. Now if we do `systemctl reload squid` squid crashes on the restart because the config is invalid and thereafter can’t be restarted without explicitly stating `systemctl start squid`.
> >
> > The question is, has it been considered to validate the config file before performing the actual reload, so there’s no disruption to squid if there was a working config beforehand?
>
> That's easy to do from your cronjob: write the new config to a temporary
> file, check it with "squid -f $filename -k parse", only move into place
> and reload if ok.
Note however that will only protect from malformed configuration
candidates, not from configuration candidates that, while being
syntactically well formed, contain gibberish. For that you probably
want to do something like having some guard values that, if not
present, alert/fail the reconfigure test.
--
Francesco
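
The two checks discussed in this thread ("squid -f $filename -k parse" on a temporary file, then guard values) combined into one cron-side shell script. This is an added example, not code from the posters or the Squid project; the guard lines, the default paths and the SQUID_BIN, RELOAD_CMD, LIVE_CONF and GUARDS variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate a squid reload on a syntax check plus guard values.
# Hypothetical names: SQUID_BIN, RELOAD_CMD, LIVE_CONF, GUARDS and their defaults.

SQUID_BIN="${SQUID_BIN:-squid}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload squid}"
LIVE_CONF="${LIVE_CONF:-/etc/squid/squid.conf}"
# Guard values (constructed): one line per entry that every sane config must
# contain verbatim, e.g. an address the external service always returns.
GUARDS="${GUARDS:-acl partners src 192.0.2.10
http_access deny all}"

# has_guards FILE: succeed only if every guard appears as a whole line in FILE.
has_guards() {
    while IFS= read -r guard; do
        [ -n "$guard" ] || continue
        grep -qxF -- "$guard" "$1" || { echo "missing guard: $guard" >&2; return 1; }
    done <<EOF
$GUARDS
EOF
}

# validate_candidate FILE: syntax check with "squid -k parse", then guard check.
validate_candidate() {
    "$SQUID_BIN" -f "$1" -k parse >/dev/null 2>&1 ||
        { echo "parse failed: $1" >&2; return 1; }
    has_guards "$1"
}

# deploy_candidate FILE: move FILE into place and reload only if it validates.
# Create FILE in the same directory as LIVE_CONF so the mv is a rename.
deploy_candidate() {
    validate_candidate "$1" || return 1
    if [ -f "$LIVE_CONF" ]; then cp -p "$LIVE_CONF" "$LIVE_CONF.bak"; fi
    mv "$1" "$LIVE_CONF" && $RELOAD_CMD
}

# Cron usage: script.sh /etc/squid/squid.conf.candidate
if [ "$#" -gt 0 ]; then deploy_candidate "$1"; fi
```

A non-zero exit leaves the live config and the running squid untouched, so the cronjob can alert on it instead of reloading.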