[squid-users] Cache peer selection with duplicate host names
Amos Jeffries
squid3 at treenet.co.nz
Mon Apr 24 02:57:45 UTC 2017
On 24/04/17 14:12, squid-users wrote:
> Hi Squid users,
>
> I'm having some trouble understanding Squid's peer selection algorithms, in
> a configuration where multiple cache_peer lines reference the same host.
>
> The background to this is that we wish to present cache service using
> multiple accounts at an upstream provider, with account selection taking
> place based on the local TCP port (8080, 8181, 8282) the request arrived on.
>
> First we define the cache peers:
>
> cache_peer proxy.myisp.net parent 8080 0 login=staffuser:abc123 no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Staff
> cache_peer proxy.myisp.net parent 8080 0 login=guestuser:abc123 no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Guest
> cache_peer proxy.myisp.net parent 8080 0 login=PASS no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Student
>
> Then lock access down:
>
> acl localport_Staff localport 8282
> acl localport_Guest localport 8181
> acl localport_Student localport 8080

localport is taken from the TCP connection arriving into Squid. It may
be different to the Squid listening port.

So what are your http(s)_port lines?

> cache_peer_access Staff allow localport_Staff !localport_Guest !localport_Student
> cache_peer_access Guest allow localport_Guest !localport_Staff !localport_Student
> cache_peer_access Student allow localport_Student !localport_Guest !localport_Staff

You do not need these !blah pieces. No single TCP connection can have
multiple destination ports. So when one of your ACLs matches, the others
cannot be matches.

> To reproduce the error, first a connection is made with wget to tcp port
> 8282:
>
> http_proxy=http://10.159.192.24:8282/ wget www.monash.edu --delete-after
>
> Squid selects the Staff profile as expected:
>
> 1492999376.993 811 10.159.192.26 TCP_MISS/200 780195 GET http://www.monash.edu/ - FIRSTUP_PARENT/Staff text/html "EDU%20%20%20en" "Wget/1.12 (linux-gnu)"
>
> Then another connection is made, this time to port 8080:
>
> http_proxy=http://10.159.192.24:8080/ wget www.monash.edu --delete-after
>
> But instead of the desired Student profile being selected, the Staff profile
> is still used instead:
>
> 1492999405.953 338 10.159.192.26 TCP_MISS/200 780195 GET http://www.monash.edu/ - FIRSTUP_PARENT/Staff text/html "EDU%20%20%20en" "Wget/1.12 (linux-gnu)"
>
> I had a look in the cache.log with debug_options 44,6 enabled. None of the
> messages reference the contents of the name= parameter in the cache_peer
> lines; only hostnames and IP addresses are mentioned. I suspect that the
> peer selection algorithms have changed since Squid 3.1, whereby peers are
> now selected based on hostname (or IP address) rather than the name defined
> in the cache_peer line. Is this correct?

No, the peer selection still works based on the name. But that name now
gets translated to a list of IP:port destinations that can be tried by
the forwarding logic.

I think what you are seeing is the side effect of the peers all having
the same IP:port details versus HTTP persistent connections. When the
forwarding logic looks for an open persistent connection for the Student
IP:port it might get handed the existing Staff connection - since they
both have the same IP:port they are the same server as far as HTTP is
concerned.

You could try turning persistence to servers off
<http://www.squid-cache.org/Doc/config/server_persistent_connections/>

... or using a different port for each of the cache_peer lines and
NAPT'ing them on the outgoing TCP connections back to what the upstream
peer actually uses.

Amos
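
Added example, not part of the original message or of the Squid project's documentation: a squid.conf sketch that applies the first suggestion in the reply above (server-side persistence off) together with the simplified cache_peer_access rules. The http_port lines are an assumption, since the original post does not show them; everything else is taken from the quoted configuration.

```conf
# Listening ports. ASSUMED: the original post never shows its http_port
# lines, only the three port numbers clients connect to.
http_port 8080
http_port 8181
http_port 8282

# Three logical peers that all resolve to the same upstream IP:port and
# differ only in the login= credentials and the name= label.
cache_peer proxy.myisp.net parent 8080 0 login=staffuser:abc123 no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Staff
cache_peer proxy.myisp.net parent 8080 0 login=guestuser:abc123 no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Guest
cache_peer proxy.myisp.net parent 8080 0 login=PASS no-query no-digest no-netdb-exchange connect-timeout=1 connect-fail-limit=2 name=Student

# One ACL per arrival port.
acl localport_Staff   localport 8282
acl localport_Guest   localport 8181
acl localport_Student localport 8080

# A connection has exactly one destination port, so the negated ACLs from
# the original configuration are redundant and are dropped here.
cache_peer_access Staff   allow localport_Staff
cache_peer_access Guest   allow localport_Guest
cache_peer_access Student allow localport_Student

# The peers share one IP:port, so an idle connection opened for one peer
# can be handed to a request selected for another. Turning server-side
# persistence off makes every request open its own upstream connection.
# Cost: one TCP handshake to the parent per request.
server_persistent_connections off
```

To check the result, repeat the two wget requests from the original post (port 8282, then port 8080) and confirm that the second access.log entry now shows FIRSTUP_PARENT/Student rather than FIRSTUP_PARENT/Staff.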