[squid-users] How to use "cache", "store_miss" and "send_hit" directives?

Alex Rousskov rousskov at measurement-factory.com
Thu Oct 17 02:18:17 UTC 2019


On 10/16/19 7:17 PM, Robert Senger wrote:

> I need to encrypt browser->squid connection (on mobile devices). With
> squid 3.x, I used stunnel client on the mobile device and stunnel
> server on squid's machine. With squid 4.6, I wanted to get rid of
> stunnel server and use squid's https_port directive instead, but
> https_port + sslbump did not go together. So, I created a loop that
> forwarded https_port connections with a cache_peer directive to squid's
> own http_port. 

IIRC, this trick also creates problems for built-in cache_peer checks
that may fail because those checks start before Squid starts listening
on its own ports. This problem may be specific to SMP setups. YMMV.


> That worked, except for caching... The http_port ACLs
> never matched in the cache directive, instead, the https_port ACLs did,
> but that is not what I want and need. Some coincidence made that
> tcp_outgoing_address matched and routing was correct, anyway.


AFAICT, bugs notwithstanding, those ACLs should have matched in the
"cache" directive context, especially if they actually matched in the
tcp_outgoing_address context later.

Alex.



> On Wednesday, 16.10.2019, at 11:38 -0400, Alex Rousskov wrote:
>> On 10/16/19 10:38 AM, Robert wrote:
>>
>>> after upgrading to 4.6 from 3.x
>>> I am struggling with caching objects. The goal is to have objects
>>> requested by proxy-basic clients not to be cached, but objects
>>> requested by proxy-standard to be cached normally.
>>>
>>> Tried this:
>>>
>>>   cache deny proxy-basic
>>>   cache allow all
>>>
>>> And this:
>>>
>>>   cache allow proxy-standard
>>>   cache deny all
>>
>> Based on your description, you probably want the former or its simpler
>> version:
>>
>>     cache deny proxy-basic
>>
>>
>>> If I use ANY "cache ___" directive other than a (useless) "cache allow
>>> all", caching is completely disabled for all ACLs.
>>
>> FYI: Squid does not (yet) treat the "all" ACL specially -- Squid does
>> not ignore or automatically apply seemingly "useless" rules with it. If
>> you are getting correct results with "allow all" and incorrect results
>> with "allow foo", then your foo ACL does not match (in that specific
>> context). Why it does not match is a separate question.
>>
>>
>>> What am I doing wrong?
>>
>> Nothing that warrants discussing here IMO. I suggest trying the latest
>> v4 release and, if the problem is still there, filing a bug report. If
>> you can share a compressed ALL,7+ cache.log while reproducing the
>> problem with a single transaction, we may be able to triage this problem
>> faster. Squid wiki has instructions at
>> https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction
>>
>>
>> HTH,
>>
>> Alex.
>>
>>> I am using ACLs for different handling of clients connecting to
>>> different local ports:
>>>
>>>   acl proxy-basic localip 172.16.2.243
>>>   acl proxy-standard localip 172.16.3.243
>>>
>>> These ACLs are used to determine outgoing address, which are routed to
>>> different outgoing interfaces like this:
>>>
>>>   tcp_outgoing_address 172.16.3.244 proxy-basic
>>>   tcp_outgoing_address 172.16.4.244 proxy-standard
>>>
>>> This works as desired.
>>