[squid-users] grouping multiple cache peers possible?
roee klinger
roeeklinger60 at gmail.com
Wed Dec 22 19:29:05 UTC 2021
>
> Consider merging multiple cache_peer_access rules for the same
> cache_peer into one rule (using all-of and any-of ACLs).
That is a great tip, thanks!

> You can also outsource peer selection to an external ACL, leaving one
> simple cache_peer_access rule (with a single note ACL) for each
> cache_peer in squid.conf.
Actually, I am already doing this; however, there is still a long list of
cache_peer, cache_peer_access, cache_peer_deny rules, and note ACL rules
to make sure every user goes to the right place. As you mentioned, this is
not a CPU-friendly approach either, so I will give serious thought
to modifying the Squid code.
Thank you,
Roee.
On Wed, Dec 22, 2021 at 8:53 PM Alex Rousskov <
rousskov at measurement-factory.com> wrote:
> On 12/22/21 11:56 AM, roee klinger wrote:
>
> > Currently, Squid is a bit problematic when dealing with many cache_peers,
> > it requires a lot of configurations for each cache_peer, which makes the
> > configuration file big and takes a performance toll.
>
> Consider merging multiple cache_peer_access rules for the same
> cache_peer into one rule (using all-of and any-of ACLs).
>
> You can also outsource peer selection to an external ACL, leaving one
> simple cache_peer_access rule (with a single note ACL) for each
> cache_peer in squid.conf.
>
> And with some Squid code modifications, one can even let an external ACL
> select the cache_peer to use without extra cache_peer_access checks.
> This feature would be similar to the existing X-Next-Services routing
> functionality in Squid adaptation code.
>
> Finally, one can invest into optimizing/fixing Squid code to eliminate
> unnecessary repeated cache_peer_access checks, probably saving a lot of
> CPU cycles for Squid instances with many (or complex) cache_peer_access
> rules.
>
>
> Cheers,
>
> Alex.
>
> > On Wed, Dec 22, 2021 at 6:44 PM Alex Rousskov wrote:
> >
> > On 12/22/21 11:29 AM, roee klinger wrote:
> > > cache_peer 100.70.162.11 parent 16211 0 proxy-only default name=proxy16211
> > > cache_peer 100.70.162.12 parent 16212 0 proxy-only default name=proxy16212
> > > cache_peer 100.70.162.13 parent 16213 0 proxy-only default name=proxy16213
> > > acl peer_group_162 peername_regex -i proxy162.*\b
> > >
> > > Followed by:
> > > cache_peer_access peer_group_162 allow admin162
> >
> > According to documentation, the cache_peer_access directive requires a
> > peer name (or a peer host name) as the second parameter. Your
> > configuration is using a string "peer_group_162", which is not a name of
> > any cache_peer.
> >
> > AFAICT, while you can use peername_regex to _match_ a group of
> > cache_peers, you still have to name a specific peer as the second
> > parameter of the cache_peer_access rule. That effectively defeats the
> > purpose of using peername_regex in this case! It was wrong for me to
> > point you in peername_regex direction.
> >
> > Your configuration has to have at least one cache_peer_access rule for
> > each cache_peer.
> >
> >
> > Sorry,
> >
> > Alex.
> >
> >
> > > but I got an error:
> > > ERROR: /etc/squid/conf.d/admin_allow_peer.conf, line 4: No cache_peer 'peer_group_162'
> > >
> > > Should I use http_access instead? I am not sure how to use it, because
> > > peer_group_162 is an ACL, not a cache_peer.
> > >
> > > Also, is my regex entry correct? I am not sure if \b is supported, and
> > > if I should add the -i flag or not.
> > >
> > > Thanks a lot.
> > >
> > > On Wed, Dec 22, 2021 at 5:27 PM Alex Rousskov wrote:
> > >
> > > On 12/22/21 10:21 AM, roee klinger wrote:
> > >
> > > > I have a group of about 6 cache peers:
> > > >
> > > > cache_peer 100.70.162.11 parent 16211 0 proxy-only default name=proxy16211
> > > > cache_peer 100.70.162.12 parent 16212 0 proxy-only default name=proxy16212
> > > > cache_peer 100.70.162.13 parent 16213 0 proxy-only default name=proxy16213
> > > >
> > > > cache_peer 100.70.163.11 parent 16311 0 proxy-only default name=proxy16311
> > > > cache_peer 100.70.163.12 parent 16312 0 proxy-only default name=proxy16312
> > > > cache_peer 100.70.163.13 parent 16313 0 proxy-only default name=proxy16313
> > > >
> > > >
> > > > I would like to allow user162_acl access only to the peers that ...
> > > > have a name that starts with proxy162
> > >
> > > According to documentation, a peername_regex ACL can do what you want.
> > >
> > > Alex.
> > >
> >
>
>
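
The thread concludes that every cache_peer needs its own cache_peer_access rule, so a peer "group" has to be expanded into per-peer rules before Squid reads the configuration. The script below is an added example, not part of the original messages or of Squid: it reads cache_peer lines, selects peers by a name pattern, and emits one rule per peer. The pattern `^proxy162`, the ACL name `admin162` and the function names are assumptions made for the example.

```python
import re

# Constructed sample: the cache_peer lines quoted in the thread.
SAMPLE_CONF = """\
cache_peer 100.70.162.11 parent 16211 0 proxy-only default name=proxy16211
cache_peer 100.70.162.12 parent 16212 0 proxy-only default name=proxy16212
cache_peer 100.70.162.13 parent 16213 0 proxy-only default name=proxy16213
cache_peer 100.70.163.11 parent 16311 0 proxy-only default name=proxy16311
cache_peer 100.70.163.12 parent 16312 0 proxy-only default name=proxy16312
cache_peer 100.70.163.13 parent 16313 0 proxy-only default name=proxy16313
"""


def peer_names(conf_text):
    """Return the name of every cache_peer line, in file order."""
    names = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2 or fields[0] != "cache_peer":
            continue
        # name=... wins; without it the peer is identified by its hostname.
        name = next((f[5:] for f in fields[2:] if f.startswith("name=")), fields[1])
        names.append(name)
    return names


def expand_group(conf_text, name_pattern, user_acl):
    """Emit one cache_peer_access rule per peer: allow user_acl on peers whose
    name matches name_pattern, deny it on every other peer."""
    group = re.compile(name_pattern, re.IGNORECASE)
    rules = []
    for name in peer_names(conf_text):
        action = "allow" if group.search(name) else "deny"
        rules.append(f"cache_peer_access {name} {action} {user_acl}")
    return rules


if __name__ == "__main__":
    # "^proxy162" and "admin162" are assumptions for this example; admin162
    # must already be defined as an ACL elsewhere in squid.conf.
    print("\n".join(expand_group(SAMPLE_CONF, r"^proxy162", "admin162")))
```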