[squid-users] External ACL doesn't used
Amos Jeffries
squid3 at treenet.co.nz
Sat Jun 3 09:30:35 UTC 2023
On 3/06/2023 3:14 am, Alexeyяр Gruzdov wrote:
> So.ok. Looks like this is misconfig....
> I just restore from backup and now works well
>
Great to hear. I will answer your question below anyway to help avoid
future issues...
> пт, 2 июн. 2023 г. в 18:05, Alexeyяр Gruzdov:
>
> Hello Guys!
>
> Could you explain me case when the external acl couldn't to be run
> by squid.
>
There are three cases when an "external" type ACL has troubles:
1) when there are OS permission issues with the helper binary/script.
This can show up as either Squid not being allowed to run the helper, or
as the helper existing (maybe "crashing") when it tries to use forbidden
resources.
2) when the ACL is being checked in a "fast" group (aka synchronous)
access check
The helper lookup is asynchronous, so does not work inn the synchronous
checks. However there is a cache of previous helper checks which may
have the result - so long as there is an identical previous lookup whose
result has not yet reached its TTL, this cache can supply the answer. So
external ACL can have the **appearance** of working in simple tests or
some types of traffic.
3) when the ACL is used conditionally
Squid helpers are only started as-needed. Immediately after startup
there may be traffic that goes through which does not need to check the
external ACL, so the helper does not get started for a while. Also, as
mentioned above there is the helper cache, so at time there may also be
traffic that gets answered by that instead of waiting on the helper
lookup. At times both of these may be having an effect, for example
after a helper crash/exit or reconfigure of Squid.
HTH
Amos
More information about the squid-users
mailing list