On Mon, 17 Apr 2000, Murphy Terrance M wrote:
]Can someone point me to some info on using dst_as acl's to use another
]cache for certain domains?
Autonomous systems (AS) are unrelated to domains. Ok, yes, you could
possibly combine a dst_as and a dstdomain ACL for cache routing.
]I see the info in the squid.conf default, but I don't see how to define
]the destination domain with reference to the AS number that is used to
]define the acl.
Ok, I will show it with the current scenario at the new German Research
Network caches:
I don't want my sibling caches to ask me for objects from my own
autonomous system(s) - regardless of any domain name - because the
backbone is (mostly) fast enough for them to fetch within-AS objects
themselves. Experience has shown that for most within-AS objects, latency
is also decreased. Also, I don't want to spend cache space on such "cheap"
objects.
Using networks would have me type in over 300 networks, and update them
regularly. Not feasible! Using domain names would use some very odd
constructs which does not catch all, or catches too many domains; as a
basic rule: de != de
Therefore, I recommend to my sibling caches to use the following constructs
when configuring their caches (several steps involved):
-- acl whois proto whois always_direct allow whois First of all, you have to tell any Squid >= 2.3 to go directly for fetching whois objects. Otherwise, it will query a parent using a "whois://" scheme, which most parents, including Squid, do not (correctly) answer to. as_whois_server <any.radb.compatible.mirror> If you life close enough to the US, you need *not* configure the as_whois_server - the RA whois server is default. Otherwise, I would strongly suggest to set up your own RADB service/mirror, for software and instructions see: http://www.irrd.net/ The daemon *must* be capable of answering to the extended RA syntax. You can check any daemon in your vicinity like this: > $ telnet <your.whois.server> 43 Trying .... Connected to ... Escape character is '^]'. > !gas3 < A42 < 192.233.33.0/24 18.0.0.0/8 128.52.0.0/16 < C Connection closed by foreign host. ">" is what you type (ok, "$" is your shell prompt), and "<" is what the server answers. If you do not see any CIDR networks as answer, the daemon is not capable of the extended RA syntax, and can *not* be used for Squid. For instance, the RIPE daemon can *not* be used for Squid. Try another. acl dst_dfn dst_as 553 1275 1754 5520 8450 always_direct allow dst_dfn Finally, the dst_dfn ACL above contains the known AS numbers (ASNs) from the German research network - yes, for political, administratory and other reasons there are more than one. Note that Squid will resolve these AS number *once* *during* *startup* into the accompanying networks. E.g. for the above ASNs, it will issue five requests to my whois mirror, resolving the ASNs into roundabout 400 networks. Those networks will eventually be used in the ACLs. Using ASNs saves me the hassle of configuring hundreds of networks, and keeping them up to date. Our NOC keeps their networks up to date with the IRR, and I get my date from the IRR. It is not perfect, but reasonably fresh for the purpose. Restarting Squid once a week keeps the ASNs derived networks up to date. no_cache deny dst_dfn If the sibling caches decide to use their own cache space for more "valuable" objects, they can use the "no_cache" option to disable storing within-AS objects. The parents which I administer also have the "no_cache deny dst_dfn" activated. Thus, it will do my siblings no good *if* they ask me for objects from within our ASNs. --- ]Can someone point me to some info on using dst_as acl's to use another ]cache for certain domains? Well, coming back to your original question, you could, of course, define any other ACL, including a dstdomain ACL, and combine all ACLs, like any other Squid ACL, into rules for cache routing. For instance, if you'd be, hypothetically speaking, peering with us, you could say: [ ... ASNs from above ... ] # this list is *not* exhaustive, it is an *example* acl europe dstdomain .ad .at .ba .be .bg .ch .cy .cz .de .dk .ee .es .fi .fo .fr .gb .gi .gr .hr .hu .is .ie .it .li .lu .mc .mk .md .mt .nl .no .pl .pt .ro .se .si .sk .sm .tr .uk .va cache_peer_access <some.cache_peer.host> allow europe !dst_dfn I hope this helps. Should this be turned into a more general recipe in the FAQ? I am using AS based cache routing now for quite some time, and it is working rather well. Le deagh dhùrachd, Dipl.-Ing. Jens-S. Vöckler (voeckler@rvs.uni-hannover.de) Institute for Computer Networks and Distributed Systems University of Hanover, Germany; +49 511 762 4726Received on Tue Apr 18 2000 - 03:12:39 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:52:58 MST