Re: [squid-users] delay_access and external_acl

From: Sergey Shepshelevich <sergey@dont-contact.us>
Date: Thu, 31 Mar 2005 18:53:09 +0400

On Wed, Mar 30, 2005 at 10:42:36PM +0200, Henrik Nordstrom wrote:
> On Wed, 30 Mar 2005, Sergey Shepshelevich wrote:
>
> >But does any other documentation exist about which acl types are allowed
> >with delay_access?
> >In other words, which acls are fast?
>
> It's easier to see it the other way around: Any acl where Squid needs to
> make a lookup of any kind to an external resource is slow, and can not
> reliably be used in most access directives except for http_access.
>
> >delay_access and external acl are used together in our organization
> >(Alex Grigoriev said that it worked).
>
> It can be made to work with some restrictions by using http_access to make
> the lookup, cached by the ttl and then available most of the time in
> delay_access.

 If I understand you, the config would look like:

 external_acl_type quota_aclext ttl=15 negative_ttl=15 %LOGIN %SRC %DST /usr/local/libexec/squid/quota.pl
 acl users_quota external quota_aclext
 
 ## work around way.
 ## pass overquota and not overquota users
 http_access allow auth_required users_quota
 http_access allow auth_required !users_quota
 ##

 delay_class 1 1
 delay_parameters 1 100/100
 delay_access 1 allow !users_quota
 delay_access 1 deny all

 But will I get a performance bottleneck in calculating delay pools?

 I suppose squid will use the users_quota value calculated in http_access. Therefore
 it will check this acl for each URL request. After the ttl it is recalculated. Is it
 bad for proxy performance?

 Do you know other rules like http_access that can be used together with external_acl?
 I found no info about it.

 
 The second way: generate a file with the over-quota users and attach it with the following acl:
 acl auth_overquoted proxy_auth "_path_/overquoted"
 delay_class 1 1
 delay_parameters 1 100/100
 delay_access 1 allow auth_overquoted
 delay_access 1 deny all

 But in this case I should do squid -k restart every 15 minutes.
 Is the second way a good way?
 

-- 
Sergey Shepshelevich
Ulyanovsk State Technical University
NOC, System administrator
Received on Thu Mar 31 2005 - 07:53:33 MST
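
For reference, a sketch of the kind of helper that an `external_acl_type ... %LOGIN %SRC %DST` line talks to, added here as an example; it is not the `quota.pl` from the message and not code from the Squid project. It assumes Squid sends one space-separated, URL-escaped line per lookup and expects `OK` or `ERR` back; the usage table and quota value are constructed sample data.

```python
#!/usr/bin/env python3
"""Added example: external ACL helper for `%LOGIN %SRC %DST` lookups."""
import sys
from urllib.parse import unquote

# Constructed sample data: bytes used per user and a hypothetical quota.
USAGE_BYTES = {"alice": 120_000_000, "bob": 900_000_000}
QUOTA_BYTES = 500_000_000


def answer(line, usage=USAGE_BYTES, quota=QUOTA_BYTES):
    """Return 'OK' if the user is within quota, otherwise 'ERR'.

    Malformed lines and unknown users get 'ERR', so with
    `delay_access 1 allow !users_quota` they land in the delay pool.
    """
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) != 3:
        return "ERR"
    # Assumption: fields arrive URL-escaped; src and dst are decoded but
    # this sample decision only looks at the login name.
    login, _src, _dst = (unquote(f) for f in fields)
    if login in ("", "-") or any(ord(c) < 0x20 for c in login):
        return "ERR"  # missing login or control characters in the name
    used = usage.get(login)
    if used is None or used >= quota:
        return "ERR"
    return "OK"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer lookups until Squid closes the pipe."""
    for line in stdin:
        stdout.write(answer(line) + "\n")
        stdout.flush()  # Squid waits for each reply line


if __name__ == "__main__":
    serve()
```

Each answer is cached by Squid for the configured `ttl` / `negative_ttl`, so the helper is consulted again only after that interval for the same `%LOGIN %SRC %DST` combination.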
