How to use "cache", "store_miss" and "send_hit" directives?

Robert Senger
Hi there,

after upgrading to 4.6 from 3.x, I am completely confused about how to
use the cache, store_miss and send_hit directives correctly.

I am using ACLs for different handling of clients connecting to
different local ports:

  acl proxy-basic localip 172.16.2.243
  acl proxy-standard localip 172.16.3.243

These ACLs are used to determine outgoing address, which are routed to
different outgoing interfaces like this:

  tcp_outgoing_address 172.16.3.244 proxy-basic
  tcp_outgoing_address 172.16.4.244 proxy-standard

This works as desired.

Now I am struggling with caching objects. The goal is to have objects
requested by proxy-basic clients not be cached, but objects
requested by proxy-standard be cached normally.

Tried this:

  cache deny proxy-basic
  cache allow all

And this:

  cache allow proxy-standard
  cache deny all

And many other different configs. Does not work as desired.

The result is always the same, either all objects are cached, or no
objects at all are cached.

Even if I try a simple configuration like this, objects are never
cached:

  cache allow proxy-standard

If I use ANY "cache ___" directive other than a (useless) "cache allow
all", caching is completely disabled for all ACLs.

What am I doing wrong? Are those ACLs unsuitable for configuring
caching with cache directives?

I haven't found any examples on the net about how to achieve what I
want to do. As far as I remember, this used to work with the old 3.x
setup (this is gone, cannot test this any more).

Thanks for help.

Robert


--
Robert Senger


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How to use "cache", "store_miss" and "send_hit" directives?

Alex Rousskov
On 10/16/19 10:38 AM, Robert wrote:

> after upgrading to 4.6 from 3.x
> I am struggling with caching objects. The goal is, to have objects
> requested by proxy-basic clients not to be cached, but objects
> requested by proxy-standard to be cached normally.
>
> Tried this:
>
>   cache deny proxy-basic
>   cache allow all
>
> And this:
>
>   cache allow proxy-standard
>   cache deny all

Based on your description, you probably want the former or its simpler
version:

    cache deny proxy-basic


> If I use ANY "cache ___" directive other than a (useless) "cache allow
> all", caching is completely disabled for all ACLs.

FYI: Squid does not (yet) treat the "all" ACL specially -- Squid does
not ignore or automatically apply seemingly "useless" rules with it. If
you are getting correct results with "allow all" and incorrect results
with "allow foo", then your foo ACL does not match (in that specific
context). Why it does not match is a separate question.


> What am I doing wrong?

Nothing that warrants discussing here IMO. I suggest trying the latest
v4 release and, if the problem is still there, filing a bug report. If
you can share a compressed ALL,7+ cache.log while reproducing the
problem with a single transaction, we may be able to triage this problem
faster. Squid wiki has instructions at
https://wiki.squid-cache.org/SquidFaq/BugReporting#Debugging_a_single_transaction


HTH,

Alex.

> I am using ACLs for different handling of clients connecting to
> different local ports:
>
>   acl proxy-basic localip 172.16.2.243
>   acl proxy-standard localip 172.16.3.243
>
> These ACLs are used to determine outgoing address, which are routed to
> different outgoing interfaces like this:
>
>   tcp_outgoing_address 172.16.3.244 proxy-basic
>   tcp_outgoing_address 172.16.4.244 proxy-standard
>
> This works as desired.
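
An added example, not part of the original thread and not Squid's own code: a small Python model of how an allow/deny rule list such as `cache` is evaluated (first matching rule wins; if nothing matches, the result is the opposite of the last rule's action), applied to the rule sets tried above. The function names and the `127.0.0.1` "unmatched" address are constructed for illustration.

```python
from ipaddress import ip_address

# ACL definitions from the thread: name -> local (listening) IP it matches.
ACLS = {
    "proxy-basic": ip_address("172.16.2.243"),
    "proxy-standard": ip_address("172.16.3.243"),
}

def acl_matches(name, local_ip):
    """'all' always matches; a localip ACL matches the address the request hit."""
    return name == "all" or ACLS[name] == ip_address(local_ip)

def cache_allowed(rules, local_ip):
    """rules: list of (action, aclname) in squid.conf order.

    The first matching rule decides. If no rule matches, the answer is the
    opposite of the last rule's action. An unused directive allows caching.
    """
    if not rules:
        return True
    for action, name in rules:
        if acl_matches(name, local_ip):
            return action == "allow"
    return rules[-1][0] != "allow"

# Rule sets from the thread (the last one is the simpler form from the reply).
RULE_SETS = {
    "deny basic, allow all": [("deny", "proxy-basic"), ("allow", "all")],
    "allow standard, deny all": [("allow", "proxy-standard"), ("deny", "all")],
    "allow standard": [("allow", "proxy-standard")],
    "deny basic": [("deny", "proxy-basic")],
}

# Constructed address that neither ACL matches, standing in for a transaction
# in which the localip ACLs do not match in the "cache" context.
UNMATCHED = "127.0.0.1"
CLIENTS = ("172.16.2.243", "172.16.3.243", UNMATCHED)

def outcome_table():
    """Map each rule set to (basic, standard, unmatched) caching decisions."""
    return {label: tuple(cache_allowed(rules, ip) for ip in CLIENTS)
            for label, rules in RULE_SETS.items()}

if __name__ == "__main__":
    for label, row in outcome_table().items():
        print(f"{label:26} basic={row[0]} standard={row[1]} unmatched={row[2]}")
```

The unmatched column reproduces the reported symptom: when neither ACL matches, every rule set ends up caching everything or nothing.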


Re: How to use "cache", "store_miss" and "send_hit" directives?

Robert Senger
Hi Alex,

you're right, the correct way is to use "cache deny <aclname>" only,
all others are allowed then.

I tried this before, but it did not work, because of my very special
setup.

I need to encrypt browser->squid connection (on mobile devices). With
squid 3.x, I used stunnel client on the mobile device and stunnel
server on squid's machine. With squid 4.6, I wanted to get rid of
stunnel server and use squid's https_port directive instead, but
https_port + sslbump did not go together. So, I created a loop that
forwarded https_port connections with a cache_peer directive to squid's
own http_port. That worked, except for caching... The http_port ACLs
never matched in the cache directive, instead, the https_port ACLs did,
but that is not what I want and need. Some coincidence made that
tcp_outgoing_address matched and routing was correct, anyway.

I switched back to the old stunnel server setup, and things are fine
now. But I still don't know why the http_port connections ACLs do not
match...

Regards,

Robert

 
--
Robert Senger <[hidden email]>
PGP/GPG Public Key ID: A51A4BCD


Re: How to use "cache", "store_miss" and "send_hit" directives?

Alex Rousskov
On 10/16/19 7:17 PM, Robert Senger wrote:

> I need to encrypt browser->squid connection (on mobile devices). With
> squid 3.x, I used stunnel client on the mobile device and stunnel
> server on squid's machine. With squid 4.6, I wanted to get rid of
> stunnel server and use squid's https_port directive instead, but
> https_port + sslbump did not go together. So, I created a loop that
> forwarded https_port connections with a cache_peer directive to squid's
> own http_port.

IIRC, this trick also creates problems for built-in cache_peer checks
that may fail because those checks start before Squid starts listening
on its own ports. This problem may be specific to SMP setups. YMMV.


> That worked, except for caching... The http_port ACLs
> never matched in the cache directive, instead, the https_port ACLs did,
> but that is not what I want and need. Some coincidence made that
> tcp_outgoing_address matched and routing was correct, anyway.


AFAICT, bugs notwithstanding, those ACLs should have matched in the
"cache" directive context, especially if they actually matched in the
tcp_outgoing_address context later.

Alex.




Re: How to use "cache", "store_miss" and "send_hit" directives?

Robert Senger
On Wednesday, 16.10.2019, at 22:18 -0400, Alex Rousskov wrote:

> On 10/16/19 7:17 PM, Robert Senger wrote:
>
> > I need to encrypt browser->squid connection (on mobile devices).
> > With
> > squid 3.x, I used stunnel client on the mobile device and stunnel
> > server on squid's machine. With squid 4.6, I wanted to get rid of
> > stunnel server and use squid's https_port directive instead, but
> > https_port + sslbump did not go together. So, I created a loop that
> > forwarded https_port connections with a cache_peer directive to
> > squid's
> > own http_port.
>
> IIRC, this trick also creates problems for built-in cache_peer checks
> that may fail because those checks start before Squid starts
> listening
> on its own ports. This problem may be specific to SMP setups. YMMV.
>
Well, worked for me ;)

> > That worked, except for caching... The http_port ACLs
> > never matched in the cache directive, instead, the https_port ACLs
> > did,
> > but that is not what I want and need. Some coincidence made that
> > tcp_outgoing_address matched and routing was correct, anyway.
>
>
> AFAICT, bugs notwithstanding, those ACLs should have matched in the
> "cache" directive context, especially if they actually matched in the
> tcp_outgoing_address context later.
>
> Alex.

I am not sure if they matched at all. As I said, by chance, default
rules for tcp_outgoing_address and policy-based routing might have
produced the right results (at least where I looked; there are more
than 2 client ACLs), but based on wrong decisions. Can't check this
right now.

Anyway, I am thinking about running multiple squid instances with
simple setups and chain them rather than just one with a very complex
setup, maybe that would make things easier. It also would make it
possible to query different nameservers (or bind9 views) for different
ACLs, which is not possible within one single instance
(udp_outgoing_address does not take ACLs).

Thanks for the help,

Robert



--
Robert Senger

