Possible to use reply_header_add directive with acl random access list?

--Ahmad--
Hello folks,
I want to ask:
Possible to use reply_header_add directive with acl random access list?

I read that reply_header_add only needs fast ACLs, and I'm not sure if the random ACL is fast/slow, based on the below:

http://www.squid-cache.org/Doc/config/reply_header_add/
and
https://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs

So indeed I would like to be able to match reply_header_add with some random ACLs.

I tried some samples and I got unexpected/wrong results.

Let me know your thoughts on that issue.

Kind regards

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Possible to user reply_header_add directive with acl random access list ?

Alex Rousskov
On 7/16/19 6:11 PM, --Ahmad-- wrote:

> Possible to use reply_header_add directive with acl random access list?

Yes, it is possible.


> I read that reply_header_add only needs fast ACLs, and I'm not sure if the random ACL is fast/slow

The random ACL is fast. GitHub pull requests that add that missing info
to the random ACL documentation in src/cf.data.pre are welcomed.
https://wiki.squid-cache.org/MergeProcedure

Alex.
Re: Possible to user reply_header_add directive with acl random access list ?

--Ahmad--
Hi Alex,
acl half10000 random 1/10
acl half10001 random 1/9
acl half10002 random 1/8
acl half10003 random 1/7
acl half10004 random 1/6
acl half10005 random 1/5
acl half10006 random 1/4
acl half10007 random 1/3
acl half10008 random 1/2
acl half10009 random 1/1
########################################
reply_header_add start "A" half10000
reply_header_add start "B" half10001
reply_header_add start "C" half10002
reply_header_add start "D" half10003
reply_header_add start "E" half10004
reply_header_add start "F" half10005
reply_header_add start "G" half10006
reply_header_add start "H" half10007
reply_header_add start "I" half10008
reply_header_add start "J" half10009
##############################
tcp_outgoing_address 12.13.100.1 half10000
tcp_outgoing_address 12.13.100.2 half10001
tcp_outgoing_address 12.13.100.3 half10002
tcp_outgoing_address 12.13.100.4 half10003
tcp_outgoing_address 12.13.100.5 half10004
tcp_outgoing_address 12.13.100.6 half10005
tcp_outgoing_address 12.13.100.7 half10006
tcp_outgoing_address 12.13.100.8 half10007
tcp_outgoing_address 12.13.100.9 half10008
tcp_outgoing_address 12.13.100.10 half10009



 curl -x 12.13.100.250:2000    -U hi:hi  ifconfig.io  -v

* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: G
< start: F
< start: E
< start: E
<
12.13.100.2
* Connection #0 to host 12.13.100.250 left intact



Another hit:


 curl -x 12.13.100.250:2000    -U hi:hi  ifconfig.io  -v

* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: F
< start: A
< start: J
< start: I
<
12.13.100.6



So as you see above, I have multiple replied headers, not a single one.
And the replied headers are even wrong.
So I do receive wrong, multiple results.


My questions are:

1- Why do we receive multiple replies, not a single reply?
2- Why are the received replies wrong? I expect a single reply based on the random ACLs we set up.

Do we need other stuff with the random ACL to have it work with the header directive?




Thank You


Re: Possible to user reply_header_add directive with acl random access list ?

Amos Jeffries
On 17/07/19 9:41 pm, --Ahmad-- wrote:

> Hi Alex,
> acl half10000 random 1/10
> acl half10001 random 1/9
> acl half10002 random 1/8
> acl half10003 random 1/7
> acl half10004 random 1/6
> acl half10005 random 1/5
> acl half10006 random 1/4
> acl half10007 random 1/3
> acl half10008 random 1/2
> acl half10009 random 1/1
> ########################################
> reply_header_add start "A" half10000
> reply_header_add start "B" half10001
> reply_header_add start "C" half10002
> reply_header_add start "D" half10003
> reply_header_add start "E" half10004
> reply_header_add start "F" half10005
> reply_header_add start "G" half10006
> reply_header_add start "H" half10007
> reply_header_add start "I" half10008
> reply_header_add start "J" half10009
> ##############################
> tcp_outgoing_address 12.13.100.1 half10000
> tcp_outgoing_address 12.13.100.2 half10001
> tcp_outgoing_address 12.13.100.3 half10002
> tcp_outgoing_address 12.13.100.4 half10003
> tcp_outgoing_address 12.13.100.5 half10004
> tcp_outgoing_address 12.13.100.6 half10005
> tcp_outgoing_address 12.13.100.7 half10006
> tcp_outgoing_address 12.13.100.8 half10007
> tcp_outgoing_address 12.13.100.9 half10008
> tcp_outgoing_address 12.13.100.10 half10009
>
>
>
>  curl -x 12.13.100.250:2000    -U hi:hi  ifconfig.io  -v
>
> * Rebuilt URL to: ifconfig.io/
> *   Trying 12.13.100.250...
> * TCP_NODELAY set
> * Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
> * Proxy auth using Basic with user 'hi'
>> GET http://ifconfig.io/ HTTP/1.1
>> Host: ifconfig.io
>> Proxy-Authorization: Basic YmVuOmJlbg==
>> User-Agent: curl/7.54.0
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>>
> < HTTP/1.1 200 OK
> < Date: Wed, 17 Jul 2019 09:34:57 GMT
> < Content-Type: text/plain; charset=utf-8
> < Content-Length: 40
> < Connection: keep-alive
> < start: G
> < start: F
> < start: E
> < start: E
> <
> 12.13.100.2
> * Connection #0 to host 12.13.100.250 left intact
>

That reply does look strange. "E" should only occur once, and "J" is
missing.


>
> Another hit:
>
>
>  curl -x 12.13.100.250:2000    -U hi:hi  ifconfig.io  -v
>
> * Rebuilt URL to: ifconfig.io/
> *   Trying 12.13.100.250...
> * TCP_NODELAY set
> * Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
> * Proxy auth using Basic with user 'hi'
>> GET http://ifconfig.io/ HTTP/1.1
>> Host: ifconfig.io
>> Proxy-Authorization: Basic YmVuOmJlbg==
>> User-Agent: curl/7.54.0
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>>
> < HTTP/1.1 200 OK
> < Date: Wed, 17 Jul 2019 09:34:57 GMT
> < Content-Type: text/plain; charset=utf-8
> < Content-Length: 40
> < Connection: keep-alive
> < start: F
> < start: A
> < start: J
> < start: I
> <
> 12.13.100.6
>
>
>
> So as you see above, I have multiple replied headers, not a single one.
> And the replied headers are even wrong.
> So I do receive wrong, multiple results.
>

reply_header_add does not stop with the first matching line like
http_access. Each is checked to see if that value is to be added.

So naturally each letter has a random chance of being added.

In other words;
 You have configured Squid to add the header "start" between 0 and 10
times, with a selection of letters.


The tcp_outgoing_address check for which IP address to use is
independent of what headers are added. That directive *does* stop on
first matching line.


>
> My questions are:
>
> 1- Why do we receive multiple replies, not a single reply?

What do you mean by "multiple replies" ?


> 2- Why are the received replies wrong? I expect a single reply based on the random ACLs we set up.
>

Every time a "random" type ACL is tested a new random number is selected
and checked against the match:non-match ratio you configure.



> Do we need other stuff with the random ACL to have it work with the header directive?
>

The ACL works as designed. You appear to have missed the fact that each
check/test of the ACL uses a different randomly selected number.


Amos
Re: Possible to user reply_header_add directive with acl random access list ?

--Ahmad--
Hi Amos, thank you for your info.

Indeed, I read this about the reply header ACL:

##############################################
One or more Squid ACLs may be specified to restrict header
	injection to matching responses. As always in squid.conf, all
	ACLs in the ACL list must be satisfied for the insertion to
	happen. The reply_header_add option supports fast ACLs only.

	See also: request_header_add.
#################################################

I'm not sure what I need to do to make the output a single value and not multiple values.

About your question:
>> 1- Why do we receive multiple replies, not a single reply?
>
> What do you mean by "multiple replies"?
--> I mean I would like the result to be as below:

* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: A
12.13.100.1
* Connection #0 to host 12.13.100.250 left intact



* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: B
12.13.100.2
* Connection #0 to host 12.13.100.250 left intact




* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: C
12.13.100.3
* Connection #0 to host 12.13.100.250 left intact


* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.100.250...
* TCP_NODELAY set
* Connected to 12.13.100.250 (12.13.100.250) port 2000 (#0)
* Proxy auth using Basic with user 'hi'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
< HTTP/1.1 200 OK
< Date: Wed, 17 Jul 2019 09:34:57 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: D
12.13.100.4
* Connection #0 to host 12.13.100.250 left intact



###############################################


Check the 4 tests above … those are what I want the results to be.
If I have external IP 12.13.100.4, the header should be single and = < start: D
If I go external 12.13.100.3, the header should be single and = < start: C
If I go external 12.13.100.2, the header should be single and = < start: B
If I go external 12.13.100.1, the header should be single and = < start: B


So basically I want 1 answer matching the ACL:

acl half10000 random 1/10
acl half10001 random 1/9
acl half10002 random 1/8
acl half10003 random 1/7
acl half10004 random 1/6
acl half10005 random 1/5
acl half10006 random 1/4
acl half10007 random 1/3
acl half10008 random 1/2
acl half10009 random 1/1



As you see above, the ACLs above should be matching single values, not multiple values.

And when I get multiple header replies it doesn't satisfy my needs.


What do you think, Amos?


Thanks again


Re: Possible to user reply_header_add directive with acl random access list ?

Alex Rousskov
On 7/17/19 7:55 AM, --Ahmad-- wrote:

> indeed i read about reply header ACL That :

> all ACLs in
> the ACL list must be satisfied for the insertion to happen.

Amos is right, but the documentation you quote has nothing to do with
the fact that each reply_header_add rule is checked. That arguably
non-obvious behavior should be documented IMO. Quality pull requests
that enhance Squid documentation are welcomed on GitHub[1].


> what do i need to let the output single value and not
> multiple values

You are pushing against ACL limits, but it _is_ possible to restrict
further reply_header_add matches using modern Squid ACLs alone:

  acl markProcessed annotate_client processed=yes
  acl markedProcessed note processed yes

  acl p1in10 random 1/10
  acl p1in9  random 1/9
  ...

  reply_header_add Start "A" !markedProcessed p1in10 markProcessed
  reply_header_add Start "B" !markedProcessed p1in9  markProcessed
  ...

If you have a large number of possible Start values, then adding a Start
header using an eCAP adapter may be faster than checking so many ACLs. I
do not know what "large" means here, but I would not worry if you have
fewer than 100 values.


N.B. Please do not misinterpret my responses as an implication that what
you are doing overall is a good idea, or that there are no better ways
to accomplish the same goal. I am just answering specific questions in
case those answers would be useful for other use cases.


Cheers,

Alex.
[1] https://wiki.squid-cache.org/MergeProcedure
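
Added example (not part of any message in this thread, and not Squid code): a small Python model of the evaluation rules described by Amos and Alex above, using the ten random ACLs from the first configuration. The function names are made up for the illustration; it computes how many Start headers the plain rules add on average, and how often an independently chosen outgoing address lines up with the header once the annotation trick limits it to one.

```python
"""Added illustration of the rule-evaluation behaviour described in the thread.
Not Squid code; every function name here is hypothetical."""
import random
from fractions import Fraction

# Constructed from the thread's first configuration: "random 1/10" ... "random 1/1".
RATIOS = [Fraction(1, n) for n in range(10, 0, -1)]
LETTERS = list("ABCDEFGHIJ")                           # reply_header_add values
ADDRESSES = [f"12.13.100.{i}" for i in range(1, 11)]   # tcp_outgoing_address values


def random_acl(ratio, rng):
    """One test of a 'random' ACL: a new number is drawn on every check."""
    return rng.random() < ratio


def reply_headers_plain(rng):
    """Every reply_header_add line is checked, so several lines may match
    (here at least one, because the last ACL is 1/1)."""
    return [v for v, r in zip(LETTERS, RATIOS) if random_acl(r, rng)]


def reply_headers_annotated(rng):
    """Model of '!markedProcessed pN markProcessed': the ACLs on a line are
    tested left to right, so the annotation is set only when pN matched."""
    processed = False
    added = []
    for value, ratio in zip(LETTERS, RATIOS):
        if not processed and random_acl(ratio, rng):
            processed = True
            added.append(value)
    return added


def outgoing_address(rng):
    """tcp_outgoing_address stops on the first matching line."""
    for value, ratio in zip(ADDRESSES, RATIOS):
        if random_acl(ratio, rng):
            return value
    return None


def first_match_distribution(ratios):
    """Exact probability that each line is the first one to match."""
    remaining, dist = Fraction(1), []
    for ratio in ratios:
        dist.append(remaining * ratio)
        remaining *= 1 - ratio
    return dist


def expected_plain_header_count(ratios):
    """Average number of headers added when every line is checked."""
    return sum(ratios, Fraction(0))


def pairing_probability(ratios):
    """Chance that independent header and address draws pick the same line."""
    return sum(p * p for p in first_match_distribution(ratios))


def simulate(trials=20000, seed=1):
    """Fraction of transactions where the single header and the outgoing
    address happen to come from the same line number."""
    rng = random.Random(seed)
    paired = 0
    for _ in range(trials):
        header = reply_headers_annotated(rng)[0]
        address = outgoing_address(rng)
        if LETTERS.index(header) == ADDRESSES.index(address):
            paired += 1
    return paired / trials


if __name__ == "__main__":
    print("first-match share per line:", first_match_distribution(RATIOS)[0])
    print("average headers, plain rules:", float(expected_plain_header_count(RATIOS)))
    print("header/address pairing, exact:", pairing_probability(RATIOS))
    print("header/address pairing, simulated:", simulate())
```
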
Re: Possible to user reply_header_add directive with acl random access list ?

--Ahmad--
Thanks Alex, I tried your ACL; it is not recognised!

2019/07/17 09:21:42| FATAL: Invalid ACL type ‘annotate_client'


Do I need to recompile Squid to enable this kind of ACL?




Re: Possible to user reply_header_add directive with acl random access list ?

Alex Rousskov
On 7/17/19 10:40 AM, --Ahmad-- wrote:

> 2019/07/17 09:21:42| FATAL: Invalid ACL type ‘annotate_client'

> do i need to recompile squid to enable this kind of ACLS ?

These ACLs are only supported in the development version of Squid
(future v5): https://github.com/squid-cache/squid/commit/63e82d8

Alex.
Re: Possible to user reply_header_add directive with acl random access list ?

--Ahmad--
Hi Alex, thanks for the info.

Well, I have compiled Squid 5
and I followed the exact steps you mentioned.

Now I have a delayed response with single header info.

But it's the wrong value … not the correct reply header!!!

So instead of getting START A I see START B or E and so on.





Re: Possible to user reply_header_add directive with acl random access list ?

--Ahmad--
Any recommendation, Alex?

I'm 100% sure I have done the same as you asked, but I still get wrong results.

I can see 1 result, but it's wrong.


Thanks


Re: Possible to user reply_header_add directive with acl random access list ?

Alex Rousskov
On 7/18/19 3:48 PM, --Ahmad-- wrote:
> Any recommendation alex ?

I recommend isolating the problem to the minimum number of transactions
(probably one or two in your case) and then posting your Squid
configuration, actual transaction headers, and an explanation why those
actual headers are wrong (and what headers you expected to see).

Alex.


Re: Possible to user reply_header_add directive with acl random access list ?

--Ahmad--
OK, here we go:

###########################################
dns_nameservers 1.0.0.1
acl markProcessed annotate_client processed=yes
acl markedProcessed note processed yes
#########################################
acl half10000 random 1/5
acl half10001 random 1/4
acl half10002 random 1/3
acl half10003 random 1/2
acl half10004 random 1/1
########################################
reply_header_add start "a" !markedProcessed half10000 markProcessed
reply_header_add start "B" !markedProcessed half10001 markProcessed
reply_header_add start "C" !markedProcessed half10002 markProcessed
reply_header_add start "D" !markedProcessed half10003 markProcessed
reply_header_add start "E" !markedProcessed half10004 markProcessed
#####################################################################
tcp_outgoing_address 12.13.200.10 half10000
tcp_outgoing_address 12.13.200.11 half10001
tcp_outgoing_address 12.13.200.12 half10002
tcp_outgoing_address 12.13.200.13 half10003
tcp_outgoing_address 12.13.200.14 half10004
#####################################################################






Curl testing:


root:~ user$ curl -x 12.13.200.250:2000    -U testx:testx  ifconfig.io  -v
* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.200.250...
* TCP_NODELAY set
* Connected to 12.13.200.250 (12.13.200.250) port 2000 (#0)
* Proxy auth using Basic with user 'testx'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
< HTTP/1.1 200 OK
< Date: Thu, 18 Jul 2019 22:04:11 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: E
12.13.200.12
* Connection #0 to host 12.13.200.250 left intact




root:~ user$ curl -x 12.13.200.250:2000    -U testx:testx  ifconfig.io  -v
* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.200.250...
* TCP_NODELAY set
* Connected to 12.13.200.250 (12.13.200.250) port 2000 (#0)
* Proxy auth using Basic with user 'testx'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
< HTTP/1.1 200 OK
< Date: Thu, 18 Jul 2019 22:04:12 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 40
< Connection: keep-alive
< start: B
12.13.200.13
* Connection #0 to host 12.13.200.250 left intact




root:~ user$ curl -x 12.13.200.250:2000    -U testx:testx  ifconfig.io  -v
* Rebuilt URL to: ifconfig.io/
*   Trying 12.13.200.250...
* TCP_NODELAY set
* Connected to 12.13.200.250 (12.13.200.250) port 2000 (#0)
* Proxy auth using Basic with user 'testx'
> GET http://ifconfig.io/ HTTP/1.1
> Host: ifconfig.io
> Proxy-Authorization: Basic YmVuOmJlbg==
> User-Agent: curl/7.54.0
> Accept: */*
> Proxy-Connection: Keep-Alive
< HTTP/1.1 200 OK
< Date: Thu, 18 Jul 2019 22:04:13 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 38
< Connection: keep-alive
< start: a
12.13.200.14
* Connection #0 to host 12.13.200.250 left intact
root:~ user$ 




Look at the results above; I made 3 tests.


12.13.200.13 --> B
12.13.200.14 --> a
12.13.200.12 ---> E

And those are wrong ….


The above are wrong reply values; the correct ones should be as below, based on the ACLs we configured.



 12.13.200.13 --->D
 12.13.200.12 ---->C
 12.13.200.14  ---->E


I hope it's clear now :)

Thanks, and looking forward to hearing from you.





Re: Possible to user reply_header_add directive with acl random access list ?

Alex Rousskov
On July 18, 2019 18:15:30 --Ahmad--  wrote:


> reply_header_add start "a" !markedProcessed half10000 markProcessed
>
> ...

I would replace 1/1 random ACL with "all", but OK.


> tcp_outgoing_address 12.13.200.10 half10000

Strange: Your outgoing address decisions appear to be random, completely independent from your Start values. Is that what you want?


> 12.13.200.13 --> B
> 12.13.200.14 --> a
> 12.13.200.12 ---> E
>
> And those are wrong ….
>
>
> The above are wrong reply values; the correct ones should be as below, based on the ACLs we configured.
>
>
>
>  12.13.200.13 --->D
>  12.13.200.12 ---->C
>  12.13.200.14  ---->E

I see nothing in your configuration that would tie outgoing address to Start values. Where did you configure Squid to use "D" for .13 or vice versa?

Alex.






Re: Possible to user reply_header_add directive with acl random access list ?

--Ahmad--
Hi Alex.

> Strange: Your outgoing address decisions appear to be random, completely independent from your Start values. Is that what you want?
Yes, it is supposed to have the header as I configured the ACLs.


 12.13.200.13 --->D
 12.13.200.12 ---->C
 12.13.200.14  ——>E

Not 

12.13.200.13 --> B
12.13.200.14 --> a
12.13.200.12 ---> E


> I see nothing in your configuration that would tie outgoing address to Start values. Where did you configure Squid to use "D" for .13 or vice versa?
Maybe I'm wrong in the config; I thought that my config above is like:


###########################################
dns_nameservers 1.0.0.1
acl markProcessed annotate_client processed=yes
acl markedProcessed note processed yes
#########################################
acl half10000 random 1/5

reply_header_add start "a" !markedProcessed half10000 markProcessed

tcp_outgoing_address 12.13.200.10 half10000


But maybe I'm wrong with the config, and I'm open now to any suggestions to change the config to get it working as I mentioned above with headers.


Thanks 




Re: Possible to user reply_header_add directive with acl random access list ?

Amos Jeffries
On 19/07/19 6:49 pm, --Ahmad-- wrote:

>
> But may be im wrong with config and im open now to any suggestions to
> change the config to get it working as i mentioned above with headers .
>

As I said at the end of my earlier mail:

"
You appear to have missed the fact that each
check/test of the ACL uses a different randomly selected number.
"


These:

>
>  reply_header_add start "a" !markedProcessed half10000 markProcessed
>
>  tcp_outgoing_address 12.13.200.10 half10000
>

... contain two different check/test of the ACL called half10000.

One for reply_header_add, another one for tcp_outgoing_address.

-> a random 1/5 of requests will have "Start: a" header added.

-> a random 1/5 of requests will try to send from 12.13.200.10 IP address.

The two sets likely do not overlap. Though since this is truly random -
there is a 2.5% chance that any request might *look* like what you are
seeking.


To make the IP based on the "a" existence you have to ... base it on the
"a" - not on some random number.


Amos

Re: Possible to user reply_header_add directive with acl random access list ?

--Ahmad--
Hi guys, thank you a lot for your cooperation.

Is there any way I can let the header ACL stop on the 1st MATCH?

Do you have any other thing we can do to achieve what I'm looking for based on my config below?


Thanks 





On 19 Jul 2019, at 13:04, Amos Jeffries <[hidden email]> wrote:

To make the IP based on the "a" existence you have to ... base it on the
"a" - not on some random number.



Re: Possible to user reply_header_add directive with acl random access list ?

Alex Rousskov
On 7/19/19 8:53 AM, --Ahmad-- wrote:

> Is there any way I can let the header ACL stop on the 1st MATCH?

Yes, your reply_header_add ACLs effectively stop on the first match,
using the annotation trick. That part of your configuration is probably
working. The primary problem is elsewhere.


> Do you have any other thing we can do to achieve what I'm looking for
> based on my config below?

FWIW, I do not know what you are looking for. I even checked earlier
emails on this thread and could not find that information. Can you
(re)state your goals using the following template?

"When Squid receives a client request with HTTP header X, I want Squid
to forward that request using outgoing TCP address Y, and then add HTTP
header Z to the response that Squid sends to the client."

Replace X, Y, and Z with your actual requirements. Adjust as needed,
including removing any unnecessary parts.

Alex.

Re: Possible to user reply_header_add directive with acl random access list ?

--Ahmad--
Alex, indeed I asked many questions and you already solved my old issues. I do apologise for that Drop.
Here is what we are going to achieve.


In simple terms:

I want to have external random addresses from a list of addresses.
And at the same time I want a header like the “start” header which can be sent from Squid to the Host with a tag.

Say I have 10 IPs.
I want random external over them.
And I want a single one on each of those 10 IPs to be sent back to the Host.
If external was ip1, then “start header” should be A
If external was ip2, then “start header” should be b
If external was ip3, then “start header” should be c
If external was ip4, then “start header” should be d

and so on.


Thanks, and again guys, you have been very helpful.


Thanks


> On 19 Jul 2019, at 16:08, Alex Rousskov <[hidden email]> wrote:
>
> On 7/19/19 8:53 AM, --Ahmad-- wrote:
>
>> Is there any way I can let the header ACL stop on the 1st MATCH?
>
> Yes, your reply_header_add ACLs effectively stop on the first match,
> using the annotation trick. That part of your configuration is probably
> working. The primary problem is elsewhere.
>
>
>> Do you have any other thing we can do to achieve what I'm looking for
>> based on my config below?
>
> FWIW, I do not know what you are looking for. I even checked earlier
> emails on this thread and could not find that information. Can you
> (re)state your goals using the following template?
>
> "When Squid receives a client request with HTTP header X, I want Squid
> to forward that request using outgoing TCP address Y, and then add HTTP
> header Z to the response that Squid sends to the client."
>
> Replace X, Y, and Z with your actual requirements. Adjust as needed,
> including removing any unnecessary parts.
>
> Alex.


Re: Possible to user reply_header_add directive with acl random access list ?

Alex Rousskov
On 7/19/19 2:54 PM, --Ahmad-- wrote:

> Say I have 10 IPs.
> I want random external over them.

> If external was ip1, then “start header” should be A
> If external was ip2, then “start header” should be b
> If external was ip3, then “start header” should be c
> If external was ip4, then “start header” should be d

I can suggest two options. The first one is a little simpler, but it
uses actual IP addresses (e.g., "1.1.1.1") instead of IP address
labels/pseudonyms (e.g. "A") for Start header values:

  # select one of ten IPs using a uniform random distribution
  tcp_outgoing_address 12.13.200.10 p1in10
  tcp_outgoing_address 12.13.200.11 p1in9
  ...
  tcp_outgoing_address 12.13.200.19 all

  # tell the client what IP our to-server connection originated from
  reply_header_add Start "%<la"


If you do not really want to send the actual IP values in Start headers,
and are not worried that Squid may not actually use the selected
outgoing IP address for some reason, then you can use annotations to
mark specific tcp_outgoing_address decisions:

  acl markDecisionA annotate_client decision=A
  acl markDecisionB annotate_client decision=B
  ...
  acl markDecisionJ annotate_client decision=J

  # select one of ten IPs using a uniform random distribution
  # and remember our decision as a transaction annotation
  tcp_outgoing_address 12.13.200.10 p1in10 markDecisionA
  tcp_outgoing_address 12.13.200.11 p1in9 markDecisionB
  ...
  tcp_outgoing_address 12.13.200.19 markDecisionJ

  # relay our tcp_outgoing_address decision to the client
  reply_header_add Start "%note{decision}"


HTH,

Alex.
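
An added simulation, not part of Alex's message and not Squid code: it models the first-match rule walk discussed in this thread to compare testing the random ACLs separately for the header and for the address against recording the address decision once as an annotation. The function names, the `note` dictionary and the mapping of labels A to J onto 12.13.200.10 through 12.13.200.19 are assumptions made for the model.

```python
import random
from collections import Counter

# Constructed model, not Squid code: ten addresses and labels as in the thread.
ADDRESSES = [f"12.13.200.{n}" for n in range(10, 20)]
LABELS = "ABCDEFGHIJ"

def first_match(rng, n=len(ADDRESSES)):
    """Top-down rule walk: rule i carries 'random 1/(n-i)', the last rule
    always matches. Each check draws a fresh random number."""
    for i in range(n - 1):
        if rng.random() < 1 / (n - i):
            return i
    return n - 1

def independent_checks(rng):
    """Address rules and header rules each test the random ACLs separately."""
    return ADDRESSES[first_match(rng)], LABELS[first_match(rng)]

def annotated_decision(rng):
    """The matching address rule stores a note; the header echoes that note."""
    i = first_match(rng)
    note = {"decision": LABELS[i]}          # stands in for annotate_client
    return ADDRESSES[i], note["decision"]   # stands in for %note{decision}

def mismatch_rate(strategy, trials=20000, seed=1):
    """Fraction of transactions whose label does not name the address used."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        addr, label = strategy(rng)
        bad += LABELS[ADDRESSES.index(addr)] != label
    return bad / trials

def address_shares(trials=50000, seed=1):
    """Share of transactions sent from each address by the 1/10, 1/9, ... chain."""
    rng = random.Random(seed)
    counts = Counter(first_match(rng) for _ in range(trials))
    return [counts[i] / trials for i in range(len(ADDRESSES))]

if __name__ == "__main__":
    print("independent checks mismatch:", mismatch_rate(independent_checks))
    print("annotated decision mismatch:", mismatch_rate(annotated_decision))
    print("address shares:", [round(s, 3) for s in address_shares()])
```

With ten addresses, the separately tested variant labels roughly nine in ten transactions with the wrong letter, while the annotated variant never does, and the 1/10, 1/9, ... chain still spreads traffic evenly.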

Re: Possible to user reply_header_add directive with acl random access list ?

--Ahmad--
Alex, you have been helpful a lot.

I would appreciate your help & Amos for what you provided.

Thanks for your kind support.

You have simplified all that I need.


Kind regards 


On 19 Jul 2019, at 23:03, Alex Rousskov <[hidden email]> wrote:

reply_header_add Start "%<la"

