Re: when 'cache_peer_access <cache> deny all_dst' is not enough

From: Clifton Royston <cliftonr@dont-contact.us>
Date: Thu, 11 Nov 1999 12:30:34 -1000

On Thu, Nov 11, 1999 at 08:50:16AM +0000, dean.scothern@wwgsolutions.com wrote:
> acl all-dst dst 0.0.0.0/0.0.0.0
> acl everything urlpath_regex .*
> cache_peer_access cache1 allow domain1
> cache_peer_access cache1 deny all-dst
> cache_peer_access cache1 deny everything
>
> And lo and behold the loop disappeared, and wroom.... performance is
> much better! It looked like deny all-dst was not enough.
>
> So my question is: why?
>
> Am I being stupid (probably)

No, you're not being stupid, it's very counter-intuitive.

IP-based dst patterns don't always do anything, because Squid doesn't
always take the time to look up the queries (which come in as domain
names) and resolve them to IP addresses.

I believe the reverse is true with name-based src addresses, though I
haven't heard this confirmed by one of the gurus.

  -- Clifton

-- 
 Clifton Royston  --  LavaNet Systems Architect --  cliftonr@lava.net
        "An absolute monarch would be absolutely wise and good.  
           But no man is strong enough to have no interest.  
             Therefore the best king would be Pure Chance.  
              It is Pure Chance that rules the Universe; 
          therefore, and only therefore, life is good." - AC
Received on Thu Nov 11 1999 - 15:39:29 MST
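
Added example, not part of the original message and not Squid code: a toy Python model of the cache_peer_access list quoted above, showing how a request whose destination has not been resolved slips past `deny all-dst` and is stopped only by the `urlpath_regex .*` line. Assumptions: `domain1` is a dstdomain ACL for `.example.com`, the `resolved_ip` field stands for whether an IP is already at hand, and an access list with no matching line yields the opposite of its last line.

```python
import ipaddress
import re

# Constructed ACL table. "domain1" is not defined in the thread; a dstdomain
# ACL for .example.com is assumed here.
ACLS = {
    "domain1": ("dstdomain", ".example.com"),
    "all-dst": ("dst", "0.0.0.0/0.0.0.0"),
    "everything": ("urlpath_regex", ".*"),
}
ORIGINAL = [("allow", "domain1"), ("deny", "all-dst")]
FIXED = ORIGINAL + [("deny", "everything")]

def acl_matches(acl, req):
    kind, pattern = acl
    if kind == "dstdomain":
        suffix = pattern.lstrip(".")
        return req["host"] == suffix or req["host"].endswith("." + suffix)
    if kind == "dst":
        # Non-blocking check: with no IP already at hand, a dst ACL cannot match.
        ip = req.get("resolved_ip")
        if ip is None:
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)
    if kind == "urlpath_regex":
        return re.search(pattern, req["path"]) is not None
    raise ValueError("unsupported ACL type: " + kind)

def peer_allowed(rules, req):
    """Return True if the request may be forwarded to the peer."""
    last_action = None
    for action, name in rules:
        if acl_matches(ACLS[name], req):
            return action == "allow"
        last_action = action
    # Assumption: with no matching line, the result is the opposite of the last line.
    return last_action != "allow"

# Constructed sample requests.
UNRESOLVED = {"host": "www.example.org", "path": "/index.html", "resolved_ip": None}
RESOLVED = dict(UNRESOLVED, resolved_ip="192.0.2.10")
PEER_DOMAIN = {"host": "www.example.com", "path": "/", "resolved_ip": None}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for req in (UNRESOLVED, RESOLVED, PEER_DOMAIN):
            print(label, req["host"], req["resolved_ip"], peer_allowed(rules, req))
```

In this model the unresolved request is the only one whose outcome changes between the two rule sets, which is the case the extra `deny everything` line closes.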
