Re: [squid-users] Single squid in a squid -> filter -> squid setup

From: Joshua Brindle <JBrindle@dont-contact.us>
Date: Sun, 28 Sep 2003 17:18:38 -0500

>On Mon, 2003-09-29 at 07:29, Joshua Brindle wrote:
>> He's right, it will work but the loopback trigger will happen and be logged,
>> What I found easier was using a simple proxy for the outer proxy so that
>> you don't have the caching overhead, and using squid internally using
>> ACL's..
>
>Which suffers because the dansguardian policy no longer applies per
>request. Thus my suggestion for no-caching on the inside, caching on the
>outside. And (as is in the FAQ) two squid will run -just fine-, be
>simpler to debug, and have more useful logs.
>

I'm not sure I follow. They should still apply per request since the header
will still be there and the external ACL (which checks for an existing login
in a database for the IP trying to visit the naughty site) should still get
run and see the X-Naughty header (right? or am I off here?)

My thought here, and it might be wrong, is that if the page is cached on the
inner squid then dansguardian doesn't have to waste CPU time re-analyzing
the same content, and the header I add should be preserved in the cached
page (right?). If it's cached on the outer one, dansguardian will have to
re-analyze it (this isn't exactly right since dansguardian maintains an
in-memory URL cache, but squid's cache should outlive dansguardian's).

>> The bigger problem is that you can't tell squid to use a certain
>> parent for 1 outgoing ACL and a different one for another (as far as I
>> can tell).
>
>peer_access <peer> allow|deny acl acl acl ...
>

Ah, I guess you can. I chose against this because I always want Dansguardian
to analyze the content to check if it's naughty, then allow the external ACL
to see if the user has logged in to see potentially naughty content and log
access to these sites.

>> So I have basically accomplished this (still waiting on a few bugs
>> in squid-3 that are showstoppers before I can move it to production) by
>
>Which bugs? Are they attached to 524?

Yes, mainly the stmem.cc one. I can't run squid in production longer than
5 minutes without it crashing from this :(

>
>
>Rob
>--
>GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.

Joshua Brindle
Received on Sun Sep 28 2003 - 16:19:22 MDT
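
The per-ACL parent selection mentioned in the thread, written with Squid's `cache_peer_access` directive as an added squid.conf fragment (not configuration posted by either participant). The addresses, ports, peer names and ACL name are assumptions chosen for illustration.

```conf
# Constructed example: addresses, ports, peer names and ACL names are
# placeholders, not values from the thread.

# Parent 1: the content filter (e.g. DansGuardian) listening locally.
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest name=filter_parent

# Parent 2: an upstream proxy that bypasses the filter.
cache_peer 192.0.2.10 parent 3128 0 no-query no-digest name=bypass_parent

# Clients whose traffic must always pass through the filter.
acl filtered_clients src 192.168.10.0/24

# Route filtered clients only to the filter parent.
# ("all" is predefined in current Squid releases.)
cache_peer_access filter_parent allow filtered_clients
cache_peer_access filter_parent deny all

# Everyone else uses the bypass parent; filtered clients never do.
cache_peer_access bypass_parent deny filtered_clients
cache_peer_access bypass_parent allow all

# Never fetch directly from origin servers, so a failed or unreachable
# parent cannot silently turn into an unfiltered path.
never_direct allow all
```

Without the `never_direct` line, Squid may go direct when a parent is down, which would let requests from `filtered_clients` skip the filter.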