Re: [squid-users] How to trick splay trees?

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 31 Jul 2012 18:11:20 +0300

On 7/31/2012 12:50 PM, Jannis Kafkoulas wrote:
> Thanks for the quick answer!
>
> Now I see that I didn't express myself precisely enough :-(
>
> "to also go via cache_peer par-alt." wasn't meant as an alternative (either or) but as "as well as the domain ".fa-intracomp.net" :-)
>
> in other words, abc.intracomp.com should be directed only to par-alt.
>
> ...
>
> thanks
>
So it's pretty simple.
As the ACLs go for the first "HITS", there is nothing to trick in the splay
trees; just use more explicit ACLs with a "deny" one first.

##start
acl alt dstdomain .fa-intracomp.net
acl std dstdomain .intracomp.com
acl alt-2 dstdom_regex -i abc.intracomp.com

cache_peer 192.10.10.22 parent 3128 0 no-query login=PASS proxy-only no-digest name=par-std
cache_peer 192.10.10.22 parent 80 0 no-query login=PASS proxy-only no-digest name=par-alt
# first use an explicit deny for the abc...
# so first this domain will not pass using this proxy
# then allow the other proxy.
# and it's recommended to separate the acls for the two proxies.
cache_peer_access par-std deny alt-2
cache_peer_access par-alt allow alt-2
cache_peer_access par-alt allow alt
cache_peer_access par-std allow std
##end

I would put it in my squid.conf in another order for it to be more
understandable for the human eye/mind, to match the algorithm that Squid
uses for ACLs.

##start

#acls part with notes about purpose of each acl if needed.
acl alt dstdomain .fa-intracomp.net
acl std dstdomain .intracomp.com
acl alt-2 dstdom_regex -i abc.intracomp.com

#cache peers part:

#cache peer 1
cache_peer 192.10.10.22 parent 3128 0 no-query login=PASS proxy-only no-digest name=par-std

#cache peer 1 acls
cache_peer_access par-std deny alt-2
cache_peer_access par-std allow std
#....

#cache peer 2
cache_peer 192.10.10.22 parent 80 0 no-query login=PASS proxy-only no-digest name=par-alt

#cache peer 2 acls
cache_peer_access par-alt allow alt-2
cache_peer_access par-alt allow alt

##end

So you do know which proxy will match first explicitly.
You will have the ACLs ordered per cache_peer, and therefore you see
better how Squid will approach the cache_peers.

Regards,
Eliezer

>
> --- On Mon 30/7/12, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>> Subject: Re: [squid-users] How to trick splay trees?
>> To: squid-users_at_squid-cache.org
>> Date: Monday, 30 July 2012 15:25
>> On 31/07/2012 1:25 a.m., Jannis Kafkoulas wrote:
>>> Hi,
>>>
>>> (I use squid 2.7. STABLE9 on RedHat EL 5.6)
>>>
>>> Following problem:
>>>
>>> I have following dstdomains defined going to par-std and par-alt cache_peers respectively:
>>>
>>> acl alt dstdomain .fa-intracomp.net
>>> acl std dstdomain .intracomp.com
>>>
>>> Now I'd like "abc.intracomp.com" to also go via cache_peer par-alt.
>>>
>>> Following two tries didn't work:
>>>
>>> # acl alt-2 dstdom_regex -i abc.intracomp.com
>>> # acl alt dstdomain abc.intracomp.com
>>
>> The dstdomain one is faster. Both are correct for your
>> requested policy.
>> The key word you stated being "also" ...
>>
>>>
>>> The requests were sent to par-std cache_peer
>>>
>>> cache_peer 192.10.10.22 parent 3128 0 no-query login=PASS proxy-only no-digest name=par-std
>>> cache_peer 192.10.10.22 parent 80 0 no-query login=PASS proxy-only no-digest name=par-alt
>>>
>>> cache_peer_access par-alt allow alt-2
>>> cache_peer_access par-alt allow alt
>>> cache_peer_access par-std allow std
>>>
>>>
>>> Is there a way for that to work at all?
>>
>> Unless given some specific selection algorithm (digest, ICP, hashes,
>> carp, roundrobin etc) Squid lists peers in configuration order when
>> attempting to pass traffic.
>>
>> As I said above the key word in your policy statements is "also" - with
>> both peers *available* for use Squid will pick the first one that works.
>> With par-std being listed first your logs will show it being used until
>> such time as it becomes unresponsive or overloaded. Then par-alt will
>> pick up the slack for that one domain.
>>
>> I think you are looking at the logs and seeing only par-std, thinking
>> it's not working when actually it is. You can test by changing the order
>> of cache_peer definitions in your config and seeing the preferred peer
>> switch to the par-alt when the new ACL is added.
>>
>> NOTE: you cannot send a request via *both* using TCP unicast links, just one.
>>
>> Amos
>>

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Received on Tue Jul 31 2012 - 15:11:50 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 31 2012 - 12:00:02 MDT
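
Added example, not part of the original thread and not Squid's own code: a simplified Python model of peer selection for the two configurations discussed above. It assumes each peer's cache_peer_access list is evaluated first-match (with the implicit default being the opposite of the last line) and that eligible peers are tried in cache_peer definition order, as described in the quoted reply; function names are hypothetical and the hostnames other than abc.intracomp.com are constructed.

```python
import re

# Constructed model of the thread's three ACLs.
ACLS = {
    "alt":   lambda h: dstdomain(h, ".fa-intracomp.net"),
    "std":   lambda h: dstdomain(h, ".intracomp.com"),
    # dstdom_regex -i: unanchored, case-insensitive regex search
    "alt-2": lambda h: re.search(r"abc.intracomp.com", h, re.I) is not None,
}

def dstdomain(host, pattern):
    """A leading dot matches the domain itself and any subdomain."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def peer_allows(rules, host):
    """First matching cache_peer_access line wins; with no match the
    result is the opposite of the last line's action (assumed model)."""
    for action, acl in rules:
        if ACLS[acl](host):
            return action == "allow"
    return rules[-1][0] == "deny" if rules else True

def candidates(peers, host):
    """Peers eligible for host, in cache_peer definition order."""
    return [name for name, rules in peers if peer_allows(rules, host)]

# Config from the question: abc.intracomp.com is eligible for both peers,
# so the first one defined (par-std) is tried first.
ORIGINAL = [
    ("par-std", [("allow", "std")]),
    ("par-alt", [("allow", "alt-2"), ("allow", "alt")]),
]
# Config from the reply: the explicit deny removes par-std for that host.
WITH_DENY = [
    ("par-std", [("deny", "alt-2"), ("allow", "std")]),
    ("par-alt", [("allow", "alt-2"), ("allow", "alt")]),
]

if __name__ == "__main__":
    for label, peers in (("original", ORIGINAL), ("with deny", WITH_DENY)):
        for host in ("abc.intracomp.com", "www.intracomp.com", "x.fa-intracomp.net"):
            print(f"{label:10} {host:22} -> {candidates(peers, host)}")
```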