Re: [squid-users] Issue: client_delay_pools and related directives

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 02 May 2014 19:28:51 +1200

On 2/05/2014 10:11 a.m., Laz C. Peterson wrote:
> Hello Eliezer,
>
> Yes, the squid instances run wonderfully. And actually we use
> standard delay_pools with no problems. Only when introducing
> client_delay_pools do the problems start.
>
> Here are the results of “squid -kparse” … Again, this is using Squid
> 3.3.8 on Ubuntu 14.04.
>

<snip>
>
> 2014/05/01 15:08:21| Processing: acl ocr_clinic src 10.3.2-6.101-110/32
> 2014/05/01 15:08:21| Processing: acl ocr_exam src 10.3.2-6.111-120/32
> 2014/05/01 15:08:21| Processing: acl ocr_va src 10.3.2-6.121-130/32
> 2014/05/01 15:08:21| Processing: acl ocr_insurance src 10.3.1.101-10.3.1.110/32 10.3.1.161-10.3.1.170/32
> 2014/05/01 15:08:21| Processing: acl ocr_admin src 10.3.1.121-10.3.1.130/32
> 2014/05/01 15:08:21| Processing: acl ocr_study src 10.3.1.141-142/32
> 2014/05/01 15:08:21| Processing: acl ocr_testing src 10.3.2-6.81-90/32
> 2014/05/01 15:08:21| Processing: acl ocr_doctor_personal src 10.3.1-6.231-240/32
> 2014/05/01 15:08:21| Processing: acl ocr_doctor_systems src 10.3.2-6.131-135/32
> 2014/05/01 15:08:21| Processing: acl ocr_dhcp src 10.3.1-6.201-230/32

These above lines contain invalid IP address ranges.

The ACL value format is: start [ '-' end ] [ '/' mask ]

Squid parses those using the operating system resolver which accepts
them silently and produces:

 acl ocr_clinic src 10.3.0.2-6.0.0.101
 acl ocr_exam src 10.3.0.2-6.0.0.111
 acl ocr_va src 10.3.0.2-6.0.0.121
 acl ocr_insurance src 10.3.1.101-10.3.1.110/32 10.3.1.161-10.3.1.170/32
 acl ocr_admin src 10.3.1.121-10.3.1.130/32
 acl ocr_study src 10.3.1.141-0.0.0.142
 acl ocr_testing src 10.3.0.2-6.0.0.81
 acl ocr_doctor_personal src 10.3.0.1-6.0.0.231
 acl ocr_doctor_systems src 10.3.0.2-6.0.0.131
 acl ocr_dhcp src 10.3.0.1-6.0.0.201

Similar thing in:
 acl laz src 10.3.0.1-6.0.0.31

<snip>
> 2014/05/01 15:08:21| Processing Configuration File: /etc/squid3/conf.d/ocr/ocr.access (depth 2)
> 2014/05/01 15:08:21| Processing: http_access allow ocr_gary all
> 2014/05/01 15:08:21| Processing: http_access deny adsites
> 2014/05/01 15:08:21| Processing: http_access deny adregex
> 2014/05/01 15:08:21| Processing: http_access allow laz all
> 2014/05/01 15:08:21| Processing: http_access allow ocr_dhcp all
> 2014/05/01 15:08:21| Processing: http_access allow ocr_study all
> 2014/05/01 15:08:21| Processing: http_access allow ocr_unrest_comps all
> 2014/05/01 15:08:21| Processing: http_access allow ocr_doctor_systems all
> 2014/05/01 15:08:21| Processing: http_access allow ocr_doctor_personal all
> 2014/05/01 15:08:21| Processing: http_access allow ocr_admin all
> 2014/05/01 15:08:21| Processing: http_access allow ocr_chen all
> 2014/05/01 15:08:21| Processing: http_access allow paravis all

NOTE: appending "all" to the end of allow rules for ACL types other than
proxy_auth and external is a useless waste of config loading time and
pre-request ACL processing CPU cycles.

> 2014/05/01 15:08:21| Processing: http_access allow ocr ocr_audiosites
> 2014/05/01 15:08:21| Processing: http_access allow ocr ocr_audio
> 2014/05/01 15:08:21| Processing: http_access allow ocr ocr_white
> 2014/05/01 15:08:21| Processing: http_access deny ocr all
> 2014/05/01 15:08:21| Processing: include /etc/squid3/conf.d/ocr/ocr.dl_bw
> 2014/05/01 15:08:21| Processing Configuration File: /etc/squid3/conf.d/ocr/ocr.dl_bw (depth 2)
> 2014/05/01 15:08:21| Processing: delay_pools 7
> 2014/05/01 15:08:21| Processing: delay_class 1 3
> 2014/05/01 15:08:21| Processing: delay_access 1 allow ocr_unrest_doc
> 2014/05/01 15:08:21| Processing: delay_access 1 allow ocr_chen
> 2014/05/01 15:08:21| Processing: delay_access 1 allow ocr_doctor_personal
> 2014/05/01 15:08:21| Processing: delay_access 1 allow ocr_doctor_systems
> 2014/05/01 15:08:21| Processing: delay_access 1 deny all
> 2014/05/01 15:08:21| Processing: delay_parameters 1 2500000/2500000 2500000/2500000 2500000/2500000
> 2014/05/01 15:08:21| Processing: delay_class 2 3
> 2014/05/01 15:08:21| Processing: delay_access 2 allow ocr_gary
> 2014/05/01 15:08:21| Processing: delay_access 2 deny all
> 2014/05/01 15:08:21| Processing: delay_parameters 2 6200000/6200000 6200000/6200000 6200000/6200000
> 2014/05/01 15:08:21| Processing: delay_class 3 3
> 2014/05/01 15:08:21| Processing: delay_access 3 allow ocr_clinic
> 2014/05/01 15:08:21| Processing: delay_access 3 allow ocr_insurance
> 2014/05/01 15:08:21| Processing: delay_access 3 allow ocr_testing
> 2014/05/01 15:08:21| Processing: delay_access 3 allow ocr_study
> 2014/05/01 15:08:21| Processing: delay_access 3 deny all
> 2014/05/01 15:08:21| Processing: delay_parameters 3 1050000/1050000 1050000/1050000 1050000/1050000
> 2014/05/01 15:08:21| Processing: delay_class 4 3
> 2014/05/01 15:08:21| Processing: delay_access 4 allow ocr_exam
> 2014/05/01 15:08:21| Processing: delay_access 4 allow ocr_va
> 2014/05/01 15:08:21| Processing: delay_access 4 deny all
> 2014/05/01 15:08:21| Processing: delay_parameters 4 420000/420000 420000/420000 420000/420000
> 2014/05/01 15:08:21| Processing: delay_class 5 3
> 2014/05/01 15:08:21| Processing: delay_access 5 allow ocr_dhcp
> 2014/05/01 15:08:21| Processing: delay_access 5 deny all
> 2014/05/01 15:08:21| Processing: delay_parameters 5 800000/800000 800000/800000 800000/800000
> 2014/05/01 15:08:21| Processing: delay_class 6 3
> 2014/05/01 15:08:21| Processing: delay_access 6 allow ocr_admin
> 2014/05/01 15:08:21| Processing: delay_access 6 deny all
> 2014/05/01 15:08:21| Processing: delay_parameters 6 1300000/1300000 1300000/1300000 1300000/1300000
> 2014/05/01 15:08:21| Processing: delay_class 7 3
> 2014/05/01 15:08:21| Processing: delay_access 7 allow paravis
> 2014/05/01 15:08:21| Processing: delay_access 7 deny all
> 2014/05/01 15:08:21| Processing: delay_parameters 7 6200000/6200000 6200000/6200000 6200000/6200000
> 2014/05/01 15:08:21| Processing: include /etc/squid3/conf.d/ocr/ocr.ul_bw
> 2014/05/01 15:08:21| Processing Configuration File: /etc/squid3/conf.d/ocr/ocr.ul_bw (depth 2)
> 2014/05/01 15:08:21| Processing: client_delay_pools 1
> 2014/05/01 15:08:21| Processing: client_delay_access 1 allow all
> 2014/05/01 15:08:21| Processing: client_delay_access 1 deny all

These two above lines contradict each other. The second will never be
applied.
 I also note this is very different from the config you displayed
earlier as not working. Although the effects should be identical in both
configs.

> 2014/05/01 15:08:21| Processing: client_delay_parameters 1 2048 32000
> 2014/05/01 15:08:21| Processing: http_access deny !Safe_ports
> 2014/05/01 15:08:21| Processing: http_access deny CONNECT !SSL_ports
> 2014/05/01 15:08:21| Processing: http_access allow localhost manager
> 2014/05/01 15:08:21| Processing: http_access deny manager

This group of 4 http_access above should be up top above your local
rules. They exist so that CONNECT and known dangerous non-HTTP protocols
do not open security holes through the proxy.

> 2014/05/01 15:08:21| Processing: http_access allow localhost
> 2014/05/01 15:08:21| Processing: http_access deny all
> 2014/05/01 15:08:21| Processing: http_port 3128
> 2014/05/01 15:08:21| Processing: coredump_dir /var/spool/squid3
> 2014/05/01 15:08:21| Processing: refresh_pattern ^ftp: 1440 20% 10080
> 2014/05/01 15:08:21| Processing: refresh_pattern ^gopher: 1440 0% 1440
> 2014/05/01 15:08:21| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> 2014/05/01 15:08:21| Processing: refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> 2014/05/01 15:08:21| Processing: refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
> 2014/05/01 15:08:21| Processing: refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-store ignore-private
> 2014/05/01 15:08:21| Processing: refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-store ignore-private

From the ACL names it looks like you have a few medical systems behind
this proxy?
 Please take extreme care with the use of ignore-private,
ignore-no-store, and override-expire on content to/from those systems.

I have seen and heard about medical screwups (wrong prescriptions, wrong
diagnosis, and patient record mixups) caused by proxies caching
medically relevant information in direct contravention of the cache
control headers emitted by medical related software.
 The .tif* and .bin file formats in particular are used for some medical
scan data due to resolution quality.

> 2014/05/01 15:08:21| Processing: refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> 2014/05/01 15:08:21| Processing: refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> 2014/05/01 15:08:21| Processing: refresh_pattern . 0 40% 40320
> 2014/05/01 15:08:21| WARNING: use of 'override-expire' in 'refresh_pattern' violates HTTP
> 2014/05/01 15:08:21| WARNING: use of 'ignore-no-store' in 'refresh_pattern' violates HTTP
> 2014/05/01 15:08:21| WARNING: use of 'ignore-private' in 'refresh_pattern' violates HTTP
>

Amos
Received on Fri May 02 2014 - 07:29:02 MDT
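The reply above says the `src` ACL value grammar is `start [ '-' end ] [ '/' mask ]` and that shorthand like `10.3.2-6.101-110/32` is handed to the OS resolver, which accepts it silently and yields something other than what was meant. The following is an added example, not Squid's own parser: a strict checker that rejects any value whose start or end is not a full dotted quad, plus an expander that rewrites per-octet shorthand into values that satisfy the documented grammar. The expansion assumes the operator intended per-octet ranges (third octet 2..6, fourth octet 101..110 for the first quoted line); that reading of the intent is an assumption, not something the thread confirms. The `SAMPLE` lines are constructed from the acl lines quoted in the thread.

```python
"""Validate Squid 'acl NAME src ...' values against start[-end][/mask]
and expand per-octet shorthand into values Squid will read as intended.

Added example, not Squid code. Expanding '10.3.2-6.101-110' as "third
octet 2..6, fourth octet 101..110" is an assumption about operator intent.
"""
import ipaddress
import itertools
import re

_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"            # exactly four dotted octets
_VALUE = re.compile(
    rf"^(?P<start>{_QUAD})(?:-(?P<end>{_QUAD}))?(?:/(?P<mask>\d{{1,2}}))?$"
)
_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")   # 'n' or 'lo-hi'


def parse_src_value(value):
    """Return (start, end, mask) for one value, or raise ValueError.

    Both sides of '-' must be four dotted octets, so a shorthand such as
    '10.3.2' is refused here instead of being read as some other address.
    """
    m = _VALUE.match(value)
    if not m:
        raise ValueError(f"not start[-end][/mask] with full dotted quads: {value!r}")
    start = ipaddress.IPv4Address(m["start"])          # rejects octets > 255
    end = ipaddress.IPv4Address(m["end"]) if m["end"] else start
    mask = int(m["mask"]) if m["mask"] else 32
    if mask > 32:
        raise ValueError(f"mask out of range: {value!r}")
    if end < start:
        raise ValueError(f"end precedes start: {value!r}")
    return start, end, mask


def expand_octet_ranges(shorthand):
    """Expand 'a.b.c1-c2.d1-d2[/mask]' into valid start-end[/mask] values.

    Any octet may be a single number or a lo-hi range. The first three
    octets are enumerated (one output value per combination); the fourth
    becomes the start-end of each value. Every output passes parse_src_value.
    """
    addr, _, mask = shorthand.partition("/")
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"need four octets: {shorthand!r}")
    spans = []
    for part in parts:
        m = _OCTET.match(part)
        if not m:
            raise ValueError(f"bad octet {part!r} in {shorthand!r}")
        lo, hi = int(m[1]), int(m[2] or m[1])
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range {part!r} out of order or > 255")
        spans.append(range(lo, hi + 1))
    out = []
    for a, b, c in itertools.product(*spans[:3]):
        lo, hi = spans[3][0], spans[3][-1]
        value = f"{a}.{b}.{c}.{lo}"
        if hi != lo:
            value += f"-{a}.{b}.{c}.{hi}"
        if mask:
            value += f"/{mask}"
        parse_src_value(value)      # emitted values must satisfy the grammar
        out.append(value)
    return out


def check_acl_lines(lines):
    """Return (acl_name, value, error) for each bad value in 'acl X src ...' lines."""
    problems = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "acl" or tok[2] != "src":
            continue
        for value in tok[3:]:
            try:
                parse_src_value(value)
            except ValueError as exc:
                problems.append((tok[1], value, str(exc)))
    return problems


# Constructed from the acl lines quoted in the thread.
SAMPLE = [
    "acl ocr_clinic src 10.3.2-6.101-110/32",
    "acl ocr_insurance src 10.3.1.101-10.3.1.110/32 10.3.1.161-10.3.1.170/32",
    "acl ocr_study src 10.3.1.141-142/32",
]

if __name__ == "__main__":
    for name, value, err in check_acl_lines(SAMPLE):
        print(f"{name}: {err}")
        print("  rewrite as:", " ".join(expand_octet_ranges(value)))
```

Running it against a squid.conf before `squid -k parse` catches the shorthand that the resolver would otherwise accept without complaint; the expander's output can be pasted back into the acl line as multiple values, since `src` takes a list.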
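The reply makes three separate points about rule ordering: `client_delay_access 1 allow all` followed by `deny all` leaves the second rule unreachable; a trailing `all` on allow rules whose ACLs are not `proxy_auth` or `external` is wasted work; and the four default `http_access` safety rules must sit above the local allow rules. Squid's own log at the end also warns about `override-expire`, `ignore-no-store` and `ignore-private`. Below is an added example, not Squid code, that checks a squid.conf for all four in one pass. The `SAMPLE` config is constructed to mirror the shape of the quoted log (the `acl` definitions for `ocr_gary` and `ocr` are invented for the example, since the thread does not show them).

```python
"""Lint squid.conf access rules for the ordering mistakes called out above.

Added example, not Squid code. Reports:
  - a default safety rule placed after a site-specific http_access allow,
  - rules unreachable after an earlier 'allow all' / 'deny all' on the same
    directive (and pool number),
  - a trailing 'all' on an allow rule with no proxy_auth/external ACL,
  - refresh_pattern options that Squid itself logs as violating HTTP.
"""

# The default rules Squid ships ahead of local policy (quoted in the thread).
SAFETY_RULES = {
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!SSL_ports"),
    ("allow", "localhost", "manager"),
    ("deny", "manager"),
}
AUTH_ACL_TYPES = {"proxy_auth", "external"}
HTTP_VIOLATIONS = {"override-expire", "ignore-no-store", "ignore-private"}


def lint(lines):
    """Return [(line_number, message), ...] for the given config lines."""
    findings = []
    acl_types = {}          # ACL name -> ACL type, from 'acl NAME TYPE ...'
    terminal = {}           # rule key -> line number of its catch-all 'all'
    first_local_allow = None
    for lineno, raw in enumerate(lines, 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        directive = tok[0]
        if directive == "acl" and len(tok) >= 3:
            acl_types[tok[1]] = tok[2]
            continue
        if directive == "refresh_pattern":
            bad = HTTP_VIOLATIONS.intersection(tok)
            if bad:
                findings.append((lineno, f"refresh_pattern uses {sorted(bad)}, which violates HTTP"))
            continue
        if directive == "http_access" and len(tok) >= 3:
            key, action, acls = ("http_access",), tok[1], tok[2:]
            if tuple(tok[1:]) in SAFETY_RULES:
                if first_local_allow is not None:
                    findings.append((lineno, f"default safety rule sits below the local allow on line {first_local_allow}; move it above"))
            elif action == "allow" and first_local_allow is None:
                first_local_allow = lineno
        elif directive.endswith("_access") and len(tok) >= 4 and tok[1].isdigit():
            # delay_access / client_delay_access: '<directive> <pool> <action> <acls...>'
            key, action, acls = (directive, tok[1]), tok[2], tok[3:]
        else:
            continue
        if key in terminal:
            findings.append((lineno, f"unreachable: line {terminal[key]} already matches every request"))
            continue
        if acls == ["all"]:
            terminal[key] = lineno
        elif action == "allow" and acls[-1] == "all" and not any(
            acl_types.get(a.lstrip("!")) in AUTH_ACL_TYPES for a in acls[:-1]
        ):
            findings.append((lineno, "trailing 'all' on an allow rule with no proxy_auth/external ACL is redundant"))
    return findings


# Constructed to mirror the quoted config; acl definitions are invented.
SAMPLE = r"""
acl laz src 10.3.0.1-6.0.0.31
acl ocr_gary src 10.3.1.50
acl ocr src 10.3.0.0/16
acl Safe_ports port 80 443
acl SSL_ports port 443
http_access allow ocr_gary all
http_access allow laz all
http_access deny ocr all
delay_pools 1
delay_class 1 3
delay_access 1 allow ocr_gary
delay_access 1 deny all
client_delay_pools 1
client_delay_access 1 allow all
client_delay_access 1 deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern . 0 40% 40320
""".strip().splitlines()

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print(f"line {lineno}: {msg}")
```

The safety-rule check keys on the exact default rule text, so a site that has renamed `Safe_ports` or `SSL_ports` would need `SAFETY_RULES` adjusted; the unreachable-rule check is per directive and per pool number, which is why `delay_access 1 deny all` does not affect `client_delay_access 1`.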
