always_direct?

Clifton Royston

Dec 13, 1999, 3:00:00 AM
to Roddy Strachan
On Fri, Dec 10, 1999 at 04:27:08PM +1100, Roddy Strachan wrote:
> > This causes Squid to go direct for any request for the server
> > www.satlink.com.au, as you intended. However, it sounds like you have
> > other web servers that you want included in your definition of "local
> > servers"; you can cover your whole Class C address:
> >
> > acl local-servers dst xxx.yyy.zzz.aaa/255.255.255.0
>
> Hi,
> Kendall, legend ;), thanks mate it's working a treat.

There's a "gotcha" on this. If Squid starts getting busy, since it
gets DNS lookups by name, it will not have time to complete them, and
therefore if it gets requests for a virtual server you run locally
it'll fetch them and cache them before realizing they're local.

Ideally, you also need a series of other acls, like:
acl local-domains dstdomain www.mydomain1.com.au
acl local-domains dstdomain www.mydomain2.org
etc.

And if someone moves a domain to your site, you would want to also
purge any old data you've already got cached for that domain, which
AFAIK there is no single command to do.

I'm still figuring out how to best handle this - we've got 600+ domains
hosted here, with some moving on or off our network almost daily, and
it would be a colossal pain to maintain all that by hand, but an equal
one to have stale data cached or be caching unnecessarily for web sites
we host here. How do other mid-sized ISPs handle this?
-- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- clif...@lava.net
"An absolute monarch would be absolutely wise and good.
But no man is strong enough to have no interest.
Therefore the best king would be Pure Chance.
It is Pure Chance that rules the Universe;
therefore, and only therefore, life is good." - AC


Henrik Nordstrom

Dec 13, 1999, 3:00:00 AM
to Clifton Royston
Clifton Royston wrote:

> There's a "gotcha" on this. If Squid starts getting busy, since it
> gets DNS lookups by name, it will not have time to complete them, and
> therefore if it gets requests for a virtual server you run locally
> it'll fetch them and cache them before realizing they're local.

Not on always_direct. It is a fullblown ACL check.

cache_peer_access and no_cache is another issue however. Both are
utterly unreliable if you rely on DNS data.

If you need DNS data in no_cache then I have a patch which makes it
perform a full blown ACL check capable of waiting for DNS data or
whatever may be required.

--
Henrik Nordstrom
Squid hacker
http://hem.passagen.se/hno/squid/


Kendall Lister

Dec 13, 1999, 3:00:00 AM
to Clifton Royston
On Fri, 10 Dec 1999, Clifton Royston wrote:

> > > acl local-servers dst xxx.yyy.zzz.aaa/255.255.255.0
>
> There's a "gotcha" on this. If Squid starts getting busy, since it
> gets DNS lookups by name, it will not have time to complete them, and
> therefore if it gets requests for a virtual server you run locally
> it'll fetch them and cache them before realizing they're local.

Good point. It might be best to catch these requests before they even get
to Squid - if you're running transparent proxying you can add in rules to
let your local net avoid the redirection, or if you are using proxy
auto-configuration your proxy.pac function could check to see whether each
request is local or not:

function FindProxyForURL(url, host) {
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".satlink.com.au") ||
        dnsDomainIs(host, ".local1.net.au") ||
        dnsDomainIs(host, ".local2.com.au") ||
        dnsDomainIs(host, ".local3.org.au")) {
        return "DIRECT";
    }
    else if (url.substring(0, 5) == "http:" ||
             url.substring(0, 4) == "ftp:" ||
             url.substring(0, 6) == "https:") {
        return "PROXY proxy.satlink.com.au:3128; DIRECT";
    }
    else {
        return "DIRECT";
    }
}

This might be a feasible solution.

The problem of managing all these entries, whether they are in squid.conf
or somewhere else, can be solved by having a tiny script that builds your
squid.conf from several pieces:

#!/bin/sh
cat squid.conf.top hosted_domain_acls squid.conf.bottom > squid.conf

Then you have a file that contains only your hosted domains, and a simple
command to reconstruct your squid.conf whenever it changes.

Sorry for the length of this post - hope it helps someone.

--
Kendall Lister, Systems Operator for Charon I.S. - ken...@charon.net.au
Charon Information Services - Friendly, Cheap Melbourne ISP: 9589 7781
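
The build-from-pieces approach in the post above, extended as an added example (not code from the thread): the hosted-domain file holds bare names, the script generates the dstdomain ACL lines from it, rejects malformed entries, and replaces squid.conf only when the whole build succeeds. The hosted_domains file format and the function names are assumptions; the ACL name local-domains is taken from earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. The hosted_domains file (one name
# per line) and all function names are assumptions.

# Accept only a plausible hostname (a leading dot, Squid's subdomain match,
# is allowed) so a stray line cannot add tokens or directives to squid.conf.
valid_domain() {
    case "$1" in
        ''|*.|-*|*-|*..*|*.-*|*-.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Print one dstdomain ACL line per entry in file $1; '#' comments and blank
# lines are skipped. Returns non-zero if any entry was rejected.
gen_acls() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        dom=$(printf '%s\n' "$line" |
            sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$dom" ] || continue
        if valid_domain "$dom"; then
            printf 'acl local-domains dstdomain %s\n' "$dom"
        else
            printf 'rejected entry: %s\n' "$line" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# build_conf TOP DOMAINS BOTTOM OUT: assemble into a temp file beside OUT and
# rename it into place only if every step, validation included, succeeded.
build_conf() {
    tmp=$(mktemp "$4.XXXXXX") || return 1  # mode 0600; chmod to suit your setup
    if cat "$1" > "$tmp" && gen_acls "$2" >> "$tmp" && cat "$3" >> "$tmp"; then
        mv "$tmp" "$4"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage: sh build-squid-conf.sh squid.conf.top hosted_domains squid.conf.bottom squid.conf
if [ "$#" -eq 4 ]; then
    build_conf "$@"
fi
```

After a successful build, `squid -k reconfigure` makes the running Squid reread the file.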


Roddy Strachan

Dec 13, 1999, 3:00:00 AM
to Squid Users List
Hi,
Ok thanks Hendrik for the pointers on this command, I have in
there:

acl local-servers dstdomain www.satlink.com.au
always_direct allow local-servers

Now that will look to the local server for the file, as we don't cache any
of our sites using the no_cache option, we have the class of /24 so it
won't cache them, is there any way to have it in always_direct as
this? Rather than having to put in all our local sites? Or is there an
easier way than what I am looking at?

Ta


---------------------------------------------------------------------
Roddy Strachan Email - ro...@satlink.com.au
Network/Systems Administrator ICQ - 1987890
Satlink Internet Services Ph. - +61-3-9775-2600
www.straks.satlink.com.au Fax. - +61-3-9775-2456
---------------------------------------------------------------------


Roddy Strachan

Dec 13, 1999, 3:00:00 AM
to Kendall Lister
> This causes Squid to go direct for any request for the server
> www.satlink.com.au, as you intended. However, it sounds like you have
> other web servers that you want included in your definition of "local
> servers"; you can cover your whole Class C address:
>
> acl local-servers dst xxx.yyy.zzz.aaa/255.255.255.0

Hi,
Kendall, legend ;), thanks mate it's working a treat.

Richard Archer

Dec 13, 1999, 3:00:00 AM
to Roddy Strachan, Squid Users List
At 14:28 +1100 10/12/99, Roddy Strachan wrote:

>we have the class of /24 so it
>won't cache them, is there any way to have it in always_direct as
>this? Rather than having to put in all our local sites?

You can force squid to go direct to all servers in your C with:

acl local-net dst 203.19.222.0/255.255.255.0
always_direct allow local-net

Be aware though that this makes squid perform a DNS lookup on all queries,
as it needs to convert the hostname from the URL into an IP address so it
can compare it with local-net. This can slow things down considerably if
DNS is slow (and it often is from Oz).

You can avoid the lookups by specifying all hosts in your C in an
'acl X dstdomain xxx.satlink.com.au' line.

Note that the 'acl X dstdom_regex -i satlink.com.au' option can make this
a little less tedious, but locally hosted domains all need to be specified
individually.

...R.

Kendall Lister

Dec 13, 1999, 3:00:00 AM
to Roddy Strachan
On Fri, 10 Dec 1999, Roddy Strachan wrote:

> Ok thanks Hendrik for the pointers on this command, I have in there:
>
> acl local-servers dstdomain www.satlink.com.au
> always_direct allow local-servers
>
> Now that will look to the local server for the file, as we don't cache
> any of our sites using the no_cache option, we have the class of /24
> so it won't cache them, is there any way to have it in always_direct as
> this? Rather than having to put in all our local sites? Or is there
> an easier way than what I am looking at?

This causes Squid to go direct for any request for the server
www.satlink.com.au, as you intended. However, it sounds like you have
other web servers that you want included in your definition of "local
servers"; you can cover your whole Class C address:

acl local-servers dst xxx.yyy.zzz.aaa/255.255.255.0

Check the default squid.conf for plenty of examples.
