Dan Moore
Wed, 26 Dec 2007 10:13:46 -0800
Hi folks,
Is there any way to tell squid to cache all requests for a page, except for any pages that are requested by a user with a certain cookie?
I am using Squid 2.6, stable 17. I am trying to set up a reverse proxy to accelerate a client's website. After reading the conf file and the ReverseProxy faq page, I have it almost set up correctly. (This is my first squid installation.) I can see squid caching requests and the files in the cache directory being written.
It's a simple configuration, with just one squid proxy in front of one application server (Apache/Tomcat combination, which uses apache virtual hosts), although if this works well in dealing with load, we might use more than one proxy.
There are certain urls (like the login/logout response pages) that should never be cached. I can do that with this line in the squid.conf:
    acl LOGOUT_LOGIN_REQUEST urlpath_regex Login.do
    cache deny LOGOUT_LOGIN_REQUEST
However, when a user is logged in, I don't want to cache anything--for that user.
Originally, I was using
    acl LOGGEDIN_SESS req_header Cookie [[:space:]]l=
    cache deny LOGGEDIN_SESS
Where the cookie with the name 'l' indicates a user has logged in. (There's another cookie that indicates that a user has logged in as well.)
However, while this works, it appears to remove any pages the user visits from the cache (for everyone else) as well. That's not what I intended, but on reading the docs, it seems entirely reasonable: this ACL "cause[s] the request to not be satisfied from the cache and the reply to not be cached."
A bit more searching revealed the always_direct header, which I can use to force squid to direct certain requests to the origin server.
    acl LOGGEDIN_SESS req_header Cookie [[:space:]]l=
    always_direct allow LOGGEDIN_SESS
I thought that would work, as always sending the request to the origin server is exactly what I wanted. However, I'm getting a 504 error in the browser when a user is logged in and requests a page. In the access log, I see this: "TCP_CLIENT_REFRESH_MISS:DIRECT" in the access logs. According to http://wiki.squid-cache.org/SquidFaq/SquidLogs, 'DIRECT' means that "The object was fetched from the origin server". But it was not returned to the user. However, the parent does not show the request in its logs, even though it is specified as the 'originserver' in the cache_peer line.
Should I turn on any particular debugging? I turned on all debugging to level 8, and saw this message in the logs (twice):
    2007/12/26 10:37:51| WARNING: Forwarding loop detected for:
    2007/12/26 10:37:51| storeCreateEntry: 'http://stage.chfops.net/'
Googling on that error message revealed that this message happens whenever Squid sees the same request twice. I theorize that squid gets the request for stage.chfops.net, views the request header, sees that it should direct to the origin server, and directs to stage.chfops.net (rather than reading in the cache_peer line that says that the origin server is 65.xxx.xxx.xxx and forwarding to that server), which is how the loop happens.
I read through the FAQ pages and didn't see anything that seemed to apply, except for the always_direct directive. I googled for always_direct and "reverse proxy" but didn't see anything. Same results with searching the squid-users list.
Any ideas or pointers would be appreciated. If what I want to do just can't be done, I'd appreciate knowing that too.
Thanks for any pointers,
Dan
PS Below is the full text of my squid.conf, configured such that logged in users get the 504 error (comments, whitespace removed).
--------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl our_sites dstdomain stage.chfops.net
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_sites
http_access deny all
icp_access allow all
http_port 80 accel vhost
cache_peer 65.38.188.180 parent 80 0 no-query originserver login=PASS
hierarchy_stoplist cgi-bin ?
acl GWT_RPC urlpath_regex /rs/
cache deny GWT_RPC
acl WRITE_REQUESTS urlpath_regex /rw/
cache deny WRITE_REQUESTS
acl REG_WRITE_REQUESTS urlpath_regex Register.do
cache deny REG_WRITE_REQUESTS
acl LOGOUT_LOGIN_REQUEST urlpath_regex Login.do
cache deny LOGOUT_LOGIN_REQUEST
cache_mem 200 MB
maximum_object_size_in_memory 160 KB
cache_dir ufs /var/cache/squid/cache 3500 16 256
logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
debug_options ALL,1 20,9
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_effective_user nobody
acl LOGGEDIN_PERS req_header Cookie [[:space:]]Password=
always_direct allow LOGGEDIN_PERS
acl LOGGEDIN_SESS req_header Cookie [[:space:]]l=
always_direct allow LOGGEDIN_SESS
coredump_dir /var/spool/squid
--------------
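An added check, not part of the original post: the two Cookie patterns from the req_header ACLs above, run through grep -E over constructed Cookie values, assuming the ACL regex is a POSIX extended regex tested against the header value alone. A logged-in request whose cookie sits first in the header (or follows ';' with no space) is not matched, so it would be handled like an anonymous one; ANCHORED_RE is a hypothetical variant, not from the post.

```shell
#!/bin/sh
# Added example: which Cookie header values do the post's ACL regexes match?

# Patterns copied verbatim from the req_header ACLs in the post's squid.conf.
SESS_RE='[[:space:]]l='
PERS_RE='[[:space:]]Password='
# Hypothetical variant (not from the post): also accept the cookie at the
# start of the value or directly after a ';' separator.
ANCHORED_RE='(^|[;[:space:]])(l|Password)='

# matches REGEX VALUE: succeeds if the POSIX extended regex matches VALUE.
# Assumption: the ACL regex is tested against the header value only.
matches() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# classify VALUE: prints "match" if either of the post's patterns hits,
# i.e. the request would be treated as coming from a logged-in user.
classify() {
    if matches "$SESS_RE" "$1" || matches "$PERS_RE" "$1"; then
        echo match
    else
        echo no-match
    fi
}

# Constructed Cookie header values (not taken from real traffic).
report() {
    while IFS= read -r cookie; do
        printf '%-9s %-9s %s\n' "$(classify "$cookie")" \
            "$(matches "$ANCHORED_RE" "$cookie" && echo match || echo no-match)" \
            "$cookie"
    done <<'EOF'
JSESSIONID=abc123; l=1
l=1; JSESSIONID=abc123
JSESSIONID=abc123;l=1
JSESSIONID=abc123; lang=en
Password=x; JSESSIONID=abc123
EOF
}

# Columns: post's patterns, anchored variant, Cookie value.
report
```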