Re: [squid-users] cache_peer selection
On 13/05/2023 2:53 am, Alex Rousskov wrote:
> On 5/12/23 07:28, Alexeyяр Gruzdov wrote:
>> Hello Guys!
>>
>> Thank you for your help that was before!
>>
>> Could you explain something -
>>
>> For example I have a five cache_peer servers
>> peer1
>> peer2
>> peer3
>> peer4
>>
>> And users like:
>> User-100
>> User-101
>>
>> For forwarding requests over existing cache_peer I use an external ACL and "note" option - all works well.
>>
>> Now I'd like to implement the next logic:
>> This is something like a failover of specified cache_peers for specified user.

One trick I use is to list each cache_peer twice (like: A1, B1, C1, A2, B2, C2). Just use a different name= parameter for each cache_peer line.

That way I can "loop" the order when I want A,B to be a failover from C. Like this: C1, A2, B2.

HTH
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] cache_peer selection
On 5/12/23 07:28, Alexeyяр Gruzdov wrote:
> Hello Guys!
>
> Thank you for your help that was before!
>
> Could you explain something -
>
> For example I have a five cache_peer servers
> peer1
> peer2
> peer3
> peer4
>
> And users like:
> User-100
> User-101
>
> For forwarding requests over existing cache_peer I use an external ACL and "note" option - all works well.
>
> Now I'd like to implement the next logic:
> This is something like a failover of specified cache_peers for specified user.

If your external ACL can tell whether the peer has "failed", then the external ACL can annotate the transaction not to use that failed peer. Otherwise, what you want may be possible using complex ACL tricks, but I am not sure, and do not have the time to explain/test those tricks. In short, you would need to create ACLs that detect peer selection stage[1] and select a different peer during different stages.

[1] https://wiki.squid-cache.org/Features/LoadBalance#go-through-a-peer

FWIW, dynamic peer selection with failover preference support is a known missing feature. Factory has implemented that feature[2], but we need more time to polish and submit our implementation for the official Squid Project consideration. With that feature, there is no need for the complex ACLs mentioned above because the ACL script simply tells Squid which peers to use for the transaction, in which failover order.

[2] https://github.com/measurement-factory/squid/pull/169

> For example:
> We send User-100 over peer1, if peer1 is failed - that User-100 must go over peer2.

Without code modifications, the above example will work because Squid will prefer peer1 to peer2, assuming that, in squid.conf, the cache_peer directive for peer1 is listed higher/earlier than that for peer2.

> For User-101 - something like - primary will be peer4, if it's failed User-101 must go over peer3.

However, this example will _not_ work by default, for the same reason: When both peers are alive, Squid will prefer peer3 over peer4.

HTH,

Alex.

> it's something like primary and multiple of backup of cache_peer etc
>
> Thank you !
> Alexg
[squid-users] cache_peer selection
Hello Guys!

Thank you for your help that was before!

Could you explain something -

For example I have a five cache_peer servers
peer1
peer2
peer3
peer4

And users like:
User-100
User-101

For forwarding requests over existing cache_peer I use an external ACL and "note" option - all works well.

Now I'd like to implement the next logic:
This is something like a failover of specified cache_peers for specified user.

For example:
We send User-100 over peer1, if peer1 is failed - that User-100 must go over peer2.
For User-101 - something like - primary will be peer4, if it's failed User-101 must go over peer3.

it's something like primary and multiple of backup of cache_peer etc

Thank you !
Alexg
Re: [squid-users] cache_peer selection based on username
Hey Amos,

Thanks, I fixed the keys with the proper "_" character. Seems like I was in a hurry and made some config mistakes, "proxy0.2" and "proxy0.3" are supposed to be "proxy1" and "proxy2".

Regarding the helper, I also forgot to mention, I am using 2 helpers, one for IP whitelisting and one for username authentication. In the example I provided I am using IP whitelisting, the naming is wrong, please see the fixed config.

acl mynote1 note mykey_ note1
acl mynote2 note mykey_ note2

external_acl_type IP_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
acl whitelisted_IP external IP_whitelist_external
http_access allow whitelisted_IP

nonhierarchical_direct off
never_direct allow all
cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
cache_peer_access proxy1 allow mynote1
cache_peer_access proxy1 deny all
cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
cache_peer_access proxy2 allow mynote2
cache_peer_access proxy2 deny all

Then, on the external helper, I return one of these two:

OK mykey=note1
OK mykey=note2

For the authentication helper, I did not look into it but contrary to my belief it seems auth_param does not support defined keywords, so I guess I will have to follow your advice by adding %un to my user_whitelist_external helper. Is there any way to do this with auth_param? What exactly do you mean to send it as a group name?

Roee.

On Tue, Jan 12, 2021 at 11:59 AM Amos Jeffries wrote:

> On 12/01/21 9:17 pm, Eliezer Croitoru wrote:
> > Hey Amos,
> >
> > One thing that the auth helper cannot do with this note is the ttl.
> > The auth ttl is different than the request IP binding/routing.
>
> That can be added in via the key_extras detail.
>
> Though I am still worried that the OP *only* asked about routing by
> "username" then their apparently working solution has nothing to do with
> users or usernames at all.
>
> Amos
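The approach suggested in the threads on this page (Amos: pass %un to the helper; Alex Rousskov: let the external ACL skip a peer it knows has failed), sketched as a Python stand-in for script.sh. This is an added example, not code from any poster or from the Squid project; the PREFERENCES table, the peer addresses, the peer_ note key, the ACL names and the helper path are assumptions, and helper concurrency is assumed to be off.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: per-user peer choice with failover (added example).

Assumed squid.conf wiring; helper path and ACL names are illustrative:

    external_acl_type user_route ttl=3 children-max=20 %un /usr/local/bin/route_helper.py
    acl routed external user_route
    http_access allow routed          # after the rules that authenticate the user
    acl use_peer1 note peer_ peer1
    cache_peer_access peer1 allow use_peer1
    cache_peer_access peer1 deny all  # repeat these lines for every peer name
"""
import socket
import sys
from urllib.parse import unquote

# Constructed sample data: peers per user in failover order, primary first.
PREFERENCES = {
    "User-100": ["peer1", "peer2"],
    "User-101": ["peer4", "peer3"],
}

# Constructed addresses (documentation range); use the real cache_peer hosts.
PEER_ADDRESSES = {
    "peer1": ("192.0.2.1", 3128),
    "peer2": ("192.0.2.2", 3128),
    "peer3": ("192.0.2.3", 3128),
    "peer4": ("192.0.2.4", 3128),
}


def tcp_alive(peer, timeout=0.5):
    """Default health check: can a TCP connection to the peer be opened?"""
    try:
        with socket.create_connection(PEER_ADDRESSES[peer], timeout=timeout):
            return True
    except OSError:
        return False


def choose_peer(user, is_alive):
    """Return the first live peer in the user's preference list, or None."""
    for peer in PREFERENCES.get(user, []):
        if is_alive(peer):
            return peer
    return None


def answer(line, is_alive=tcp_alive):
    """Map one request line (the %un field) to one helper response line."""
    fields = line.split()
    # Exactly one field is expected; "-" is treated here as "no user name".
    if len(fields) != 1 or fields[0] == "-":
        return "ERR"
    user = unquote(fields[0])  # assumes Squid's URL-escaped helper input
    peer = choose_peer(user, is_alive)
    if peer is None:
        # Fail closed: unknown user or no live peer, so the ACL does not match.
        return "ERR"
    # The key ends in "_", which the thread says is reserved for custom keys.
    return f"OK peer_={peer}"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

Squid caches each helper answer for the ttl on the external_acl_type line, so with ttl=300 as in the posted config a failed peer could stay selected for up to five minutes; the short ttl above follows Eliezer's point about low TTLs.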
Re: [squid-users] cache_peer selection based on username
On 12/01/21 9:17 pm, Eliezer Croitoru wrote:
> Hey Amos,
>
> One thing that the auth helper cannot do with this note is the ttl.
> The auth ttl is different than the request IP binding/routing.

That can be added in via the key_extras detail.

Though I am still worried that the OP *only* asked about routing by "username" then their apparently working solution has nothing to do with users or usernames at all.

Amos
Re: [squid-users] cache_peer selection based on username
Hey Amos,

One thing that the auth helper cannot do with this note is the ttl.
The auth ttl is different than the request IP binding/routing.
With separated auth and external_acl helper you can change/apply a note/rule/acl in a lower ttl ie 3 seconds which can be critical to some applications.
If one ip goes down for any reason you can change the routing.

I would have expected for the note to stick if the ttl is either 0 or 1 for the relevant session.
This so we would rely on the helper to be "live" helper per request.
I know that 0-3 is almost the same like 0-5 but some prefer to use 0-1.

Eliezer

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon

-Original Message-
From: squid-users On Behalf Of Amos Jeffries
Sent: Tuesday, January 12, 2021 3:46 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] cache_peer selection based on username

On 11/01/21 8:06 am, roee klinger wrote:
> Thanks, Eliezer, I was able to get it working.
> Here is an example in case anybody runs into this in the future:
>
> acl mynote1 note mykey note1
> acl mynote2 note mykey note2
>

FYI, key names ending with "_" character are reserved for custom keys like this.

> external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh

NP: this does not check for users or authenticated traffic at all. It is only using the client-IP and Squid receiving port number. To meet the earlier stated requirement about authenticated traffic the helper format should contain %un.

The lines below should follow the http_access rules doing authentication checks.

You could also have the helper doing authentication send the notes to Squid. eg as a group name.

> acl whitelisted_users external user_whitelist_external
> http_access allow whitelisted_users
>
> nonhierarchical_direct off
> never_direct allow all
> cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
> cache_peer_access proxy1 allow mynote1
> cache_peer_access proxy0.2 deny all
> cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
> cache_peer_access proxy2 allow mynote2
> cache_peer_access proxy0.3 deny all
>

NP: there is no peer named "proxy0.2" or "proxy0.3" so those deny lines are not doing anything. The only reason this config does what it appears at first glance to do, is that the inverted default for the proxy1 and proxy2 peer access rules default is deny.

>
> Then, on the external helper, I return one of these two:
>
> OK mykey=note1
> OK mykey=note2
>

Amos
Re: [squid-users] cache_peer selection based on username
On 11/01/21 8:06 am, roee klinger wrote:
> Thanks, Eliezer, I was able to get it working.
> Here is an example in case anybody runs into this in the future:
>
> acl mynote1 note mykey note1
> acl mynote2 note mykey note2

FYI, key names ending with "_" character are reserved for custom keys like this.

> external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh

NP: this does not check for users or authenticated traffic at all. It is only using the client-IP and Squid receiving port number. To meet the earlier stated requirement about authenticated traffic the helper format should contain %un.

The lines below should follow the http_access rules doing authentication checks.

You could also have the helper doing authentication send the notes to Squid. eg as a group name.

> acl whitelisted_users external user_whitelist_external
> http_access allow whitelisted_users
>
> nonhierarchical_direct off
> never_direct allow all
> cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
> cache_peer_access proxy1 allow mynote1
> cache_peer_access proxy0.2 deny all
> cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
> cache_peer_access proxy2 allow mynote2
> cache_peer_access proxy0.3 deny all

NP: there is no peer named "proxy0.2" or "proxy0.3" so those deny lines are not doing anything. The only reason this config does what it appears at first glance to do, is that the inverted default for the proxy1 and proxy2 peer access rules default is deny.

> Then, on the external helper, I return one of these two:
>
> OK mykey=note1
> OK mykey=note2

Amos
Re: [squid-users] cache_peer selection based on username
In the next example I wrote a whole setup:
https://github.com/elico/vagrant-squid-outgoing-addresses

Specifically it would look something like:
https://github.com/elico/vagrant-squid-outgoing-addresses/blob/master/shared/note.rb#L82

it's as a line like:
echo "OK x_note=100 ip=100"

Then in squid use an acl like this:
https://github.com/elico/vagrant-squid-outgoing-addresses/blob/9221a73394ced582fec84bc42abfaae3c9a364b3/shared/collect-32-subnet-addresses.rb#L17

ie:
echo "acl #{ip_map[key]} note ip #{acl_name.match(/([0-9]+)/)[1]}" |tee -a /etc/squid/conf.d/acl-to-ip.conf

It's better to run the lab and see the content of the conf files to understand it.
You will need VirtualBox and Vagrant to power up this lab.

Later I might be able to record a video of this but not sure yet about this.

Eliezer

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon

From: roee klinger
Sent: Sunday, January 10, 2021 5:51 PM
To: squid-users@lists.squid-cache.org
Cc: Eliezer Croitoru
Subject: Re: [squid-users] cache_peer selection based on username

So basically I return a note with the "OK" response, which can be any string, for example "100".
Then, I can use "100" as a normal ACL in squid.conf?

Thanks

On Jan 10, 2021, at 17:36, Eliezer Croitoru <ngtech1...@gmail.com> wrote:

You should use a note acl for that.
When you return the whitelisted client you should add a note which can be 1-100 or any other static string.

It works just out of the box.

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon

From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of roee klinger
Sent: Sunday, January 10, 2021 5:33 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] cache_peer selection based on username

Hey,

I am trying to figure out the best way to select cache peers based on the client username, I have read extensively but I cannot figure out the best way to do it.

so far I have:

external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
acl whitelisted_users external user_whitelist_external
http_access allow whitelisted_users

and:

nonhierarchical_direct off
never_direct allow all
cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
cache_peer_access proxy1 allow whitelisted_users
cache_peer_access proxy0.2 deny all
cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
cache_peer_access proxy2 allow whitelisted_users
cache_peer_access proxy0.3 deny all

ideally, script.sh checks if the request is authenticated and if it is, it selects the cache peer to use, is there some kind of way to achieve this with "Defined keywords" to select which cache peer to use or am I looking at this the wrong way?

What would be the best way to accomplish this?
Re: [squid-users] cache_peer selection based on username
Squid provides the acl login or username.
http://www.squid-cache.org/Doc/config/acl/

should have maybe ident.
you will need to include a usernames file which contains them.
I believe a note in a helper should do that better.

Eliezer

On Sun, Jan 10, 2021, 17:33 roee klinger wrote:

> Hey,
>
> I am trying to figure out the best way to select cache peers based on the
> client username, I have read extensively but I cannot figure out the best
> way to do it.
>
> so far I have:
>
> external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
> acl whitelisted_users external user_whitelist_external
> http_access allow whitelisted_users
>
> and:
>
> nonhierarchical_direct off
> never_direct allow all
> cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
> cache_peer_access proxy1 allow whitelisted_users
> cache_peer_access proxy0.2 deny all
> cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
> cache_peer_access proxy2 allow whitelisted_users
> cache_peer_access proxy0.3 deny all
>
> ideally, script.sh checks if the request is authenticated and if it is, it
> selects the cache peer to use, is there some kind of way to achieve this
> with "Defined keywords" to select which cache peer to use or am I looking
> at this the wrong way?
>
> What would be the best way to accomplish this?
Re: [squid-users] cache_peer selection based on username
Thanks, Eliezer, I was able to get it working.
Here is an example in case anybody runs into this in the future:

acl mynote1 note mykey note1
acl mynote2 note mykey note2

external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
acl whitelisted_users external user_whitelist_external
http_access allow whitelisted_users

nonhierarchical_direct off
never_direct allow all
cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
cache_peer_access proxy1 allow mynote1
cache_peer_access proxy0.2 deny all
cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
cache_peer_access proxy2 allow mynote2
cache_peer_access proxy0.3 deny all

Then, on the external helper, I return one of these two:

OK mykey=note1
OK mykey=note2

On Sun, Jan 10, 2021 at 5:36 PM Eliezer Croitoru wrote:

> You should use a note acl for that.
>
> When you return the whitelisted client you should add a note which can be
> 1-100 or any other static string.
>
> It works just out of the box.
>
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
> Zoom: Coming soon
>
> *From:* squid-users *On Behalf Of *roee klinger
> *Sent:* Sunday, January 10, 2021 5:33 PM
> *To:* squid-users@lists.squid-cache.org
> *Subject:* [squid-users] cache_peer selection based on username
>
> Hey,
>
> I am trying to figure out the best way to select cache peers based on the
> client username, I have read extensively but I cannot figure out the best
> way to do it.
>
> so far I have:
>
> external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
> acl whitelisted_users external user_whitelist_external
> http_access allow whitelisted_users
>
> and:
>
> nonhierarchical_direct off
> never_direct allow all
> cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
> cache_peer_access proxy1 allow whitelisted_users
> cache_peer_access proxy0.2 deny all
> cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
> cache_peer_access proxy2 allow whitelisted_users
> cache_peer_access proxy0.3 deny all
>
> ideally, script.sh checks if the request is authenticated and if it is, it
> selects the cache peer to use, is there some kind of way to achieve this
> with "Defined keywords" to select which cache peer to use or am I looking
> at this the wrong way?
>
> What would be the best way to accomplish this?
Re: [squid-users] cache_peer selection based on username
So basically I return a note with the "OK" response, which can be any string, for example "100".
Then, I can use "100" as a normal ACL in squid.conf?

Thanks

> On Jan 10, 2021, at 17:36, Eliezer Croitoru wrote:
>
> You should use a note acl for that.
> When you return the whitelisted client you should add a note which can be
> 1-100 or any other static string.
>
> It works just out of the box.
>
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1...@gmail.com
> Zoom: Coming soon
>
> From: squid-users On Behalf Of roee klinger
> Sent: Sunday, January 10, 2021 5:33 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] cache_peer selection based on username
>
> Hey,
>
> I am trying to figure out the best way to select cache peers based on the
> client username, I have read extensively but I cannot figure out the best way
> to do it.
>
> so far I have:
> external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
> acl whitelisted_users external user_whitelist_external
> http_access allow whitelisted_users
>
> and:
> nonhierarchical_direct off
> never_direct allow all
> cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
> cache_peer_access proxy1 allow whitelisted_users
> cache_peer_access proxy0.2 deny all
> cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
> cache_peer_access proxy2 allow whitelisted_users
> cache_peer_access proxy0.3 deny all
>
> ideally, script.sh checks if the request is authenticated and if it is, it
> selects the cache peer to use, is there some kind of way to achieve this with
> "Defined keywords" to select which cache peer to use or am I looking at this
> the wrong way?
>
> What would be the best way to accomplish this?
Re: [squid-users] cache_peer selection based on username
You should use a note acl for that.
When you return the whitelisted client you should add a note which can be 1-100 or any other static string.

It works just out of the box.

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon

From: squid-users On Behalf Of roee klinger
Sent: Sunday, January 10, 2021 5:33 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] cache_peer selection based on username

Hey,

I am trying to figure out the best way to select cache peers based on the client username, I have read extensively but I cannot figure out the best way to do it.

so far I have:

external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
acl whitelisted_users external user_whitelist_external
http_access allow whitelisted_users

and:

nonhierarchical_direct off
never_direct allow all
cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
cache_peer_access proxy1 allow whitelisted_users
cache_peer_access proxy0.2 deny all
cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
cache_peer_access proxy2 allow whitelisted_users
cache_peer_access proxy0.3 deny all

ideally, script.sh checks if the request is authenticated and if it is, it selects the cache peer to use, is there some kind of way to achieve this with "Defined keywords" to select which cache peer to use or am I looking at this the wrong way?

What would be the best way to accomplish this?
[squid-users] cache_peer selection based on username
Hey,

I am trying to figure out the best way to select cache peers based on the client username, I have read extensively but I cannot figure out the best way to do it.

so far I have:

external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
acl whitelisted_users external user_whitelist_external
http_access allow whitelisted_users

and:

nonhierarchical_direct off
never_direct allow all
cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
cache_peer_access proxy1 allow whitelisted_users
cache_peer_access proxy0.2 deny all
cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
cache_peer_access proxy2 allow whitelisted_users
cache_peer_access proxy0.3 deny all

ideally, script.sh checks if the request is authenticated and if it is, it selects the cache peer to use, is there some kind of way to achieve this with "Defined keywords" to select which cache peer to use or am I looking at this the wrong way?

What would be the best way to accomplish this?
Re: [squid-users] cache_peer selection
Dieter Bloms wrote:
> Hi,
>
> On Wed, Jan 27, Soporte Técnico AlemNet wrote:
>
>> How can i make cache_peer selection for blocks of ip of my network ?
>>
>> Example.
>>
>> 192.168.0.xxx i want to use cache_peer 172.16.1.1
>> 192.168.1.xxx i want to use cache_peer 172.16.1.2
>> 192.168.1.xxx i want to use DIRECT
>
> this has to be done in the browser (not proxy).
> A proxy.pac file may help you.
>
> Have a look at
> http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/web-browser-auto-proxy-configuration.html

No Dieter. Read again.. :)

cache_peer selection by source is done with src type ACLs and cache_peer_access. As described in the FAQ and configuration file documentation

http://wiki.squid-cache.org/SquidFaq/SquidAcl
http://www.squid-cache.org/Doc/config/cache_peer_access/

Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
Current Beta Squid 3.1.0.15
[squid-users] cache_peer selection
How can i make cache_peer selection for blocks of ip of my network ?

Example.

192.168.0.xxx i want to use cache_peer 172.16.1.1
192.168.1.xxx i want to use cache_peer 172.16.1.2
192.168.1.xxx i want to use DIRECT

any help ?
Re: [squid-users] cache_peer selection
Hi,

On Wed, Jan 27, Soporte Técnico AlemNet wrote:

> How can i make cache_peer selection for blocks of ip of my network ?
>
> Example.
>
> 192.168.0.xxx i want to use cache_peer 172.16.1.1
> 192.168.1.xxx i want to use cache_peer 172.16.1.2
> 192.168.1.xxx i want to use DIRECT

this has to be done in the browser (not proxy).
A proxy.pac file may help you.

Have a look at
http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/web-browser-auto-proxy-configuration.html

--
Gruß
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.