> Consider merging multiple cache_peer_access rules for the same
> cache_peer into one rule (using all-of and any-of ACLs).

That is a great tip, thanks!

> You can also outsource peer selection to an external ACL, leaving one
> simple cache_peer_access rule (with a single note ACL) for each
> cache_peer in squid.conf.

Actually, I am already doing this, however, there is still a long list
of cache_peer, cache_peer_access, cache_peer_deny rules, and note ACL
rules, to make sure every user goes to the right place, as you mentioned
this is not a CPU friendly approach either, so I will give serious
thought about modifying the Squid code.

Thank you,
Roee.

On Wed, Dec 22, 2021 at 8:53 PM Alex Rousskov <
rouss...@measurement-factory.com> wrote:

> On 12/22/21 11:56 AM, roee klinger wrote:
>
> > Currently, Squid is a bit problematic when dealing with many
> > cache_peers, it requires a lot of configurations for each cache_peer,
> > which makes the configuration file big and takes a performance toll.
>
> Consider merging multiple cache_peer_access rules for the same
> cache_peer into one rule (using all-of and any-of ACLs).
>
> You can also outsource peer selection to an external ACL, leaving one
> simple cache_peer_access rule (with a single note ACL) for each
> cache_peer in squid.conf.
>
> And with some Squid code modifications, one can even let an external ACL
> select the cache_peer to use without extra cache_peer_access checks.
> This feature would be similar to the existing X-Next-Services routing
> functionality in Squid adaptation code.
>
> Finally, one can invest into optimizing/fixing Squid code to eliminate
> unnecessary repeated cache_peer_access checks, probably saving a lot of
> CPU cycles for Squid instances with many (or complex) cache_peer_access
> rules.
>
>
> Cheers,
>
> Alex.
>
> > On Wed, Dec 22, 2021 at 6:44 PM Alex Rousskov wrote:
> >
> > > On 12/22/21 11:29 AM, roee klinger wrote:
> > > > cache_peer 100.70.162.11 parent 16211 0 proxy-only default name=proxy16211
> > > > cache_peer 100.70.162.12 parent 16212 0 proxy-only default name=proxy16212
> > > > cache_peer 100.70.162.13 parent 16213 0 proxy-only default name=proxy16213
> > > > acl peer_group_162 peername_regex -i proxy162.*\b
> > > >
> > > > Followed by:
> > > > cache_peer_access peer_group_162 allow admin162
> > >
> > > According to documentation, the cache_peer_access directive requires a
> > > peer name (or a peer host name) as the second parameter. Your
> > > configuration is using a string "peer_group_162", which is not a name
> > > of any cache_peer.
> > >
> > > AFAICT, while you can use peername_regex to _match_ a group of
> > > cache_peers, you still have to name a specific peer as the second
> > > parameter of the cache_peer_access rule. That effectively defeats the
> > > purpose of using peername_regex in this case! It was wrong for me to
> > > point you in peername_regex direction.
> > >
> > > Your configuration has to have at least one cache_peer_access rule
> > > for each cache_peer.
> > >
> > >
> > > Sorry,
> > >
> > > Alex.
> > >
> > >
> > > > but I got an error:
> > > > ERROR: /etc/squid/conf.d/admin_allow_peer.conf, line 4: No cache_peer 'peer_group_162'
> > > >
> > > > Should I use http_access instead? I am not sure how to use it,
> > > > because peer_group_162 is an ACL, not a cache_peer.
> > > >
> > > > Also, is my regex entry correct? I am not sure if \b is supported,
> > > > and if I should add the -i flag or not.
> > > >
> > > > Thanks a lot.
> > > >
> > > > On Wed, Dec 22, 2021 at 5:27 PM Alex Rousskov wrote:
> > > >
> > > > > On 12/22/21 10:21 AM, roee klinger wrote:
> > > > >
> > > > > > I have a group of about 6 cache peers:
> > > > > >
> > > > > > cache_peer 100.70.162.11 parent 16211 0 proxy-only default name=proxy16211
> > > > > > cache_peer 100.70.162.12 parent 16212 0 proxy-only default name=proxy16212
> > > > > > cache_peer 100.70.162.13 parent 16213 0 proxy-only default name=proxy16213
> > > > > >
> > > > > > cache_peer 100.70.163.11 parent 16311 0 proxy-only default name=proxy16311
> > > > > > cache_peer 100.70.163.12 parent 16312 0 proxy-only default name=proxy16312
> > > > > > cache_peer 100.70.163.13 parent 16313 0 proxy-only default name=proxy16313
> > > > > >
> > > > > >
> > > > > > I would like to allow user162_acl access only to the peers that ...
> > > > > > have a name that starts with proxy162
> > > > >
> > > > > According to documentation, a peername_regex ACL can do what you want.
> > > > >
> > > > > Alex.
> > > > > _______________________________________________
> > > > > squid-users mailing list
> > > > > squid-users@lists.squid-cache.org
> > > > > http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
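
Added example, not part of the thread and not Squid project code: since cache_peer_access takes one peer name per rule, a small generator can expand a name-pattern group into the per-peer rules the thread says are required, and list peers that matched no group and would therefore get no cache_peer_access rule. The group-to-ACL mapping and the function names are assumptions; the peer lines and the admin162 ACL name are taken from the messages above.

```python
import re

# Constructed sample: the six cache_peer lines quoted in the thread.
SAMPLE_CONF = """\
cache_peer 100.70.162.11 parent 16211 0 proxy-only default name=proxy16211
cache_peer 100.70.162.12 parent 16212 0 proxy-only default name=proxy16212
cache_peer 100.70.162.13 parent 16213 0 proxy-only default name=proxy16213
cache_peer 100.70.163.11 parent 16311 0 proxy-only default name=proxy16311
cache_peer 100.70.163.12 parent 16312 0 proxy-only default name=proxy16312
cache_peer 100.70.163.13 parent 16313 0 proxy-only default name=proxy16313
"""

def peer_names(conf):
    """Return the name of every cache_peer (name= option, else the host)."""
    names = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == "cache_peer":
            named = [f[5:] for f in fields[2:] if f.startswith("name=")]
            names.append(named[0] if named else fields[1])
    return names

def expand_groups(conf, groups):
    """groups maps a peer-name regex to the user ACL allowed on those peers.

    Returns (rules, uncovered): an allow rule per matching group followed by
    an explicit "deny all" for each covered peer, plus the peers that matched
    no group and so would be left without any cache_peer_access rule.
    """
    rules, uncovered = [], []
    for name in peer_names(conf):
        acls = [acl for pat, acl in groups.items() if re.match(pat, name)]
        if not acls:
            uncovered.append(name)
            continue
        for acl in acls:
            rules.append(f"cache_peer_access {name} allow {acl}")
        rules.append(f"cache_peer_access {name} deny all")
    return rules, uncovered

if __name__ == "__main__":
    # Hypothetical mapping: only the 162 group is assigned, to admin162.
    rules, uncovered = expand_groups(SAMPLE_CONF, {r"proxy162\d+$": "admin162"})
    print("\n".join(rules))
    print("# peers with no cache_peer_access rule:", ", ".join(uncovered))
```

The generated lines can be written to an included file; the uncovered list is worth reviewing before a reload, because those peers would carry no per-user restriction.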