On 2026-03-19 09:20, Andrey K wrote:
> Hello,
> I'd be curious to know, is the dstdomain ACL evaluated once per
> transaction or every time it occurs in the policy?
In general, the short answer to your question is "neither".
An ACL named "x" is evaluated every time Squid reaches ACL name "x"
while evaluating an ACL-driven directive rule.
Squid may use the same directive for the same transaction multiple
times. For example, ssl_bump may be used three times. Most directives
are used zero or one time per transaction though.
directiveA allow x y z
directiveA deny !x
directiveA allow all
directiveA allow w
For example, in the above configuration, ACL named "x" may be evaluated
for a given transaction:
* zero times if that transaction never uses directiveA
* one time if x, y, and z match and the transaction uses directiveA
only once
* two times if x, y, or z do not match and the transaction uses
directiveA only once
* more times in some other cases
Note that ACL name "w" is not evaluated at all in the above example
unless it is reached in some other directiveB that this transaction uses.
> For example, in the following simplified policy, will the Squid go
> through the long list of bank-sites once or six times?
> acl bank-sites dstdomain bank-sites.txt
> acl user1 proxy_auth user1
> acl user2 proxy_auth user2
> acl user3 proxy_auth user3
> http_access allow user1 bank-sites
> http_access allow user2 bank-sites
> http_access deny user3 bank-sites
> ssl_bump splice user1 bank-sites
> ssl_bump bump user2 bank-sites
> ssl_bump terminate user3 bank-sites
I will simplify to reduce noise:
> http_access allow user1 bank-sites
> ssl_bump splice user1 bank-sites
For a user1 transaction, Squid will usually evaluate bank-sites twice,
once during http_access check and once during step1 ssl_bump check.
For a non-user1 transaction, Squid will not evaluate bank-sites.
> I believe that the ACL is calculated only once and the result is reused.
No, there is no "caching" or "reuse" of ACL evaluation results.
There is "caching" of external ACL helper responses, but that is a
somewhat different matter: An external ACL is still evaluated as
described in the beginning of this email, regardless of whether that
evaluation uses a cached helper response.
> How do you think, would it be more efficient to use annotations, like in
> the following example?
> acl bank-sites dstdomain bank-sites.txt
> acl user1 proxy_auth user1
> acl user2 proxy_auth user2
> acl user3 proxy_auth user3
> acl annotate_banks annotate_client categories+=bank
> acl is_bank note categories bank
> # evaluate bank-sites just once and annotate a connection
> http_access deny bank-sites annotate_banks !all
> http_access allow user1 is_bank
> http_access allow user2 is_bank
> http_access deny user3 is_bank
> ssl_bump splice user1 is_bank
> ssl_bump bump user2 is_bank
> ssl_bump terminate user3 is_bank
Yes, the above should be more efficient, assuming "is_bank" evaluates
much faster than "bank-sites" (because "note" ACLs are quite cheap and
ACLs with address conversions and a very long list of parameters are
usually expensive).
However, please note that, in many use cases, your optimized example is
not equivalent in terms of allow/deny decisions to your non-optimized
example because the former makes the "is a bank" decision once per
connection while the latter makes that decision for each request. If you
want them to be equivalent, use annotate_transaction instead of
annotate_client.
HTH,
Alex.
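To make the evaluation counts concrete, here is an added toy model (not Squid code, and not from either poster) of Squid's first-match rule evaluation with a per-ACL counter, run over the directiveA example and over both bank-sites policies from the thread. The ACL lambdas, the transaction dict, the note set standing in for annotate_client/note, and the bank.example host are assumptions of the model.

```python
from collections import Counter

def evaluate(rules, acls, tx, counts):
    """First-match rule evaluation: return the action of the first rule whose
    terms all match (None if none). A rule stops at its first failing term."""
    for action, terms in rules:
        for term in terms:
            name = term.lstrip("!")
            counts[name] += 1  # reaching the name is one evaluation
            if acls[name](tx) == term.startswith("!"):  # term fails
                break
        else:
            return action
    return None

def count_x(x_matches, y_matches, z_matches):
    """directiveA example: how often "x" and "w" are reached in one use."""
    rules = [("allow", ["x", "y", "z"]), ("deny", ["!x"]),
             ("allow", ["all"]), ("allow", ["w"])]
    acls = {"x": lambda t: x_matches, "y": lambda t: y_matches,
            "z": lambda t: z_matches, "all": lambda t: True, "w": lambda t: True}
    counts = Counter()
    evaluate(rules, acls, {}, counts)
    return counts["x"], counts["w"]

BANKS = {"bank.example"}  # constructed stand-in for the bank-sites.txt list

def bank_acls():
    return {"user1": lambda t: t["user"] == "user1",
            "user2": lambda t: t["user"] == "user2",
            "user3": lambda t: t["user"] == "user3",
            "bank-sites": lambda t: t["host"] in BANKS,
            # annotate_client model: always matches, writes a note on the connection
            "annotate_banks": lambda t: t["notes"].add("bank") or True,
            "is_bank": lambda t: "bank" in t["notes"],  # "note" ACL model: cheap lookup
            "all": lambda t: True}

USERS = [("allow", "user1"), ("allow", "user2"), ("deny", "user3")]
BUMPS = [("splice", "user1"), ("bump", "user2"), ("terminate", "user3")]

def bank_site_evaluations(user, host, annotated):
    """Count bank-sites evaluations for one request that passes through
    http_access and one step1 ssl_bump check, naive or annotated policy."""
    key = "is_bank" if annotated else "bank-sites"
    http = [(a, [u, key]) for a, u in USERS]
    bump = [(a, [u, key]) for a, u in BUMPS]
    if annotated:
        http.insert(0, ("deny", ["bank-sites", "annotate_banks", "!all"]))
    tx = {"user": user, "host": host, "notes": set()}
    counts = Counter()
    decisions = (evaluate(http, bank_acls(), tx, counts),
                 evaluate(bump, bank_acls(), tx, counts))
    return counts["bank-sites"], decisions
```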
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users