LinuxQuestions.org
Forum: Linux - Server
external_acl_type Squid, cannot understand options

#1 markotitel, 05-31-2009, 01:48 AM


Hi, can someone help me understand the external_acl_type directive in the Squid proxy?

For example, what does TTL mean? To be precise, I have this in my squid.conf:
Code:
external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %SRC /usr/local/bin/squid_session -t 300
acl session external session
http_access deny !session
deny_info prviput session
And it works great: when a user tries to surf the net, every request is denied and the "welcome page" is displayed; after hitting refresh he can use the internet.

BUT I don't understand what this ACL does. TTL=300, NEGATIVE_TTL=0: what do those options do?

I read the manual but cannot figure it out...
 
#2 Simon Bridge, 05-31-2009, 02:15 AM
ACL = access control list, TTL = time to live, NEGATIVE_TTL = negative time to live (like time to live but for failed transactions - how long do you cache the 404 page not found screen?)

Your question suggests that you need to review the basics on how squid works and what it does.
http://www.linuxdevcenter.com/pub/a/.../26/squid.html
http://www.visolve.com/squid/Squid_tutorial.php
http://www.visolve.com/squid/squid24s1/tuning.php
... the first two are basic configuration tutorials - since that seems to be the area of your immediate problem. The last one is a manual which covers the concepts in more detail. While it is possible to get a long way on cut-and-paste, there is no substitute for understanding your tools.
 
#3 markotitel, 06-01-2009, 08:34 AM
I have read this a couple of times; still, it does not explain what the options I pasted mean. For example, what will happen if I increase the TTL value or the negative_ttl value?
 
#4 Simon Bridge, 06-01-2009, 11:10 AM
Quote:
I have read this couple of times, still it does not explain what options I pasted mean.
What have you read a couple of times?
Did you go through the links?

It's not supposed to explain the options you posted - you are supposed to read the references I supplied. One of the characteristics of free support is that I get to give you the advice you need instead of what you asked for. What has happened is that your question shows that you need to go back to reviewing the basics. Do that and you'll better understand what the options are.

How about this one:
http://www.squid-cache.org/
... the official site has a lot of resources to help your understanding.

Many elements of Squid's operation have a "time to live" value associated with them. This is usually to prevent loops or bad repeats. Exactly what it does depends on the context. Let's see if I can spell it out for the example above:

external_acl_type
... this is defining an external access control list - controlled by a third party program. The rest of the entry says under what conditions it should run and what program to run.

session
... this is the name of the type

ttl=300 ... how long positive acl results are kept for - 5 mins. This means that if you authenticate by this list, then revoke the account, you can continue surfing for 5 mins.

negative_ttl=0 ... how long negative results are kept - i.e. not at all. So you can attempt to re-authenticate immediately after a fail.

children=1 ... it can open one child process - probably the list software itself.

concurrency=200 ... up to 200 results kept at the same time(?unsure)

%SRC ... format of the list - there are others.

/usr/local/bin/squid_session
... this is the program to run

-t 300
... these are the options passed to the program.


--- someone will, no doubt, correct me

Really read the documentation. Squid is powerful and subtle.
Read through the FAQ in squid-cache.org, read their guides.
Read the book.

Last edited by Simon Bridge; 06-01-2009 at 11:16 AM.
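Added example, not from this thread and not the squid_session binary from the Squid project: a minimal external ACL helper in Python that speaks the line protocol Squid uses when concurrency= is set. Squid writes "<channel-id> <key>" on the helper's stdin, where the key is the FORMAT part of the directive rendered for the request (here %SRC, so the client IP), and expects "<channel-id> OK" or "<channel-id> ERR" back, one line per request, flushed; replies may come back out of order, which is what the channel id is for. The session rule implemented (passive mode: an unknown or idled-out key gets ERR and starts a session, a live key gets OK and refreshes its idle timer) is an assumption modelled on the -t idle timeout documented for squid_session, not that helper's actual code; the --no-concurrency switch is this script's own, not an option of the real helper.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper (added example, not the squid_session
binary from the thread).

Squid starts `children` copies of the helper and, with concurrency=N in
external_acl_type, sends each request as one line
    <channel-id> <key>
where <key> is the FORMAT part of the directive rendered for the request
(the thread's %SRC gives the client IP).  The helper answers one line
    <channel-id> OK
or  <channel-id> ERR
and must flush it; up to N requests per process may be in flight and may be
answered out of order, which is what the channel id is for.

Session rule (assumption modelled on squid_session -t, not its source): the
first request from a key, or one arriving after `idle_timeout` seconds of
silence, gets ERR and starts a session; every later request inside the
timeout gets OK and refreshes the timer.  Squid's deny_info then sends the
ERR'd client to the welcome page, the behaviour described in post #1.
"""
import argparse
import sys
import time
from typing import Dict, Optional


class SessionHelper:
    def __init__(self, idle_timeout: int = 3600, concurrent: bool = True) -> None:
        self.idle_timeout = idle_timeout
        self.concurrent = concurrent            # expect "<channel-id> <key>" lines
        self.last_seen: Dict[str, float] = {}   # key -> time of last helper lookup

    def check(self, key: str, now: float) -> bool:
        """True if `key` has a live session; always (re)starts its idle timer."""
        last = self.last_seen.get(key)
        self.last_seen[key] = now
        return last is not None and now - last <= self.idle_timeout

    def handle_line(self, line: str, now: Optional[float] = None) -> str:
        """Turn one request line from Squid into the reply line for it."""
        if now is None:
            now = time.time()
        fields = line.split()
        if not fields:
            return "ERR"
        if self.concurrent:
            if len(fields) < 2:
                # Key missing: answer the channel with ERR so it does not stall.
                return fields[0] + " ERR"
            prefix, key = fields[0] + " ", fields[1]
        else:
            prefix, key = "", fields[0]   # concurrency=0: no channel id on the line
        return prefix + ("OK" if self.check(key, now) else "ERR")


def main(argv=None) -> None:
    parser = argparse.ArgumentParser(description="Squid external ACL session helper")
    parser.add_argument("-t", dest="timeout", type=int, default=3600,
                        help="idle seconds before a session is forgotten")
    parser.add_argument("--no-concurrency", action="store_true",
                        help="for concurrency=0, where lines carry no channel id")
    args = parser.parse_args(argv)
    helper = SessionHelper(args.timeout, concurrent=not args.no_concurrency)
    for line in sys.stdin:                 # one request per line until Squid closes stdin
        sys.stdout.write(helper.handle_line(line) + "\n")
        sys.stdout.flush()                 # an unflushed reply leaves Squid waiting


if __name__ == "__main__":
    main()
```

To try it in place of the binary, the directive from post #1 would point at the script instead (the path is an assumption): external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %SRC /usr/local/bin/squid_session.py -t 300. Feeding it lines by hand, e.g. echo "0 10.0.0.5" twice through a pipe, shows the ERR-then-OK pattern that produces the welcome page on the first request and normal browsing on the refresh.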
 
#5 markotitel, 06-02-2009, 02:05 AM
Thank you Simon, I read the links you posted for me before, and they don't answer my question. For example, TTL=1 doesn't mean I'll have to reauthenticate every second, as you said... That is the problem: I cannot figure out how EXACTLY it works.
 
#6 Simon Bridge, 06-02-2009, 05:48 AM
To find out how something works exactly - read the source code.
Everything else is approximation.

The documentation does not go into great detail about what happens with everything right away. It will take longer than a couple of nights reading - you have to study.

Is there a problem? Is the proxy doing what you expect?
 
#7 markotitel, 06-02-2009, 05:49 AM
Yes it works, but I just wanted to know what will happen if I change the TTL...
 
#8 Simon Bridge, 06-02-2009, 05:59 AM
Try it and see
 
#9 chitambira, 06-02-2009, 07:00 AM
Your problem is you are treating things individually here. This whole line:
Quote:
external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %SRC /usr/local/bin/squid_session -t 300
is a combination of several directives, and its meaning is derived jointly from all of these directives/options.
Here you are defining your own external ACL with a given name, 'session'.
'session' invokes a command/program called 'squid_session' found in /usr/local/bin.
What does squid_session do?
squid_session is a little program which keeps track of the sessions (possibly written in Perl).
What for?
Usually sysadmins want to redirect their users every time (or once a day) they go to the internet to a company policy page (or disclaimer, telling them that some info is being logged, etc.).
They do this by checking for sessions. Every new session is redirected to that page, and if the users retry or refresh, they can then browse their required page. Whilst their session is not expired, they can continue to browse without being redirected to the policy page each time, but when the session expires, they will be redirected again to the policy page when they try to hit a website.
So what about the TTLs?
When you call the squid_session program, you give it options:
Quote:
ttl=300 negative_ttl=0 children=1 concurrency=200
ttl is Time To Live (TTL) in seconds for cached results (defaults to 3600 for 1 hour), and it tells squid_session how long the session should be before a user's request can be redirected (in your case 300 seconds). Increasing it, e.g. to 3600, means users' sessions will expire every hour, and they will be redirected to the policy page on their first hit, i.e. they will see it only once and then can browse and refresh without being redirected for the next 60 mins.
If you lower it, every time you browse you will be redirected (more frequently). If it's 1, IF you refresh you will quickly go back to that policy page even on all subsequent refreshes, BUT if you don't refresh, you won't see the effect.
negative_ttl is the TTL for cached negative lookups (default same as ttl).
You will need to use a very small negative_ttl, e.g. 1, but I highly recommend 0 in this case, so yours is OK.

concurrency is the concurrency level per process (for each squid process, how many (max) requests to handle at a time). Use 0 for old-style helpers which can only process a single request at a time.

Last edited by chitambira; 06-02-2009 at 07:07 AM.
 
#10 markotitel, 06-03-2009, 01:12 AM
Thank you chitambira, it is almost clear to me; just one more thing: squid_session -t 300, what about that time?

When TTL is 300, then we call session, and session says the time is over after 300, so does it mean we wait 300+300?
 
#11 chitambira, 06-03-2009, 05:48 AM
The -t option is internal to the squid_session script that you are running. If you show me the script I will be able to tell you what it does. It might actually be duplicating the TTL variable.
 
#12 markotitel, 06-03-2009, 06:29 AM
Quote:
external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %SRC /usr/local/bin/squid_session -t 300
acl session external session
http_access deny !session
deny_info prviput session
This is the script; I use it for a disclaimer page before surfing the web.
 
#13 chitambira, 06-03-2009, 09:58 AM
The script that I wanted was:
Quote:
# cat /usr/local/bin/squid_session
 
#14 markotitel, 06-04-2009, 01:39 AM
When I 'cat' that file, just a bunch of strange signs shows up. Thank you for your time; I will fiddle a little bit, and when I know exactly what it does I'll tell you.
 
#15 chitambira, 06-04-2009, 03:34 AM
It's a binary, so you would need the manual from the package that installed it, but anyway, I guess it works just as I have explained. Try to remove the ttl=300 and run it; you should see no difference if I am correct.
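Added example, not from the thread and not Squid code: a Python simulation of the result cache Squid keeps in front of an external ACL helper, to show what ttl and negative_ttl change (post #9), how they combine with the helper's own -t timeout (the "300+300?" question in post #10), and what the experiment suggested in post #15 does. Squid keys that cache on the formatted request (%SRC, the client IP), keeps an OK answer for ttl seconds and an ERR answer for negative_ttl seconds (ttl defaults to 3600 and negative_ttl to ttl, the defaults post #9 quotes), and while an entry is fresh the helper is not asked at all. The helper model is an assumption based on the -t idle timeout documented for squid_session (passive mode: an unknown or idled-out client gets ERR and starts a session, a live client gets OK and refreshes the timer); the request pattern, one hit every 7 seconds for 15 minutes from one client, is constructed.

```python
"""Squid external ACL result cache, simulated (added example, not Squid code).

ExternalAclCache models what Squid does between http_access and the helper:
it remembers OK for `ttl` seconds and ERR for `negative_ttl` seconds per key
and only consults the helper on a miss.  SessionHelper models the
squid_session -t idle timeout in passive mode (assumption, see lead-in).
"""
from typing import Dict, List, Optional, Tuple


class SessionHelper:
    """ERR on first sight or after idle_timeout seconds of silence (a session
    starts or restarts); OK otherwise.  Only helper lookups refresh the timer,
    so requests Squid serves from its cache are invisible here."""

    def __init__(self, idle_timeout: int) -> None:
        self.idle_timeout = idle_timeout
        self.last_seen: Dict[str, float] = {}

    def check(self, key: str, now: float) -> bool:
        last = self.last_seen.get(key)
        self.last_seen[key] = now
        return last is not None and now - last <= self.idle_timeout


class ExternalAclCache:
    def __init__(self, helper: SessionHelper, ttl: int = 3600,
                 negative_ttl: Optional[int] = None) -> None:
        self.helper = helper
        self.ttl = ttl                                       # squid.conf default: 3600
        self.negative_ttl = ttl if negative_ttl is None else negative_ttl  # default: = ttl
        self.entries: Dict[str, Tuple[bool, float]] = {}     # key -> (verdict, expires at)
        self.helper_calls = 0

    def lookup(self, key: str, now: float) -> Tuple[bool, bool]:
        """Return (allowed, served_from_cache) for one request."""
        entry = self.entries.get(key)
        if entry is not None and now < entry[1]:
            return entry[0], True
        self.helper_calls += 1
        allowed = self.helper.check(key, now)
        lifetime = self.ttl if allowed else self.negative_ttl
        if lifetime > 0:                     # ttl=0 / negative_ttl=0 means "do not cache"
            self.entries[key] = (allowed, now + lifetime)
        return allowed, False


def splash_pages(ttl: int, negative_ttl: Optional[int], helper_timeout: int,
                 hits: List[int], client: str = "10.0.0.5") -> List[int]:
    """Replay one client's requests (second offsets) through cache + helper and
    return the offsets at which http_access denied it, i.e. the moments the
    deny_info welcome page was shown."""
    cache = ExternalAclCache(SessionHelper(helper_timeout), ttl, negative_ttl)
    return [t for t in hits if not cache.lookup(client, t)[0]]


if __name__ == "__main__":
    hits = list(range(0, 901, 7))      # constructed: a request every 7 s for 15 min
    scenarios = {
        "thread config   ttl=300  negative_ttl=0        -t 300": (300, 0, 300),
        "shorter ttl     ttl=60   negative_ttl=0        -t 300": (60, 0, 300),
        "ttl removed     ttl=3600 negative_ttl=0        -t 300": (3600, 0, 300),
        "negative_ttl left at its default (= ttl)       -t 300": (300, None, 300),
    }
    for name, (ttl, nttl, t) in scenarios.items():
        denied = splash_pages(ttl, nttl, t, hits)
        print(f"{name}: welcome page shown {len(denied)} times, first at {denied[:4]}")
```

With the thread's values the welcome page comes back at 0, 308 and 616 seconds even though the client never pauses: the OK is cached for 300 seconds, so the helper does not hear from that client again until its own 300-second idle timer has just run out. The two 300s therefore do not add up; the helper's -t is measured between helper lookups, and ttl sets how far apart those lookups are. A ttl well below -t (60 here) keeps the helper's timer refreshed and the page is shown once. Dropping ttl=300 falls back to the 3600-second default and also shows it once within these 15 minutes, but then the cached OK is served for an hour regardless of what the helper would say. Leaving negative_ttl at its default caches the ERR, so the refresh that is meant to let the user through is answered from the cache, and by the time that entry expires the helper has forgotten the session and says ERR again: the client is denied on every request, which is why negative_ttl=0 matters for this setup.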
 