
markotitel 05-31-2009 02:48 AM

external_acl_type Squid, cannot understand options
Hi, can someone help me understand the external_acl_type directive in Squid proxy?

For example, what does TTL mean? To be precise, I have this in my squid conf

external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %SRC /usr/local/bin/squid_session -t 300
acl session external session
http_access deny !session
deny_info prviput session

And it works great :), when a user tries to surf the net every request is denied and a "welcome page" is displayed; after hitting refresh he can use the internet.

BUT I don't understand what this ACL does :(. TTL=300 NEGATIVE_TTL=0, what do those options do?

I read the manual but cannot figure out . . .

Simon Bridge 05-31-2009 03:15 AM

ACL = access control list, TTL = time to live, NEGATIVE_TTL = negative time to live (like time to live but for failed transactions - how long do you cache the 404 page not found screen?)

Your question suggests that you need to review the basics on how squid works and what it does.
... the first two are basic configuration tutorials - since that seems to be the area of your immediate problem. The last one is a manual which covers the concepts in more detail. While it is possible to get a long way on cut-and-paste, there is no substitute for understanding your tools.

markotitel 06-01-2009 09:34 AM

I have read this a couple of times, still it does not explain what the options I pasted mean. For example, what will happen if I increase the TTL value or the negative ttl value?

Simon Bridge 06-01-2009 12:10 PM

I have read this a couple of times, still it does not explain what the options I pasted mean.
What have you read a couple of times?
Did you go through the links?

It's not supposed to explain the options you posted - you are supposed to read the references I supplied. One of the characteristics of free support is that I get to give you the advice you need instead of what you asked for. What has happened is that your question shows that you need to go back to reviewing the basics. Do that and you'll better understand what the options are.

How about this one:
... the official site has a lot of resources to help your understanding.

Many elements of Squid's operation have a "time to live" value associated with them. This is usually to prevent loops or bad repeats. Exactly what it does depends on the context. Let's see if I can spell it out for the example above:

... this is defining an external access control list - controlled by a third party program. The rest of the entry says under what conditions it should run and what program to run.

... this is the name of the type

ttl=300 ... how long positive acl results are kept for - 5 mins. This means that if you authenticate by this list, then revoke the account, you can continue surfing for 5 mins.

negative_ttl=0 ... how long negative results are kept - i.e. not at all. So you can attempt to re-authenticate immediately after a fail.

children=1 ... it can open one child process - probably the list software itself.

concurrency=200 ... up to 200 results kept at the same time(?unsure)

%SRC ... format of the list - there are others.

... this is the program to run

-t 300
... these are the options passed to the program.

--- someone will, no doubt, correct me :)

Really read the documentation. Squid is powerful and subtle.
Read through the FAQ in, read their guides.
Read the book.

markotitel 06-02-2009 03:05 AM

Thank you Simon, I read the links you posted for me before, and they don't explain my question. For example TTL=1 doesn't mean I'll have to reauthenticate every second, as you said... That is the problem, I cannot figure out how EXACTLY it works.

Simon Bridge 06-02-2009 06:48 AM

To find out how something works exactly - read the source code.
Everything else is approximation.

The documentation does not go into great detail about what happens with everything right away. It will take longer than a couple of nights reading - you have to study.

Is there a problem? Is the proxy doing what you expect?

markotitel 06-02-2009 06:49 AM

Yes it works :), but I just wanted to know what will happen if I change TTL . . .

Simon Bridge 06-02-2009 06:59 AM

Try it and see ;)

chitambira 06-02-2009 08:00 AM

Your problem is you are treating things individually here. This whole line:

external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %SRC /usr/local/bin/squid_session -t 300
is a combination of several directives and its meaning is derived jointly by all of these directives/options.
Here you are defining your own external acl with a given name 'session'.
'session' invokes a command/program called 'squid_session' found in /usr/local/bin.
What does squid_session do?
squid_session is a little program which keeps track of the sessions (possibly written in perl).
What for?
Usual sys admins would want to redirect their users every time (or once a day) to a company policy page (or disclaimer, tell them that some info is being logged etc).
They do this by checking for sessions. Every new session is redirected to that page and if the users retry or refresh, they can then browse their required page. Whilst their session is not expired, they can continue to browse without being redirected to the policy page each time, but when the session expires, they will be redirected again to the policy page when they try to hit a website.
So what about the ttls?
When you call squid_session program, you give it options

ttl=300 negative_ttl=0 children=1 concurrency=200
ttl is Time To Live (TTL) in seconds for cached results (defaults to 3600 for 1 hour) and it tells squid_session how long the session should be, before a user's request can be redirected (in your case 300 seconds). Increasing it e.g. to 3600 means users' sessions will expire every hour, and they will be redirected to the policy page on their first hit, i.e. they will see it only once and then can browse and refresh without being redirected for the next 60 mins.
If you lower it, every time you browse you will be redirected (more frequently). If it's 1, IF you refresh you will quickly go back to that policy page even on all subsequent refreshes, BUT if you don't refresh, you won't see the effect.
negative_ttl is TTL for cached negative lookups (default same as ttl).
You will need to use a very small negative_ttl e.g. 1, but I highly recommend 0 in this case, so yours is ok.

concurrency is the concurrency level per process (for each squid process, how many (max)requests to handle at a time). Use 0 for old style helpers who can only process a single request at a time.

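To make the interaction between Squid's result cache (ttl / negative_ttl) and the helper's own -t session timeout concrete, here is an added model that is not part of this thread or of Squid: it assumes the helper answers ERR for a %SRC it has not seen within its timeout and OK otherwise, refreshing the timestamp on every lookup, and that Squid caches OK answers for ttl seconds and ERR answers for negative_ttl seconds. Replaying the poster's configuration shows that the two timers are not additive (no 300+300): the cache hides requests from the helper, so the helper's timeout runs from its last real lookup.

```python
"""Teaching model of Squid's external_acl_type result cache in front of a
session helper such as squid_session -t N. Constructed example, not Squid code."""


class SessionHelper:
    """Assumed helper behaviour: a key (%SRC) not seen within `timeout` seconds
    gets ERR (new session, so deny_info shows the welcome page); a key seen again
    within the timeout gets OK. Every lookup refreshes the session timestamp."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.last_seen = {}  # key -> time of the last lookup Squid actually sent

    def lookup(self, key, now):
        last = self.last_seen.get(key)
        self.last_seen[key] = now
        return "OK" if last is not None and now - last <= self.timeout else "ERR"


class ExternalAcl:
    """Squid keeps helper answers per key: OK for ttl seconds, ERR for
    negative_ttl seconds; while an answer is cached the helper is not asked."""

    def __init__(self, helper, ttl, negative_ttl):
        self.helper, self.ttl, self.negative_ttl = helper, ttl, negative_ttl
        self.cache = {}  # key -> (answer, expiry time)

    def check(self, key, now):
        answer, expires = self.cache.get(key, (None, 0))
        if answer is not None and expires > now:
            return answer, "cache"
        answer = self.helper.lookup(key, now)
        life = self.ttl if answer == "OK" else self.negative_ttl
        if life > 0:  # a ttl of 0 means the answer is never reused
            self.cache[key] = (answer, now + life)
        return answer, "helper"


def simulate(ttl, negative_ttl, timeout, request_times, key="10.0.0.5"):
    """Replay requests from one constructed client; return (time, answer, source)."""
    acl = ExternalAcl(SessionHelper(timeout), ttl, negative_ttl)
    return [(t,) + acl.check(key, t) for t in request_times]


if __name__ == "__main__":
    # The thread's configuration: ttl=300 negative_ttl=0 ... squid_session -t 300
    for t, answer, source in simulate(300, 0, 300, [0, 1, 200, 400, 401]):
        print(f"t={t:4d}s  {answer:3s} from {source}")
```

With ttl=1 the helper is consulted on almost every request but keeps answering OK, which matches the observation that TTL=1 does not force a new welcome page every second; with the default ttl of 3600 the helper's 300 s timeout is invisible until the cached OK expires.
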
markotitel 06-03-2009 02:12 AM

Thank you chitambira, it is almost clear to me, just one more thing: squid_session -t 300, what about that time?

when TTL is 300 then we call session and session tells time is over 300 so it means we wait 300+300 ?

chitambira 06-03-2009 06:48 AM

The -t option is internal to the squid_session script that you are running. If you show me the script I will be able to tell you what it does. It might actually be duplicating the TTL variable.

markotitel 06-03-2009 07:29 AM

external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %SRC /usr/local/bin/squid_session -t 300
acl session external session
http_access deny !session
deny_info prviput session
This is the script, I use it for disclaimer page before surfing the web

chitambira 06-03-2009 10:58 AM

the script that i wanted was:

# cat /usr/local/bin/squid_session

markotitel 06-04-2009 02:39 AM

When I 'cat' that file just a bunch of strange signs shows up. Thank you for your time, I will fiddle a little bit and when I know exactly what it does I'll tell you :) .

chitambira 06-04-2009 04:34 AM

It's a binary, so you would need the manual from the package that installed it, but anyway, I guess it works just as I have explained. Try to remove the TTL=300, and run it; you should see no difference if I am correct.
