Re: ACLs - a seriously weird thing

From: <rstagg@dont-contact.us>
Date: Thu, 18 Feb 1999 09:36:08 +0000

Hi,

* The ACL syntax may have been questionable (I have had netmasks suggested
to me already) but it certainly worked.

* I don't use DNSServers - all traffic (except SSL) is pointed to an
upstream parent on a DMZ. Other identically spec'd boxes (without the
shonky ACL) also use that server as a parent, without problems. I
eliminated the upstream server from the enquiries very early on. This is
one of the most confusing things - unless a CONNECT method is used, all my
cache has to do is forward the request to another Squid box. It managed it
for nearly all traffic, except the .uk domains, which sat around for
roughly 60 seconds (no log entries; no clues) and _then_ got forwarded. But
only a few at a time; if "netstat" showed five connections between the
client and Squid, then after a minute I got five objects and had to sit and
wait for the next few.

* The 20.20.20.20 machine is on a "csc.com" domain. (NB 20.20.20.20 is not
the _real_ IP address of the machine in question; only the first octet is
genuine).

I'm still baffled, but I'll keep you posted if I find anything.

Rgds

Richard Stagg

jlarmour@cygnus.co.uk on 17/02/99 20:14:22

To: Richard Stagg/TMU/CSC
cc: squid-users@ircache.net
Subject: Re: ACLs - a seriously weird thing

rstagg@csc.com wrote:
>
> acl int_ip_host dst 20.20.20.20
> always_direct allow int_ip_host
>
> This fixed the problem. Then the performance started to suffer. The cache
> became intermittent, and it took me _ages_ to figure out what was going on.
>
> You'll love this: If I browsed sites ending in .com, .net, .se, .org... etc
> etc, in fact most sites, they were fine. If I browsed a site ending in .uk,
> the cache sat and thought about it for a full minute before giving me a
> couple of objects and then going back into catatonia. I removed the above
> two lines from squid.conf, and the problem vanished. I tested and retested
> this, on the grounds that it's clearly nonsense, but the fact is apparent
> that the lines above break the cache, _only_ on *.uk sites.
>
> I'm totally confused by this. Is this a bug? Have I mucked up? Does anyone
> have any ideas?

FWIW your acl line syntax isn't quite right, I believe. I don't know how
that could make the symptoms you describe though. Your cache.log didn't say
anything about running out of dnsservers, did it? Was the real name of the
internal host (and the squid too?) something that ended in .uk? Just
wondering for more info. I'm running squid-2.1P2 here so if you can confirm
that, I can try to reproduce it.
Jifl

--
Cygnus Solutions, 35 Cambridge Place, Cambridge, UK.  Tel: +44 (1223) 728762
"Women marry hoping their husbands will change, men||Home e-mail: jifl @
marry hoping their wives never do. Both are rare." ||     jifvik.demon.co.uk
Help fight spam! http://spam.abuse.net/  These opinions are all my own fault
Received on Thu Feb 18 1999 - 02:43:34 MST