Add documentation on limiting squid access to certain stratum 1s #223

Open: wants to merge 1 commit into base: latest
14 changes: 11 additions & 3 deletions cpt-squid.rst
@@ -3,7 +3,7 @@
Setting up a Local Squid Proxy
==============================

For clusters of nodes with CernVM-FS clients, we strongly recommend
For clusters of nodes with CernVM-FS clients, we strongly recommend
setting up two or more `Squid forward proxy <http://www.squid-
cache.org>`_ servers as well. The forward proxies will reduce the
latency for the local worker nodes, which is critical for cold cache
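Review bot: the removed and added lines of this hunk read identically ("For clusters of nodes with CernVM-FS clients, we strongly recommend"), so the change is invisible in the rendered diff and is presumably whitespace only; if it is not intentional, drop it so the diff contains only the documented change.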
@@ -60,11 +60,19 @@ something like this:

acl localnet src A.B.C.D/NN

If you instead want to limit the destinations to major cvmfs Stratum 1s,
it is better to use the list built in to
If you instead want to limit the destinations to major WLCG cvmfs Stratum 1s,
it is best to use the list built in to
`Frontier Squid <https://twiki.cern.ch/twiki/bin/view/Frontier/InstallSquid#Restricting_the_destination>`_
because the list is sometimes updated with new releases.

For manually limiting the destinations, use a configuration like

::

acl cvmfs dst <a stratum 1 host name>
acl cvmfs dst <another stratum 1 host name>

I'm not sure if this works; it seems like you can't redefine an ACL with the same name.

I got an error like this (in output of sudo systemctl status squid.service):

FATAL: Bungled /etc/squid/squid.conf line 8: acl stratum_ones src <PRIVATE_STRATUM1_IP>

(where <PRIVATE_STRATUM1_IP> was an actual IP address, with < >)

You can put domains and IPs on one single line though, like:

acl stratum_ones dstdomain .eessi.science <PRIVATE_STRATUM1_IP>

Member Author

Perhaps newer squids change the config syntax... but in your example, it's a src ACL and not a dst ACL. Could this be the problem?

Comment on lines +72 to +73
Contributor

I recommend instead using dstdom_regex because it does a string match instead of looking up the names in the DNS and caching them. That makes it able to tolerate changes in IP addresses of the destination name without having to reload squid. So the example would be:

acl cvmfshost dstdom_regex ^(a\.stratum1\.host|another\.stratum1\.host)$

I'm not sure if there can be multiple regexes for the same name, I haven't tried it. Probably there could be.

Contributor

Or maybe a better example, since those two are in the same "domain", would be:

acl cvmfshost dstdom_regex ^(a|another)\.stratum1\.host$

http_access allow cvmfs

The Squid configuration can be verified by ``squid -k parse``. Before
the first service start, the cache space on the hard disk needs to be
prepared by ``squid -z``. In order to make enough file descriptors
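Review bot: the added `acl cvmfs dst <a stratum 1 host name>` lines use Squid's `dst` ACL type, which matches the destination by IP address; a host name given there is resolved when the configuration is parsed, so the rule goes stale when a Stratum 1 changes address, and the angle-bracket placeholders fail at parse time if copied literally. Suggest `dstdomain` (or `dstdom_regex`, as proposed in the thread) with placeholders that are clearly marked as such, e.g. `acl cvmfs dstdomain STRATUM1-A.EXAMPLE STRATUM1-B.EXAMPLE`, and state that `http_access allow cvmfs` must be followed by `http_access deny all` so the proxy is not left open to other destinations. Minor: "built in to" should read "built into".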
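The ACL questions argued over in the thread (dst versus dstdomain versus dstdom_regex, whether repeating an ACL name is allowed, and the "Bungled" line produced by a literal placeholder) can be checked offline before touching a live proxy. The following is an added example, not code from this PR or the cvmfs project: a small Python evaluator of Squid's `acl`/`http_access` semantics for `src`, `dstdomain` and `dstdom_regex` only (it does not model `dst`, which needs DNS, and treats `all` as the built-in ACL). The config fragment is constructed; `.eessi.science` and `a.stratum1.host` are the placeholder names from the thread.

```python
import ipaddress
import re
SAMPLE_CONF = """# constructed fragment (assumed values) combining the suggestions in the thread
acl localnet src 10.0.0.0/8
acl cvmfs dstdomain .eessi.science
acl cvmfs_re dstdom_regex ^(a|another)\\.stratum1\\.host$
http_access allow localnet cvmfs
http_access allow localnet cvmfs_re
http_access deny all
"""

def parse_config(text):
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []  # 'all' is Squid's built-in ACL
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            known, entries = acls.setdefault(name, (kind, []))  # repeating a name appends
            if known != kind:  # ... but only with the same ACL type
                raise ValueError(f"ACL {name!r} is {known}; cannot add {kind} values to it")
            for value in values:
                if kind == "dstdom_regex":
                    re.compile(value)  # a stray ')' fails here, as it does in squid
                elif kind == "src":  # a literal '<...>' placeholder fails here
                    value = str(ipaddress.ip_network(value, strict=False))
                entries.append(value.lower() if kind == "dstdomain" else value)
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(kind, entries, client_ip, dest_host):
    host = dest_host.lower()
    if kind == "src":
        return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(e) for e in entries)
    if kind == "dstdomain":  # ".d" matches d and every subdomain; bare "d" only d exactly
        return any(host == e.lstrip(".") or (e[0] == "." and host.endswith(e)) for e in entries)
    return kind == "dstdom_regex" and any(re.search(e, host) for e in entries)

def is_allowed(conf, client_ip, dest_host):
    acls, rules = parse_config(conf)
    for action, names in rules:  # first matching http_access rule wins
        if all(acl_matches(*acls[n], client_ip, dest_host) for n in names):
            return action == "allow"
    return bool(rules) and rules[-1][0] == "deny"  # no match: opposite of the last rule

def config_error(conf):
    try:  # parse error message for a fragment, or None when it parses cleanly
        return parse_config(conf) and None
    except (ValueError, re.error) as exc:
        return str(exc)
```

Feeding it the exact lines you intend to put in squid.conf shows which destinations a client would reach and catches the unbalanced regex or a placeholder left in before `squid -k parse` does.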