squid icon indicating copy to clipboard operation
squid copied to clipboard

Published 20 hours ago verified publisher icon squid-cache

Cleanup proxy_auth ACL results cache

Open yadij opened this issue 3 years ago • 6 comments

Replace the deprecated dlink_list holding proxy_auth results with a ClpMap.

Limit memory usage to 1KB per username. dlink was allowing unlimited ACL results. With ClpMap only ~16 ACLs results are cached at a time - exact number depends on ACL name length.

yadij avatar Jul 27 '20 12:07 yadij

FTR: after seeing what these caches store I am not sure we need them at all. It may be better to cache helper lookup results and have the proxy_auth use that cache instead.

That would eliminate the need to coordinate this extra TTL expiry with changes to auth credentials state in the backend auth system. This cache is particularly tricky to ensure HIT results are accurate as it currently has no direct feed of info from either the helper or squid.conf to determine the proper expiry - for now we invalidate ACL results when credentials become stale.

yadij avatar Jul 27 '20 13:07 yadij

This supersedes PR #590

yadij avatar Jul 27 '20 13:07 yadij

@rousskov, I am bumping this back to reviewer for a re-check. Since the name type change is being done by PR #712 there appear to be no outstanding issues blocking merge of this change.

yadij avatar Jan 08 '21 00:01 yadij

Any chance to move this forward? As it supersedes PR#590 I'd like to pick which way to go: do we push this and abandon PR#590 or do we press ahead with this and abandon the other one? Let's make a call in the next few days please, so not to waste the effort

kinkie avatar May 20 '21 09:05 kinkie

Any chance to move this forward?

I was not aware or forgot that this is on my side because my review was not requested using GitHub "request review" mechanism. I fixed that now and will review in the foreseeable future.

rousskov avatar May 20 '21 13:05 rousskov

Thanks. I am going over old and forgotten PRs to either land them or abandon them.

On Thu, May 20, 2021 at 3:26 PM Alex Rousskov @.***> wrote:

Any chance to move this forward?

I was not aware or forgot that this is on my side because my review was not requested. I fixed that now and will review in the foreseeable future.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/squid-cache/squid/pull/697#issuecomment-845119576, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABHPVDHEOJ34OECXVWRQJCDTOUEYNANCNFSM4PIXQYJQ .

-- Francesco

kinkie avatar May 20 '21 13:05 kinkie