[squid-users] Policy with multiple ACL calls
Alex Rousskov
rousskov at measurement-factory.com
Thu Mar 19 14:59:41 UTC 2026
On 2026-03-19 09:20, Andrey K wrote:
> Hello,
>
> I'd be curious to know, is the dstdomain ACL evaluated once per
> transaction or every time it occurs in the policy?
In general, the short answer to your question is "neither".
An ACL named "x" is evaluated every time Squid reaches ACL name "x"
while evaluating an ACL-driven directive rule.
Squid may use the same directive for the same transaction multiple
times. For example, ssl_bump may be used three times. Most directives
are used zero or one time per transaction though.
directiveA allow x y z
directiveA deny !x
directiveA allow all
directiveA allow w
For example, in the above configuration, ACL named "x" may be evaluated
for a given transaction:
* zero times if that transaction never uses directiveA
* one time if x, y, and z match and the transaction uses directiveA
only once
* two times if x, y, or z do not match and the transaction uses
directiveA only once
* more times in some other cases
Note that ACL name "w" is not evaluated at all in the above example
unless it is reached in some other directiveB that this transaction uses.
> For example, in the following simplified policy, will the Squid go
> through the long list of bank-sites once or six times?
>
> acl bank-sites dstdomain bank-sites.txt
> acl user1 proxy_auth user1
> acl user2 proxy_auth user2
> acl user3 proxy_auth user3
>
> http_access allow user1 bank-sites
> http_access allow user2 bank-sites
> http_access deny user3 bank-sites
>
> ssl_bump splice user1 bank-sites
> ssl_bump bump user2 bank-sites
> ssl_bump terminate user3 bank-sites
I will simplify to reduce noise:
> http_access allow user1 bank-sites
> ssl_bump splice user1 bank-sites
For a user1 transaction, Squid will usually evaluate bank-sites twice,
once during http_access check and once during step1 ssl_bump check.
For a non-user1 transaction, Squid will not evaluate bank-sites.
> I believe that the ACL is calculated only once and the result is reused.
No, there is no "caching" or "reuse" of ACL evaluation results.
There is "caching" of external ACL helper responses, but that is a
somewhat different matter: An external ACL is still evaluated as
described in the beginning of this email, regardless of whether that
evaluation uses a cached helper response.
> What do you think, would it be more efficient to use annotations, like in
> the following example?
>
> acl bank-sites dstdomain bank-sites.txt
> acl user1 proxy_auth user1
> acl user2 proxy_auth user2
> acl user3 proxy_auth user3
>
> acl annotate_banks annotate_client categories+=bank
> acl is_bank note categories bank
>
> # evaluate bank-sites just once and annotate a connection
> http_access deny bank-sites annotate_banks !all
>
> http_access allow user1 is_bank
> http_access allow user2 is_bank
> http_access deny user3 is_bank
>
> ssl_bump splice user1 is_bank
> ssl_bump bump user2 is_bank
> ssl_bump terminate user3 is_bank
Yes, the above should be more efficient, assuming "is_bank" evaluates
much faster than "bank-sites" (because "note" ACLs are quite cheap and
ACLs with address conversions and a very long list of parameters are
usually expensive).
However, please note that, in many use cases, your optimized example is
not equivalent in terms of allow/deny decisions to your non-optimized
example because the former makes the "is a bank" decision once per
connection while the latter makes that decision for each request. If you
want them to be equivalent, use annotate_transaction instead of
annotate_client.
HTH,
Alex.
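As an added illustration (not from this thread and not Squid's code), a small Python model of the evaluation order described above: first-match rules, ANDed terms that stop at the first failure, no caching of ACL results between rules or directives, and a note-style tag scoped either to the connection or to the transaction. The ACL predicates, hostnames and the `conn` dictionary are constructed stand-ins for the real dstdomain, proxy_auth and annotate ACLs.

```python
from collections import Counter

def evaluate(rules, acls, tx, counts):
    """First-match over 'action acl ...' rules: terms are ANDed, '!' negates,
    a rule is abandoned at its first failing term, and every reach of a name
    re-evaluates it (no caching between rules or directives)."""
    for action, *terms in (rule.split() for rule in rules):
        for term in terms:
            name = term.lstrip("!")
            counts[name] += 1
            if acls[name](tx) == term.startswith("!"):
                break                      # term failed, try the next rule
        else:
            return action                  # every term matched
    return None                            # no rule matched

# Constructed stand-ins for the real dstdomain / proxy_auth / all ACLs.
BANKS = {"bank.example", "credit.example"}
ACLS = {
    "bank-sites": lambda tx: tx["host"] in BANKS,
    "user1": lambda tx: tx["user"] == "user1",
    "all": lambda tx: True,
    "x": lambda tx: "x" in tx["flags"], "y": lambda tx: "y" in tx["flags"],
    "z": lambda tx: "z" in tx["flags"], "w": lambda tx: "w" in tx["flags"],
}

def x_evaluations(flags):
    """(x, w) evaluation counts for one use of the directiveA example."""
    counts = Counter()
    evaluate(["allow x y z", "deny !x", "allow all", "allow w"],
             ACLS, {"flags": set(flags)}, counts)
    return counts["x"], counts["w"]

def bank_sites_evaluations(user, host):
    """Simplified policy: one http_access check plus one step1 ssl_bump check."""
    counts, tx = Counter(), {"user": user, "host": host}
    evaluate(["allow user1 bank-sites"], ACLS, tx, counts)
    evaluate(["splice user1 bank-sites"], ACLS, tx, counts)
    return counts["bank-sites"]

def http_access_annotated(tx, scope):
    """Optimized policy: tag once, then test the cheap note. scope='client'
    keeps the tag on the connection (annotate_client), 'transaction' on the
    request only (annotate_transaction)."""
    store = tx["conn"] if scope == "client" else tx
    acls = dict(ACLS,
                annotate_banks=lambda t: store.setdefault("cat", set()).add("bank") or True,
                is_bank=lambda t: "bank" in store.get("cat", ()))
    return evaluate(["deny bank-sites annotate_banks !all",   # tags, never denies
                     "allow user1 is_bank", "deny all"], acls, tx, Counter())
```

Running `http_access_annotated` for a bank request and then a non-bank request on the same `conn` shows the connection-scoped tag still granting the second request, which is the non-equivalence Alex points out.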