August 2007
Andrew Pollock


Monday, 06 August 2007

Squid 2.6 redirector API change pain

So it seems that Squid changed its redirector API with 2.6. This pissed me off no end once I got to the bottom of a problem related to it at work last week.

Squid's had redirector functionality since, oh, last century, and it's a really handy feature, if you want to intercept URLs that Squid's handling, and change them to something else. I've used it in a past life at an ISP to force people to use a local mirror for various things, regardless of where they think they want to go.

So for the longest time, the documented API has been that an external program, which Squid will attach to the stdin and stdout of, receives on stdin four words on a line: the URL being requested, the IP address/FQDN of the client requesting it, the username of the user, if they've authenticated to the cache, and the HTTP method being used.

All good. So we had an in-house redirector script, which used a regex (^(\S+) \S+ \S+ \S+$) to determine if it should apply any logic to the URL at all, or just output a newline, meaning no redirection should occur.

So along comes Squid 2.6, which changes that API. It now passes in five things on stdin. The changelog has an innocuous "Added to the redirectors interface the support for SSL client certificate" entry, so I presume on a good day, that's what is passed in as the fifth word instead of a hyphen.

Anyway, our redirector script started not rewriting anything at all, which made some other stuff break spectacularly. It was most fun in one location, where we had four proxy servers behind a load balancer, and two were running Squid 2.5 and two were running Squid 2.6. Yay for non-deterministic behaviour.

So once I'd tracked down the problem, I swore a lot, and changed the regex to be ^(\S+) \S+ \S+ \S+( \S+)?$ and proceeded to rant at anyone and everyone within earshot on how messed up this whole situation was.
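
A redirector loop that tolerates the extra field, as an added example (not the in-house script described in this post): it splits each line on whitespace, uses the first four words and ignores anything after them, so the same helper gives the same answer whether it is fed four words or five. The mirror mapping, hostnames and sample lines are constructed for illustration.

```python
import sys

# Hypothetical rewrite rule: send one upstream host to a local mirror.
MIRRORS = {"http://ftp.example.org/": "http://mirror.example.net/"}

# Constructed sample lines: the four-word form and the five-word Squid 2.6 form.
SAMPLE_4 = "http://ftp.example.org/pub/a.iso 192.0.2.10/- - GET"
SAMPLE_5 = SAMPLE_4 + " -"


def parse_request(line):
    """Return the four documented fields plus any extras, or None if too short."""
    words = line.split()
    if len(words) < 4:
        return None
    url, client, ident, method = words[:4]
    # Words after the fourth are kept as opaque extras, never a parse failure.
    return {"url": url, "client": client, "ident": ident,
            "method": method, "extras": words[4:]}


def rewrite(line):
    """Return the reply for one line: a new URL, or an empty string for no change."""
    req = parse_request(line)
    if req is None:
        # Log rather than pass silently, so an input-format change gets noticed.
        print("redirector: unparseable input: %r" % line, file=sys.stderr)
        return ""
    for prefix, mirror in MIRRORS.items():
        if req["url"].startswith(prefix):
            return mirror + req["url"][len(prefix):]
    return ""


def main():
    # One request per line in, one reply line out; an empty line means no change.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()  # reply immediately so the caller is not left waiting


if __name__ == "__main__":
    main()
```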

The thing that is irritating me the most is that this seems to have been a fairly poorly communicated change, as best I can determine. It happened between Squid.2.6.STABLE1 and Squid.2.6.STABLE2 (hmm, stable?). I mean, the FAQ hasn't even been updated. This clearly caught out other projects like jesred that provide generic extensible Squid redirectors, looking at #381984. I wonder if SquidGuard in Debian Etch is busted?

So, whilst Squid 2.6 (the release that changed this behaviour anyway) is just over 12 months old, if you haven't upgraded yet, and you have custom redirectors, consider this rant a heads-up.

