How to Reload Squid ACL Rules Dynamically Without Restarting Squid Proxy Server


2 views

When managing a Squid proxy server, administrators often need to update ACL (Access Control List) rules frequently, especially when implementing bandwidth restrictions or access policies. The traditional approach requires a full service restart:

sudo systemctl restart squid

This becomes problematic in production environments where continuous uptime is crucial. Let's explore better solutions.

Squid actually provides a way to reload configuration changes without a full restart using the squid -k reconfigure command. For your specific case with the exceeded_users ACL, you can use:

sudo squid -k reconfigure

This sends a SIGHUP signal to Squid, causing it to:

  • Re-read the configuration file
  • Maintain existing connections
  • Apply new ACL rules immediately

For automatic reloading when your /etc/squid/users/exceeded file changes, you can implement an inotify watcher. Here's a Python script example:

#!/usr/bin/env python3
import pyinotify
import subprocess

class EventHandler(pyinotify.ProcessEvent):
    def process_IN_MODIFY(self, event):
        subprocess.run(['squid', '-k', 'reconfigure'])

wm = pyinotify.WatchManager()
handler = EventHandler()
notifier = pyinotify.Notifier(wm, handler)
wdd = wm.add_watch('/etc/squid/users/exceeded', pyinotify.IN_MODIFY)
notifier.loop()

For more dynamic control, consider using an external ACL helper script. This allows real-time decisions without file modifications:

acl exceeded_users external /usr/lib/squid/ext_acl_bandwidth
http_access deny exceeded_users all_dst

Here's a sample helper script (/usr/lib/squid/ext_acl_bandwidth):

#!/bin/bash
while read -r line; do
    username=$(echo "$line" | awk '{print $1}')
    if grep -q "^${username}$" /etc/squid/users/exceeded; then
        echo "OK"
    else
        echo "ERR"
    fi
done

When implementing dynamic ACL solutions:

  • For file-based ACLs (like your original approach), squid -k reconfigure is efficient for occasional changes
  • External ACL helpers add some overhead but provide real-time control
  • Monitor Squid's cache manager (squidclient mgr:info) to assess performance impact

After implementing changes, verify they're working with:

tail -f /var/log/squid/access.log | grep 'TCP_DENIED'
squidclient mgr:config

This helps confirm your ACL changes are effective without service interruption.

When managing a Squid proxy server in a production environment, one common pain point is the requirement to restart the service for ACL (Access Control List) changes to take effect. This becomes particularly problematic when implementing dynamic access control systems, such as bandwidth limitation enforcement where users need to be added to deny lists in real-time.

Squid actually provides a graceful way to reload its configuration without a full restart:

squid -k reconfigure

This command sends a SIGHUP signal to the running Squid process, triggering a configuration reload. The main advantages are:

  • Zero downtime for existing connections
  • Preservation of cache contents
  • Immediate application of new ACL rules

For a complete solution, you'll want to implement an automated workflow. Here's how we can modify the original example:

# Example script: update_exceeded_users.sh
#!/bin/bash

# 1. Add user to exceeded list
echo "$1" >> /etc/squid/users/exceeded

# 2. Remove duplicates and sort
sort -u /etc/squid/users/exceeded -o /etc/squid/users/exceeded

# 3. Reload Squid configuration
/usr/sbin/squid -k reconfigure

For even more dynamic control, consider using Squid's external ACL helper mechanism:

acl exceeded_users external exceed_check
http_access deny exceeded_users all_dst

# In squid.conf
external_acl_type exceed_check %LOGIN /usr/lib/squid/exceed_check.py

Here's a Python example for the external ACL helper:

#!/usr/bin/env python3
# exceed_check.py
import sys

def check_user(username):
    with open('/etc/squid/users/exceeded') as f:
        return username.strip() in [line.strip() for line in f]

while True:
    line = sys.stdin.readline()
    if not line:
        break
    username = line.split()[0]
    print("OK" if not check_user(username) else "ERR")

When implementing these solutions, keep in mind:

  • Frequent reconfigure operations may impact performance
  • External ACL helpers add latency to each request
  • For high-traffic servers, consider a caching layer for the ACL checks

For some scenarios, you can leverage Squid's refresh_pattern directive to dynamically control access:

refresh_pattern -i \.mp4$ 1440 20% 10080 override-expire override-lastmod reload-into-ims ignore-no-store ignore-private
refresh_pattern -i \.mp4$ 0 0% 0 override-expire override-lastmod reload-into-ims ignore-no-store ignore-private user=exceeded