cache_peer selection based on username

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

cache_peer selection based on username

Roeeklinger60
Hey,

I am trying to figure out the best way to select cache peers based on the client username, I have read extensively but I cannot figure out the best way to do it.

so far I have:
external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
acl whitelisted_users external user_whitelist_external
http_access allow whitelisted_users

and:
nonhierarchical_direct off
never_direct allow all
cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
cache_peer_access proxy1 allow whitelisted_users
cache_peer_access proxy0.2 deny all
cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
cache_peer_access proxy2 allow whitelisted_users
cache_peer_access proxy0.3 deny all

ideally, script.sh checks if the request is authinticated and if it is, it selects the cache peer to use, is there some kind of way to achieve this with "Defined keywords" to select which cache peer to use or am I looking at this the wrong way?

What would be the best way to accomplish this?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: cache_peer selection based on username

Eliezer Croitoru-3

You should use a note acl for that.

When you return the whitelisted client you should add a note which can be 1-100 or any other static string.

 

It works just out of the box.

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon

 

 

From: squid-users <[hidden email]> On Behalf Of roee klinger
Sent: Sunday, January 10, 2021 5:33 PM
To: [hidden email]
Subject: [squid-users] cache_peer selection based on username

 

Hey,

 

I am trying to figure out the best way to select cache peers based on the client username, I have read extensively but I cannot figure out the best way to do it.

 

so far I have:

external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh

acl whitelisted_users external user_whitelist_external

http_access allow whitelisted_users

 

and:

nonhierarchical_direct off

never_direct allow all

cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1

cache_peer_access proxy1 allow whitelisted_users

cache_peer_access proxy0.2 deny all

cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2

cache_peer_access proxy2 allow whitelisted_users

cache_peer_access proxy0.3 deny all

 

ideally, script.sh checks if the request is authinticated and if it is, it selects the cache peer to use, is there some kind of way to achieve this with "Defined keywords" to select which cache peer to use or am I looking at this the wrong way?

 

What would be the best way to accomplish this?


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: cache_peer selection based on username

Roeeklinger60
So basically I return a note with the “OK” response, which can be any string, for example “100”.

Then, I can use “100” as a normal ACL in squid.conf?

Thanks



On Jan 10, 2021, at 17:36, Eliezer Croitoru <[hidden email]> wrote:



You should use a note acl for that.

When you return the whitelisted client you should add a note which can be 1-100 or any other static string.

 

It works just out of the box.

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon

 

 

From: squid-users <[hidden email]> On Behalf Of roee klinger
Sent: Sunday, January 10, 2021 5:33 PM
To: [hidden email]
Subject: [squid-users] cache_peer selection based on username

 

Hey,

 

I am trying to figure out the best way to select cache peers based on the client username, I have read extensively but I cannot figure out the best way to do it.

 

so far I have:

external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh

acl whitelisted_users external user_whitelist_external

http_access allow whitelisted_users

 

and:

nonhierarchical_direct off

never_direct allow all

cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1

cache_peer_access proxy1 allow whitelisted_users

cache_peer_access proxy0.2 deny all

cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2

cache_peer_access proxy2 allow whitelisted_users

cache_peer_access proxy0.3 deny all

 

ideally, script.sh checks if the request is authinticated and if it is, it selects the cache peer to use, is there some kind of way to achieve this with "Defined keywords" to select which cache peer to use or am I looking at this the wrong way?

 

What would be the best way to accomplish this?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: cache_peer selection based on username

Roeeklinger60
In reply to this post by Eliezer Croitoru-3
Thanks, Eliezer, I was able to get it working.
Here is an example in case anybody runs into this in the future:
acl mynote1 note mykey note1
acl mynote2 note mykey note2

external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
acl whitelisted_users external user_whitelist_external
http_access allow whitelisted_users

nonhierarchical_direct off
never_direct allow all
cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
cache_peer_access proxy1 allow mynote1
cache_peer_access proxy0.2 deny all
cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
cache_peer_access proxy2 allow mynote2
cache_peer_access proxy0.3 deny all

Then, on the external helper, I return one of these two:
OK mykey=note1
OK mykey=note2

On Sun, Jan 10, 2021 at 5:36 PM Eliezer Croitoru <[hidden email]> wrote:

You should use a note acl for that.

When you return the whitelisted client you should add a note which can be 1-100 or any other static string.

 

It works just out of the box.

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon

 

 

From: squid-users <[hidden email]> On Behalf Of roee klinger
Sent: Sunday, January 10, 2021 5:33 PM
To: [hidden email]
Subject: [squid-users] cache_peer selection based on username

 

Hey,

 

I am trying to figure out the best way to select cache peers based on the client username, I have read extensively but I cannot figure out the best way to do it.

 

so far I have:

external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh

acl whitelisted_users external user_whitelist_external

http_access allow whitelisted_users

 

and:

nonhierarchical_direct off

never_direct allow all

cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1

cache_peer_access proxy1 allow whitelisted_users

cache_peer_access proxy0.2 deny all

cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2

cache_peer_access proxy2 allow whitelisted_users

cache_peer_access proxy0.3 deny all

 

ideally, script.sh checks if the request is authinticated and if it is, it selects the cache peer to use, is there some kind of way to achieve this with "Defined keywords" to select which cache peer to use or am I looking at this the wrong way?

 

What would be the best way to accomplish this?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: cache_peer selection based on username

Eliezer Croitoru-3
In reply to this post by Roeeklinger60
Squid provides the acl login or username.

should have maybe ident.
you will need to include a usernames file which contains them.

I believe a note in a helper should do that better.

Eliezer

On Sun, Jan 10, 2021, 17:33 roee klinger <[hidden email]> wrote:
Hey,

I am trying to figure out the best way to select cache peers based on the client username, I have read extensively but I cannot figure out the best way to do it.

so far I have:
external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
acl whitelisted_users external user_whitelist_external
http_access allow whitelisted_users

and:
nonhierarchical_direct off
never_direct allow all
cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
cache_peer_access proxy1 allow whitelisted_users
cache_peer_access proxy0.2 deny all
cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
cache_peer_access proxy2 allow whitelisted_users
cache_peer_access proxy0.3 deny all

ideally, script.sh checks if the request is authinticated and if it is, it selects the cache peer to use, is there some kind of way to achieve this with "Defined keywords" to select which cache peer to use or am I looking at this the wrong way?

What would be the best way to accomplish this?
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: cache_peer selection based on username

Eliezer Croitoru-3
In reply to this post by Roeeklinger60

In the next example I wrote a whole setup:

https://github.com/elico/vagrant-squid-outgoing-addresses

 

Specifically it would look something like:

https://github.com/elico/vagrant-squid-outgoing-addresses/blob/master/shared/note.rb#L82

 

it’s as a line like:

echo “OK x_note=100 ip=100”

 

The in squid use an acl like this:

https://github.com/elico/vagrant-squid-outgoing-addresses/blob/9221a73394ced582fec84bc42abfaae3c9a364b3/shared/collect-32-subnet-addresses.rb#L17

 

ie:

echo "acl #{ip_map[key]} note ip #{acl_name.match(/([0-9]+)/)[1]}" |tee -a /etc/squid/conf.d/acl-to-ip.conf

 

It’s better to run the lab and see the content of the conf files to understand it.

You will need VirtualBox and Vagrant to power up this lab.

 

Later I might be able to record a video of this but not sure yet about this.

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon

 

 

From: roee klinger <[hidden email]>
Sent: Sunday, January 10, 2021 5:51 PM
To: [hidden email]
Cc: Eliezer Croitoru <[hidden email]>
Subject: Re: [squid-users] cache_peer selection based on username

 

So basically I return a note with the “OK” response, which can be any string, for example “100”.

 

Then, I can use “100” as a normal ACL in squid.conf?

 

Thanks

 

 



On Jan 10, 2021, at 17:36, Eliezer Croitoru <[hidden email]> wrote:



You should use a note acl for that.

When you return the whitelisted client you should add a note which can be 1-100 or any other static string.

 

It works just out of the box.

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon

 

 

From: squid-users <[hidden email]> On Behalf Of roee klinger
Sent: Sunday, January 10, 2021 5:33 PM
To: [hidden email]
Subject: [squid-users] cache_peer selection based on username

 

Hey,

 

I am trying to figure out the best way to select cache peers based on the client username, I have read extensively but I cannot figure out the best way to do it.

 

so far I have:

external_acl_type user_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh

acl whitelisted_users external user_whitelist_external

http_access allow whitelisted_users

 

and:

nonhierarchical_direct off

never_direct allow all

cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1

cache_peer_access proxy1 allow whitelisted_users

cache_peer_access proxy0.2 deny all

cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2

cache_peer_access proxy2 allow whitelisted_users

cache_peer_access proxy0.3 deny all

 

ideally, script.sh checks if the request is authinticated and if it is, it selects the cache peer to use, is there some kind of way to achieve this with "Defined keywords" to select which cache peer to use or am I looking at this the wrong way?

 

What would be the best way to accomplish this?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: cache_peer selection based on username

Amos Jeffries
Administrator
In reply to this post by Roeeklinger60
On 11/01/21 8:06 am, roee klinger wrote:
> Thanks, Eliezer, I was able to get it working.
> Here is an example in case anybody runs into this in the future:
>
>     acl mynote1 note mykey note1
>     acl mynote2 note mykey note2
>

FYI, key names ending with "_" character are reserved for custom keys
like this.


>     external_acl_type user_whitelist_external children-max=20 ttl=300
>     %>lp %>a script.sh

NP: this does not check for users or authenticated traffic at all. It is
only using the client-IP and Squid receiving port number.

To meet the earlier stated requirement about authenticated traffic the
helper format should contain %un. The lines below should follow the
http_access rules doing authentication checks.


You could also have the helper doing authentication send the notes to
Squid. eg as a group name.



>     acl whitelisted_users external user_whitelist_external
>     http_access allow whitelisted_users
>
>     nonhierarchical_direct off
>     never_direct allow all
>     cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
>     cache_peer_access proxy1 allow mynote1
>     cache_peer_access proxy0.2 deny all
>     cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
>     cache_peer_access proxy2 allow mynote2
>     cache_peer_access proxy0.3 deny all
>

NP: there is no peer named "proxy0.2" or "proxy0.3" so those deny lines
are not doing anything. The only reason this config does what it appears
at first glance to do, is that the inverted default for the prox1 and
proxy2 peer access rules default is deny.


>
> Then, on the external helper, I return one of these two:
>
>     OK mykey=note1
>     OK mykey=note2
>
>


Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: cache_peer selection based on username

Eliezer Croitoru-3
Hey Amos,

One thing that the auth helper cannot do with this note is the ttl.
The auth ttl is different then the request IP binding/routing.
With separated auth and external_acl helper you can change/apply a note/rule/acl in a lower ttl
ie 3 seconds which can be critical to some applications.
If one ip goes down for any reason you can change the routing.
I would have expected for the note to stick if the ttl is either 0 or 1 for the relevant session.
This so we would rely on the helper to be "live" helper per request.

I know that 0-3 is almost the same like 0-5 but some prefer to use 0-1.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon


-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Amos Jeffries
Sent: Tuesday, January 12, 2021 3:46 AM
To: [hidden email]
Subject: Re: [squid-users] cache_peer selection based on username

On 11/01/21 8:06 am, roee klinger wrote:
> Thanks, Eliezer, I was able to get it working.
> Here is an example in case anybody runs into this in the future:
>
>     acl mynote1 note mykey note1
>     acl mynote2 note mykey note2
>

FYI, key names ending with "_" character are reserved for custom keys
like this.


>     external_acl_type user_whitelist_external children-max=20 ttl=300
>     %>lp %>a script.sh

NP: this does not check for users or authenticated traffic at all. It is
only using the client-IP and Squid receiving port number.

To meet the earlier stated requirement about authenticated traffic the
helper format should contain %un. The lines below should follow the
http_access rules doing authentication checks.


You could also have the helper doing authentication send the notes to
Squid. eg as a group name.



>     acl whitelisted_users external user_whitelist_external
>     http_access allow whitelisted_users
>
>     nonhierarchical_direct off
>     never_direct allow all
>     cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
>     cache_peer_access proxy1 allow mynote1
>     cache_peer_access proxy0.2 deny all
>     cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
>     cache_peer_access proxy2 allow mynote2
>     cache_peer_access proxy0.3 deny all
>

NP: there is no peer named "proxy0.2" or "proxy0.3" so those deny lines
are not doing anything. The only reason this config does what it appears
at first glance to do, is that the inverted default for the prox1 and
proxy2 peer access rules default is deny.


>
> Then, on the external helper, I return one of these two:
>
>     OK mykey=note1
>     OK mykey=note2
>
>


Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: cache_peer selection based on username

Amos Jeffries
Administrator
On 12/01/21 9:17 pm, Eliezer Croitoru wrote:
> Hey Amos,
>
> One thing that the auth helper cannot do with this note is the ttl.
> The auth ttl is different then the request IP binding/routing.

That can be added in via the the key_extras detail.

Though I am still worried that the OP *only* asked about routing by
"username" then their apparently working solution has nothing to do with
users or usernames at all.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: cache_peer selection based on username

Roeeklinger60
Hey Amos,
Thanks, I fixed the keys with the proper "_" character.
Seems like I was in a hurry and did some config mistakes, "proxy0.2" and "proxy0.3" are supposed to be "proxy1" and "proxy2".
Regarding the helper, I also forgot to mention, I am using 2 helpers, one for IP whitelisting and one for username authentication,
in the example I provided I am using IP whitelisting, the naming is wrong, please see the fixed config.

acl mynote1 note mykey_ note1
acl mynote2 note mykey_ note2

external_acl_type IP_whitelist_external children-max=20 ttl=300 %>lp %>a script.sh
acl whitelisted_IP external IP_whitelist_external
http_access allow whitelisted_IP

nonhierarchical_direct off
never_direct allow all
cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
cache_peer_access proxy1 allow mynote1
cache_peer_access proxy1 deny all
cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
cache_peer_access proxy2 allow mynote2
cache_peer_access proxy2 deny all

Then, on the external helper, I return one of these two:

OK mykey=note1
OK mykey=note2

For the authentication helper, I did not look into it but contrary to my belief it seems auth_param does not support defined keywords,
so I guess I will have to follow your advice by adding %un to my user_whitelist_external helper, is there any way to do this with auth_param?
what exactly do you mean to send it as a group name?

Roee.



On Tue, Jan 12, 2021 at 11:59 AM Amos Jeffries <[hidden email]> wrote:
On 12/01/21 9:17 pm, Eliezer Croitoru wrote:
> Hey Amos,
>
> One thing that the auth helper cannot do with this note is the ttl.
> The auth ttl is different then the request IP binding/routing.

That can be added in via the the key_extras detail.

Though I am still worried that the OP *only* asked about routing by
"username" then their apparently working solution has nothing to do with
users or usernames at all.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users