squid3 : Really need to use external (slow) acl with peer_cache_access

squid3 : Really need to use external (slow) acl with peer_cache_access

hoper

Hi everybody,

I really tried to find an answer with Google, and within
the archives of this mailing list but couldn't find anything
so... here I am...

I need to select a squid parent based on the login of the
user (and other things). With squid 2.7, I had a configuration
like this one :

-------------------------------------------------------------
cache_peer 169.254.1.1 parent 3128 0 default name=parent1
cache_peer 169.254.1.2 parent 3128 0 default name=parent2
[...] (many parents)

external_acl_type choose_parent ttl=60,children-max=1 %EXT_USER %SRC %LOGIN %ACL /home/user/myhelper.sh
acl p0 external choose_parent

external_acl_type myparent1 ttl=60,children-max=1 %ACL %EXT_USER  /home/user/another_helper
acl p1 external myparent1
external_acl_type myparent2 ttl=60,children-max=1 %ACL %EXT_USER  /home/user/another_helper
acl p2 external myparent2
[...]

cache_peer_access parent1 allow p1
cache_peer_access parent2 allow p2
[...]

cache_peer_access path1 deny all
cache_peer_access path2 deny all
[...]

---------------------------------------------------------------

The idea is to deny all squid parents except the one I want this user
(with this specific IP and so on) to use.

But with squid3, I just have lots of errors in cache.log:

2017/01/25 10:22:16.053 kid1| external_acl.cc(868) aclMatchExternal: myparent1("p1 p1") = lookup needed
2017/01/25 10:22:16.053 kid1| external_acl.cc(871) aclMatchExternal: "p1 p1": queueing a call.
2017/01/25 10:22:16.053 kid1| Checklist.cc(115) goAsync: 0x7fff415cf470 a fast-only directive uses a slow ACL!
2017/01/25 10:22:16.053 kid1| external_acl.cc(873) aclMatchExternal: "p1 p1": no async support!
2017/01/25 10:22:16.053 kid1| external_acl.cc(874) aclMatchExternal: "p1 p1": return -1.

The documentation made it perfectly clear that "cache_peer_access" is a "fast ACL" that can only use fast ones...
But I really need to use external "slow" acl. Please, is there a way to do it ?
Again, this was working in 2.7 :(

Thank you very much.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: squid3 : Really need to use external (slow) acl with peer_cache_access

Amos Jeffries
Administrator
On 25/01/2017 10:29 p.m., [hidden email] wrote:

>
> Hi everybody,
>
> I really tried to find an answer with Google, and within
> the archives of this mailing list but couldn't find anything
> so... here I am...
>
> I need to select a squid parent based on the login of the
> user (and other things). With squid 2.7, I had a configuration
> like this one :
>
> -------------------------------------------------------------
> cache_peer 169.254.1.1 parent 3128 0 default name=parent1
> cache_peer 169.254.1.2 parent 3128 0 default name=parent2
> [...] (many parents)
>
> external_acl_type choose_parent ttl=60,children-max=1 %EXT_USER %SRC %LOGIN %ACL /home/user/myhelper.sh
> acl p0 external choose_parent
>
> external_acl_type myparent1 ttl=60,children-max=1 %ACL %EXT_USER  /home/user/another_helper
> acl p1 external myparent1
> external_acl_type myparent2 ttl=60,children-max=1 %ACL %EXT_USER  /home/user/another_helper
> acl p2 external myparent2
> [...]
>
> cache_peer_access parent1 allow p1
> cache_peer_access parent2 allow p2
> [...]
>
> cache_peer_access path1 deny all
> cache_peer_access path2 deny all
> [...]
>
> ---------------------------------------------------------------
>
> The idea is to deny all squid parents except the one I want this user
> (with this specific IP and so on) to use.
>
> But with squid3, I just have lots of errors in cache.log:
>
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(868) aclMatchExternal: myparent1("p1 p1") = lookup needed
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(871) aclMatchExternal: "p1 p1": queueing a call.
> 2017/01/25 10:22:16.053 kid1| Checklist.cc(115) goAsync: 0x7fff415cf470 a fast-only directive uses a slow ACL!
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(873) aclMatchExternal: "p1 p1": no async support!
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(874) aclMatchExternal: "p1 p1": return -1.
>
> The documentation made it perfectly clear that "cache_peer_access" is a "fast ACL" that can only use fast ones...
> But I really need to use external "slow" acl. Please, is there a way to do it ?
> Again, this was working in 2.7 :(


Well, no. 2.7 was just being silent about the situation and guessing
whether you wanted OK/ERR result. Whereas Squid-3 tells you when the
fast-only cannot handle the ACL check results.

What you need to do is perform the external ACL check during one of the
*_access checks that permits slow lookups, e.g. http_access.

Then use the 'note' ACL type in your fast-only access controls to check
some annotation that the helper returns to Squid.

Amos
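
The approach described in this reply, as an added example that is not part of the original thread and is not Squid's or either poster's own code: the helper runs under `http_access`, answers with an annotation, and the fast-only `cache_peer_access` rules match that annotation through `note` ACLs. The annotation key `parent_`, the ACL names `to_parent1`/`to_parent2`, the `--serve` argument and the user table are assumptions made for illustration.

```shell
#!/bin/sh
# squid.conf side (constructed; ACL names and the parent_ key are assumptions):
#   external_acl_type choose_parent ttl=60 children-max=1 %LOGIN /home/user/myhelper.sh --serve
#   acl p0 external choose_parent
#   http_access allow p0        # slow lookups are permitted in http_access
#   acl to_parent1 note parent_ parent1
#   acl to_parent2 note parent_ parent2
#   cache_peer_access parent1 allow to_parent1
#   cache_peer_access parent1 deny all
#   cache_peer_access parent2 allow to_parent2
#   cache_peer_access parent2 deny all

# Constructed user-to-parent table; a real helper would query a directory or file.
parent_for_user() {
    case "$1" in
        alice|bob) echo parent1 ;;
        carol)     echo parent2 ;;
        *)         return 1 ;;
    esac
}

# Build the reply for one request line sent by Squid.
# Only the first token (%LOGIN) is used; "-" or an empty field means no login.
helper_reply() {
    login=${1%% *}
    case "$login" in
        ''|-) echo "ERR"; return 0 ;;
    esac
    if parent=$(parent_for_user "$login"); then
        # OK plus the annotation that the note ACLs match later.
        echo "OK parent_=$parent"
    else
        # ERR: p0 does not match, so later http_access rules decide the request
        # and no parent annotation is attached to it.
        echo "ERR"
    fi
}

# Serve requests only when started by Squid with --serve (one reply per line).
if [ "${1:-}" = "--serve" ]; then
    while IFS= read -r line; do
        helper_reply "$line"
    done
fi
```

A request whose helper answer carries no `parent_` annotation matches none of the `note` ACLs, so every `cache_peer_access ... deny all` line applies and no parent is selected for it.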
