[squid-dev] Patches proposal

Amos Jeffries squid3 at treenet.co.nz
Wed Feb 17 17:29:20 UTC 2016


On 18/02/2016 5:59 a.m., William Lima wrote:
> Alex,
> 
> I'll implement according to your instructions.
> 
> William
> 
> ----- Original Message -----
> From: "Alex Rousskov" <rousskov at measurement-factory.com>
> To: squid-dev at lists.squid-cache.org
> Cc: "William Lima" <william.lima at hscbrasil.com.br>
> Sent: Friday, January 15, 2016 8:31:40 PM
> Subject: Re: [squid-dev] Patches proposal
> 
> On 01/15/2016 11:25 AM, William Lima wrote:
> 
>> I have two patches that might be useful, 
> 
> Thank you for sharing this useful code!
> 
> 
>> one of them (Redis) needs
>> some polishing if accepted. One adds the source (authenticated user
>> or IP) parameter for Cert Validation and 
> 
> Supplying metadata to Squid helpers should be done using the
> configurable "extras" concept instead of hard-coding an ever-growing
> list of often-unused-by-others parameters. I believe that principle
> should apply to certificate validation [and generation] helpers as well.
> 
> Please see url_rewrite_extras and store_id_extras for implementation
> examples.
> 
> 
>> the other uses Redis for certificate caches.
> 
> A polished version of this would be a very welcomed addition for busy
> bumping proxies IMO!
> 
> AFAICT, this polishing would require generalizing Ssl::CertificateDb
> into a base class providing open/get/put/close API to ssl_crtd and
> containing any code common to the supported db flavors. Two
> Ssl::CertificateDb kids would then cover the two known flavors:
> 
> * OpenSslDb: The current clunky on-disk OpenSSL cache (available if
> ssl_crtd was built with OpenSSL headers/library);
> 
> * RedisDb: A shiny Redis database client (available if ssl_crtd was
> built with Redis headers/library).
> 
> The selection between the two kids will be determined, in part, by a
> command line option.
> 


FYI: the model we have for helpers is that each backend type is
represented by a different helper binary that end-users configure to be
used (or not).
The OpenSSL local filesystem one is now called "security_file_certgen".
A Redis DB helper would be "security_redis_certgen".

Being able to build or omit helpers based on what the final environment
contains is important for our redistributors and portability.

Amos
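The base-class/kid split Alex sketches above (a CertificateDb providing open/get/put/close, with one kid per backend) is easier to see in code. The following is an added example written for this thread, not code from Squid or from either patch: `CertificateDb`, `MemoryDb`, `FileDb` and `makeDb` are hypothetical names. `FileDb` is a flat-file stand-in for the on-disk OpenSSL cache and `MemoryDb` a stand-in for a Redis client (no Redis library is used). `makeDb` selects the kid by a string option, as in Alex's command-line sketch; under the separate-binary model Amos describes, each helper would instead hard-wire one kid.

```cpp
// Added example (not Squid code): CertificateDb base class with two kids.
#include <cstdio>
#include <fstream>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Base class: the open/get/put/close API a certgen helper programs against.
class CertificateDb {
public:
    virtual ~CertificateDb() = default;
    virtual bool open() = 0;
    // Looks up a cached certificate (PEM text) by key; returns false on a miss.
    virtual bool get(const std::string &key, std::string &pemOut) = 0;
    virtual bool put(const std::string &key, const std::string &pem) = 0;
    virtual void close() = 0;
};

// Kid 1 (hypothetical): in-memory map standing in for a networked cache.
class MemoryDb : public CertificateDb {
    std::map<std::string, std::string> entries;
public:
    bool open() override { return true; }
    bool get(const std::string &key, std::string &pemOut) override {
        auto it = entries.find(key);
        if (it == entries.end()) return false;
        pemOut = it->second;
        return true;
    }
    bool put(const std::string &key, const std::string &pem) override {
        entries[key] = pem;
        return true;
    }
    void close() override { entries.clear(); }
};

// Kid 2 (hypothetical): one "key<TAB>pem" line per entry in a flat file,
// standing in for the on-disk OpenSSL cache. Newlines inside the PEM are
// written as the two characters "\n" so each entry stays on one line
// (PEM/base64 text never contains a backslash, so this is unambiguous).
class FileDb : public CertificateDb {
    std::string path;
    std::map<std::string, std::string> entries;
    bool dirty = false;

    static std::string escape(const std::string &s) {
        std::string out;
        for (char c : s) { if (c == '\n') out += "\\n"; else out += c; }
        return out;
    }
    static std::string unescape(const std::string &s) {
        std::string out;
        for (size_t i = 0; i < s.size(); ++i) {
            if (s[i] == '\\' && i + 1 < s.size() && s[i + 1] == 'n') { out += '\n'; ++i; }
            else out += s[i];
        }
        return out;
    }
public:
    explicit FileDb(std::string p) : path(std::move(p)) {}
    bool open() override {
        std::ifstream in(path);
        if (!in) return true;                          // missing file: empty cache
        std::string line;
        while (std::getline(in, line)) {
            auto tab = line.find('\t');
            if (tab == std::string::npos) continue;    // skip malformed lines
            entries[line.substr(0, tab)] = unescape(line.substr(tab + 1));
        }
        return true;
    }
    bool get(const std::string &key, std::string &pemOut) override {
        auto it = entries.find(key);
        if (it == entries.end()) return false;
        pemOut = it->second;
        return true;
    }
    bool put(const std::string &key, const std::string &pem) override {
        if (key.find('\t') != std::string::npos) return false;  // key would corrupt the line format
        entries[key] = pem;
        dirty = true;
        return true;
    }
    void close() override {                            // flush only if something changed
        if (!dirty) return;
        std::ofstream out(path, std::ios::trunc);
        for (const auto &kv : entries) out << kv.first << '\t' << escape(kv.second) << '\n';
        dirty = false;
    }
};

// Kid selection by option string; returns nullptr for an unsupported flavor.
std::unique_ptr<CertificateDb> makeDb(const std::string &flavor, const std::string &path) {
    if (flavor == "memory") return std::make_unique<MemoryDb>();
    if (flavor == "file") return std::make_unique<FileDb>(path);
    return nullptr;
}

int main(int argc, char **argv) {
    std::string flavor = argc > 1 ? argv[1] : "memory";   // e.g. ./certdb file
    auto db = makeDb(flavor, "/tmp/certgen_cache_example.txt");
    if (!db || !db->open()) return 1;
    // Constructed sample value, not a real certificate.
    db->put("example.test", "-----BEGIN CERTIFICATE-----\nMIIBsample\n-----END CERTIFICATE-----");
    std::string pem;
    bool hit = db->get("example.test", pem);
    db->close();
    return hit ? 0 : 1;
}
```

Everything the helper touches is the base API, so adding a real Redis kid later means writing one more class and one more `makeDb` branch (or, in the separate-binary model, one more helper that constructs that kid), without touching the certificate generation code.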

