[squid-dev] [PATCH] Fix external_acl problems

Christos Tsantilas christos at chtsanti.net
Thu Jan 28 19:10:24 UTC 2016


Hi all,

After the patch r14351 created the following problems:
  - external_acl requires AccessLogEntry but ALE is not available
    in many cases such as ssl_bump ACLs.
  - The %<cert_subject stopped working because it was supported by
    external_acl code and not by logformat code.

This patch:
   - Passes AccessLogEntry in most cases.
     For example, PeerConnector-related classes are now covered.
   - Implements the %<cert_subject formating code for logformat.


Still there are cases which are not handled correctly:
   - In the case of transparent SSL bumping, the patch uses a local 
AccessLogEntry to allow external_acl work with the ssl_bump access list.

  - The slow acls inside Ssl::PeerConnector can not support external_acl 
in the case of PeerPoolMgr

   - Most of the fast acls does not support ALE based acls. I know that 
currently the only ALE based acl is the external_acl, which is slow acl, 
but my opinion is that it is not bad idea  to support cases the 
external_acl result is stored in cache.

   - Also we need to check and review if the informations passed with 
the ALE is the same passed using the FilledChecklist object. This is not 
obvious.


This is a Measurement Factory project.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cert_subject_gone-t3.patch
Type: text/x-patch
Size: 42567 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20160128/85a5198a/attachment-0001.bin>


More information about the squid-dev mailing list