[squid-dev] effective acl for tcp_outgoing_address

Eliezer Croitoru ngtech1ltd at gmail.com
Thu Jan 14 12:47:00 UTC 2021


Sorry there was a typo.
There are a couple of places in the code that check ACLs.
IN -> PROXY PARSERS -> OUT

Fast ACLs are those for places in which we cannot or won't delay the request.
The places which can take slow ACLs are before the OUT (simplified example above).
You can apply slow ACLs at the http_access layer and the notes stay within the request/session.
But at the OUT stage squid will not "stop" or "hold" the request until the helper responds.

The IP address choice is at the "kernel" level so we must have the resolution for this "fast" and not "s-l-o-w".

I hope this answers you. If not .. ask again.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon


-----Original Message-----
From: Hideyuki Kawai <h.kawai at ntt.com> 
Sent: Thursday, January 14, 2021 2:22 PM
To: Eliezer Croitoru <ngtech1ltd at gmail.com>
Cc: squid-dev at lists.squid-cache.org
Subject: RE: [squid-dev] effective acl for tcp_outgoing_address

Dear Eliezer

Thank you for your reply.
Could you let me ask you about your comment?

Can a "slow acl" be used in tcp_outgoing_address?

Best regards,
Kawai

-------------------------------------
h.kawai at ntt.com
-------------------------------------
-----Original Message-----
From: Eliezer Croitoru <ngtech1ltd at gmail.com> 
Sent: Thursday, January 14, 2021 8:36 PM
To: Hideyuki Kawai(川井秀行) <h.kawai at ntt.com>
Cc: squid-dev at lists.squid-cache.org
Subject: RE: [squid-dev] effective acl for tcp_outgoing_address

It's more of a users' question.

Just to clear it up, the tcp_outgoing_address is a fast acl just when the decision is "required".
You can "pre-cook" the value of a specific note when the connection is only at the first http_access level.
An example of a setup which probably does what you want, based on htaccess passwords, you can find here:
https://github.com/elico/vagrant-squid-outgoing-addresses

It's a vagrant lab which demonstrates this.

Let me know if it helps you or you need clarification.

Eliezer
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon


-----Original Message-----
From: squid-dev <squid-dev-bounces at lists.squid-cache.org> On Behalf Of Hideyuki Kawai
Sent: Thursday, January 14, 2021 2:48 AM
To: squid-dev at lists.squid-cache.org
Subject: [squid-dev] effective acl for tcp_outgoing_address

Hi, this is Kawai.

Please let me send an inquiry as follows.

### Requirement ###
1. Kerberos auth with Active Directory: auth_param .....  <- success
2. "Security group" check which is gotten from AD: external_acl_type ... (using ext_kerberos_ldap_group_acl)  <- success
3. Different outgoing IP based on "Security group": tcp_outgoing_address + external_acl  <- fail

### Inquiry ###
1. "external_acl" cannot be used on tcp_outgoing_address, because the external_acl type is slow.
   Is my understanding correct?
2. If yes, how can I solve my requirement?

Please let me know your comments and knowledge.
Thanks in advance.

-------------------------------------
h.kawai at ntt.com
-------------------------------------
_______________________________________________
squid-dev mailing list
squid-dev at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
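
The "pre-cook a note at http_access, then match it with a fast ACL" approach described in the thread, as an added example that is not part of any message above or of the linked lab: a small external ACL helper together with the assumed squid.conf wiring. It relies on Squid storing key=value pairs from a helper reply as transaction annotations, which the `note` ACL type matches. The helper path, the note key `egress`, the ACL names, the addresses and the user-to-group table are hypothetical; the table stands in for the AD security-group lookup.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external ACL helper: map a login to an egress note.

Assumed squid.conf wiring (names, path and addresses are placeholders):

  external_acl_type egress_lookup ttl=300 %LOGIN /usr/local/bin/egress_note.py
  acl egress_known external egress_lookup
  # slow check: allowed here, the helper's note is stored on the transaction
  http_access allow egress_known
  http_access deny all
  # fast checks: these only read the stored note, no helper call
  acl egress_a note egress a
  acl egress_b note egress b
  tcp_outgoing_address 192.0.2.10 egress_a
  tcp_outgoing_address 192.0.2.20 egress_b
"""
import sys
from urllib.parse import unquote

# Constructed sample data standing in for the AD security-group lookup.
USER_GROUP = {"alice@EXAMPLE.COM": "a", "bob@EXAMPLE.COM": "b"}


def answer(line: str) -> str:
    """Return the helper reply for one request line (concurrency=0)."""
    fields = line.split()
    if len(fields) != 1:
        # BH tells Squid the helper could not process the request at all.
        return 'BH message="expected exactly one %LOGIN field"'
    user = unquote(fields[0])  # Squid URL-encodes format fields
    group = USER_GROUP.get(user)
    if group is None:
        return "ERR"  # no match: falls through to "http_access deny all"
    return f"OK egress={group}"  # key=value becomes a transaction note


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer


if __name__ == "__main__":
    main()
```
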