[squid-dev] effective acl for tcp_outgoing_address

Hideyuki Kawai h.kawai at ntt.com
Fri Jan 15 00:54:18 UTC 2021

Dear Amos, Alex, Eliezer,

Thank you for your support.
Sorry for my low experience and knowledge…

Your comment is helpful for me. Could you let me know more about the "note" ACL?
I cannot understand it, even after checking the website.

Q1. Could you let me know about the “note” ACL?
Q2. If possible, a sample config which uses (combines) “ext_kerberos_ldap_group_acl”, “tcp_outgoing_address” and the “note” ACL.

Again, thanks for your support.

Best regards,

From: squid-dev <squid-dev-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Friday, January 15, 2021 8:16 AM
To: Alex Rousskov <rousskov at measurement-factory.com>; squid-dev at lists.squid-cache.org
Subject: Re: [squid-dev] effective acl for tcp_outgoing_address

FYI, this use case is why recent versions of the kerberos auth helper being used in the OP config produce group= annotations for authenticated users. The note ACL mentioned can check for group SSID in any of the fast access checks.


-------- Original message --------
From: Alex Rousskov <rousskov at measurement-factory.com>
Date: Fri, 15 Jan 2021, 03:25
To: squid-dev at lists.squid-cache.org
Subject: Re: [squid-dev] effective acl for tcp_outgoing_address
On 1/13/21 7:47 PM, Hideyuki Kawai wrote:

> 1. "external_acl" can not use on tcp_outgoing_address. Because the
> external_acl type is slow. My understanding is correct?

Yes, your understanding is correct. There are cases where a slow ACL
"usually works" with a tcp_outgoing_address directive due to ACL caching
side effects, and there are many examples on the web abusing those side
effects, but you should not rely on such accidents when using modern
Squid versions.

> 2. If yes, how to solve my requirement?

Use an annotation approach instead. The "note" ACL is fast, and the
external ACL helper can annotate transactions (and connections) in
modern Squids. The only difficulty with this approach is to find a
directive that satisfies all of the conditions below:

1. supports slow ACLs
2. evaluated after the info needed by the external ACL helper is known
3. evaluated before tcp_outgoing_address

In many cases, http_access is such a directive, but YMMV.


P.S. FWIW, I can agree with one Eliezer statement on this thread: This
thread belongs to squid-users, not squid-dev.
squid-dev mailing list
squid-dev at lists.squid-cache.org
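An added example of the annotation approach Alex describes, put together here for this page; it is not a config from the thread, from the Squid project's documentation, or from any of the posters. The realm, SPN, helper paths, group names and outgoing addresses are placeholders, and the exact name and value of the annotation your helper version emits (Amos says group=) is an assumption you must confirm from the helper's output before trusting the note ACLs.

```conf
# Added example, not from the thread. Realm, SPN, paths, group names,
# addresses and the group= annotation format are ASSUMPTIONS: confirm
# what your ext_kerberos_ldap_group_acl build actually returns.

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on

# Slow external ACL: LDAP group lookup for the Kerberos-authenticated user.
# The groups to test are given to the helper with -g; a recent helper
# reports the matched group back as a group= annotation on the transaction.
external_acl_type kerb_group ttl=3600 negative_ttl=60 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g proxy-out-a@EXAMPLE.COM:proxy-out-b@EXAMPLE.COM
acl in_kerb_group external kerb_group

acl authenticated proxy_auth REQUIRED

# Fast "note" ACLs: match the annotation the helper left on the
# transaction. These do nothing useful until in_kerb_group has run.
acl grp_a note group proxy-out-a
acl grp_b note group proxy-out-b

# http_access supports slow ACLs, runs after the user name is known and
# before the outgoing connection is chosen, so it is where the helper
# is forced to execute (condition 1-3 from the reply above).
http_access deny !authenticated
http_access allow in_kerb_group
http_access deny all

# tcp_outgoing_address takes only fast ACLs: reference the note ACLs,
# never in_kerb_group itself. The last line is the default.
tcp_outgoing_address 192.0.2.10 grp_a
tcp_outgoing_address 192.0.2.11 grp_b
tcp_outgoing_address 192.0.2.1
```

Two checks worth doing before relying on this: run `squid -k parse` so a typo in a note ACL is caught at load time, and trace one request per group in cache.log (raise the ACL debug section, e.g. `debug_options ALL,1 28,5`) to confirm that grp_a or grp_b actually matched at the tcp_outgoing_address step. The failure mode to watch for is silent: if some earlier http_access line allows the request before in_kerb_group is evaluated, no annotation is set, neither note ACL matches, and the traffic quietly leaves from the default address rather than being denied. Keep the external ACL check as the only allow path for those users, and treat the default tcp_outgoing_address as the "unclassified" egress when reviewing firewall rules on the far side.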