[squid-dev] effective acl for tcp_outgoing_address

NgTech LTD ngtech1ltd at gmail.com
Fri Jan 15 09:08:28 UTC 2021


If you provide a squid.conf, we can try to use it and give you an
example.

On Fri, Jan 15, 2021, 02:54 Hideyuki Kawai <h.kawai at ntt.com> wrote:

> Dear Amos, Alex, Eliezer,
>
> Thank you for your support.
>
> Sorry for my low experience and knowledge…
>
> Your comment is helpful for me, and could you let me know more about
> "note" ACL.
>
> I can not understand it, even checking the website.
>
> Q1. Could you let me know about “note” ACL?
>
> Q2. If possible, sample config which is using (combined)
> “ext_kerberos_ldap_group_acl” and “tcp_outgoing_address” and “note ACL”.
>
> Again, thanks for your support.
>
> Best regards,
>
> Kawai
>
> *From:* squid-dev <squid-dev-bounces at lists.squid-cache.org> *On Behalf Of*
> Amos Jeffries
> *Sent:* Friday, January 15, 2021 8:16 AM
> *To:* Alex Rousskov <rousskov at measurement-factory.com>;
> squid-dev at lists.squid-cache.org
> *Subject:* Re: [squid-dev] effective acl for tcp_outgoing_address
>
>
>
> FYI, this use case is why recent versions of the kerberos auth helper being
> used in the OP config produce group= annotations for authenticated users.
> The note ACL mentioned can check for group SSID in any of the fast access
> checks.
>
> Amos
>
>
>
> -------- Original message --------
> From: Alex Rousskov <rousskov at measurement-factory.com>
> Date: Fri, 15 Jan 2021, 03:25
> To: squid-dev at lists.squid-cache.org
> Subject: Re: [squid-dev] effective acl for tcp_outgoing_address
>
> On 1/13/21 7:47 PM, Hideyuki Kawai wrote:
>
> > 1. "external_acl" can not use on tcp_outgoing_address. Because the
> > external_acl type is slow. My understanding is correct?
>
>
> Yes, your understanding is correct. There are cases where a slow ACL
> "usually works" with a tcp_outgoing_address directive due to ACL caching
> side effects, and there are many examples on the web abusing those side
> effects, but you should not rely on such accidents when using modern
> Squid versions.
>
>
> > 2. If yes, how to solve my requirement?
>
> Use an annotation approach instead. The "note" ACL is fast, and the
> external ACL helper can annotate transactions (and connections) in
> modern Squids. The only difficulty with this approach is to find a
> directive that satisfies all of the conditions below:
>
> 1. supports slow ACLs
> 2. evaluated after the info needed by the external ACL helper is known
> 3. evaluated before tcp_outgoing_address
>
> In many cases, http_access is such a directive, but YMMV.
>
>
> HTH,
>
> Alex.
> P.S. FWIW, I can agree with one Eliezer statement on this thread: This
> thread belongs to squid-users, not squid-dev.
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
>
>
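
The annotation approach described in the quoted replies, as an added squid.conf sketch that is not taken from any participant's configuration. It assumes the Kerberos authentication helper emits group= annotations as stated in the thread; the helper paths, service principal, realm, group names, outgoing addresses (documentation range 192.0.2.0/24) and the group annotation values are placeholders.

```conf
# --- Pattern the thread says not to rely on --------------------------------
# An "external" ACL is slow, and tcp_outgoing_address only supports fast ACLs.
# It may appear to work through ACL caching side effects, but the address
# selection is then not guaranteed.
#
# external_acl_type ldap_group ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g GROUP_A@EXAMPLE.COM
# acl in_group_a external ldap_group
# tcp_outgoing_address 192.0.2.10 in_group_a

# --- Annotation approach ----------------------------------------------------
# Authentication runs during http_access, which supports slow ACLs and is
# evaluated before tcp_outgoing_address. The helper's group= annotations are
# attached to the transaction at that point.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl authenticated proxy_auth REQUIRED

# Fast "note" ACLs: match the value of the group= annotation.
# Replace the placeholders with the exact group values that the helper
# reports for your directory groups.
acl group_a note group GROUP_A_VALUE_PLACEHOLDER
acl group_b note group GROUP_B_VALUE_PLACEHOLDER

# Slow checks happen here, so unauthenticated requests never reach the
# outgoing-address selection.
http_access deny !authenticated
http_access allow authenticated
http_access deny all

# Only fast ACLs are referenced below. The first matching line wins; the last
# line is the default for authenticated users that are in neither group.
tcp_outgoing_address 192.0.2.10 group_a
tcp_outgoing_address 192.0.2.20 group_b
tcp_outgoing_address 192.0.2.1
```

Validate the file with `squid -k parse` before reloading.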