[squid-dev] effective acl for tcp_outgoing_address

Hideyuki Kawai h.kawai at ntt.com
Wed Jan 20 04:35:56 UTC 2021 

Dear Mr.Alex,

Thank you very much for your reply.

I have one more question about slow acl type related with tcp_outgoing_address.
(I give up the solution based on "AD security group.)

Then, I would like to map ip address based on username which is required proxy_auth (kerberos).
Because, based on the squid docs (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/), tcp_outgoing_address can map based on "username".
However, such acl types (ident, proxy_auth) are slow type. (http://www.squid-cache.org/Doc/config/acl/)
So, it seems also can not use to cp_outgoing_address.... (I confused.)

Do you have any comment?
If you give some comment my question, it is helpful for my understanding...

====== reference (http://www.squid-cache.org/Doc/config/acl/) ======
	acl aclname ident [-i] username ...
	acl aclname ident_regex [-i] pattern ...
	  # string match on ident output [slow]
	  # use REQUIRED to accept any non-null ident.

	acl aclname proxy_auth [-i] username ...
	acl aclname proxy_auth_regex [-i] pattern ...
	  # perform http authentication challenge to the client and match against
	  # supplied credentials [slow]
	  #
	  # takes a list of allowed usernames.
	  # use REQUIRED to accept any valid username.
	  #
	  # Will use proxy authentication in forward-proxy scenarios, and plain
	  # http authenticaiton in reverse-proxy scenarios
	  #
	  # NOTE: when a Proxy-Authentication header is sent but it is not
	  # needed during ACL checking the username is NOT logged
	  # in access.log.
	  #
	  # NOTE: proxy_auth requires a EXTERNAL authentication program
	  # to check username/password combinations (see
	  # auth_param directive).
	  #
	  # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
	  # as the browser needs to be configured for using a proxy in order
	  # to respond to proxy authentication.
======================

Best regards,
Kawai

-------------------------------------
h.kawai at ntt.com
-------------------------------------

-----Original Message-----
From: Alex Rousskov <rousskov at measurement-factory.com> 
Sent: Thursday, January 14, 2021 11:25 PM
To: squid-dev at lists.squid-cache.org
Cc: Hideyuki Kawai(川井秀行) <h.kawai at ntt.com>
Subject: Re: [squid-dev] effective acl for tcp_outgoing_address

On 1/13/21 7:47 PM, Hideyuki Kawai wrote:

> 1. "external_acl" can not use on tcp_outgoing_address. Because the 
> external_acl type is slow. My understanding is correct?


Yes, your understanding is correct. There are cases where a slow ACL "usually works" with a tcp_outgoing_address directive due to ACL caching side effects, and there are many examples on the web abusing those side effects, but you should not rely on such accidents when using modern Squid versions.


> 2. If yes, how to solve my requirement?

Use an annotation approach instead. The "note" ACL is fast, and the external ACL helper can annotate transactions (and connections) in modern Squids. The only difficulty with this approach is to find a directive that satisfies all of the conditions below:

1. supports slow ACLs
2. evaluated after the info needed by the external ACL helper is known 3. evaluated before tcp_outgoing_address

In many cases, http_access is such a directive, but YMMV.


HTH,

Alex.
P.S. FWIW, I can agree with one Eliezer statement on this thread: This thread belongs to squid-users, not squid-dev.

More information about the squid-dev mailing list