[squid-dev] effective acl for tcp_outgoing_address

Alex Rousskov rousskov at measurement-factory.com
Wed Jan 20 19:48:17 UTC 2021

On 1/19/21 11:35 PM, Hideyuki Kawai wrote:

> I would like to map ip address based on username which is required proxy_auth (kerberos).
> Because, based on the squid docs (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/), tcp_outgoing_address can map based on "username".
> However, such acl types (ident, proxy_auth) are slow type. (http://www.squid-cache.org/Doc/config/acl/)
> So, it seems they also cannot be used with tcp_outgoing_address.... (I am confused.)

You should be discussing this on squid-users, not squid-dev.

I hear several questions in your email:

Q1: Are ident and proxy_auth ACLs slow?

Answer: They are slow when the transaction first encounters them because
the first encounter triggers various (slow/asynchronous) authentication

However, IIRC, these ACLs become fast when the same transaction has been
successfully authenticated already -- post-authentication, Squid just
needs to check whether the already authenticated user matches the name
in the ACL parameter. That check can be performed instantaneously.

You may see the first authentication-related rule to have a special
REQUIRED keyword instead of a specific user name. Once that rule is
(slowly) evaluated for a transaction, that transaction can treat
specific authentication ACLs as "fast".

Q2: How to use a slow ACL with a directive that only supports fast ACLs?

Answer: Do not use a slow ACL with a directive that only supports fast
ACLs. Instead, use a slow ACL with an earlier directive that supports
slow ACLs _and_ remember the result of that earlier evaluation. To
remember the result of any ACL evaluation, use annotate_transaction or
annotate_client ACLs. To recall that result, use a note ACL.

Every transaction in Squid goes through a series of directives. In most
cases, if your directive DF cannot handle slow ACLs, there is an earlier
directive DS that can:

  * directive1
  * directive2
  * http_access
  * tcp_outgoing_address
  * directive30

In many cases, http_access is a directive that is suitable for slow ACL
evaluation. YMMV.

Q3: Would not evaluating an ACL in the "wrong" directive change
transaction processing?

Answer: By itself, ACL evaluation does not trigger directive
application. The directive is applied only if all first-level ACLs in
the directive rule match. If necessary, this can be used to successfully
evaluate an ACL without triggering the directive application.

For example, the following http_access rule will never match, but, if it
is reached (i.e. if http_access is evaluated but all previous rules, if
any, do not match), it will annotate the transaction (or the client) as
a transaction (or client) that should be using a specific outgoing address.

  acl userIsBob proxy_auth Bob
  acl markToUseAddressX annotate_client address=x
  http_access deny userIsBob markToUseAddressX !all

  acl markedToUseAddressX note address x
  tcp_outgoing_address x markedToUseAddressX

If you need to do many annotations, then you can either create many
http_access rules or, using basic boolean logic and all-of and any-of
ACLs, it is possible to group all those annotations into one top-level ACL:

  http_access deny annotateAsNeeded !all

Again, nothing is denied here.



> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com> 
> Sent: Thursday, January 14, 2021 11:25 PM
> To: squid-dev at lists.squid-cache.org
> Cc: Hideyuki Kawai(川井秀行) <h.kawai at ntt.com>
> Subject: Re: [squid-dev] effective acl for tcp_outgoing_address
> On 1/13/21 7:47 PM, Hideyuki Kawai wrote:
>> 1. "external_acl" can not use on tcp_outgoing_address. Because the 
>> external_acl type is slow. My understanding is correct?
> Yes, your understanding is correct. There are cases where a slow ACL "usually works" with a tcp_outgoing_address directive due to ACL caching side effects, and there are many examples on the web abusing those side effects, but you should not rely on such accidents when using modern Squid versions.
>> 2. If yes, how to solve my requirement?
> Use an annotation approach instead. The "note" ACL is fast, and the external ACL helper can annotate transactions (and connections) in modern Squids. The only difficulty with this approach is to find a directive that satisfies all of the conditions below:
> 1. supports slow ACLs
> 2. evaluated after the info needed by the external ACL helper is known
> 3. evaluated before tcp_outgoing_address
> In many cases, http_access is such a directive, but YMMV.
> HTH,
> Alex.
> P.S. FWIW, I can agree with one Eliezer statement on this thread: This thread belongs to squid-users, not squid-dev.
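
The grouping into one top-level ACL that the reply above describes, written out as an added squid.conf example; it is not part of the original message or of the Squid documentation. The user names, the "egress" annotation key and the 192.0.2.x addresses are constructed placeholders, and an auth_param scheme (Kerberos/Negotiate in the question) is assumed to be configured already.

```conf
# Added example. Assumes auth_param is already configured elsewhere.
# User names, the "egress" key and the addresses are constructed.

# Slow step: the first proxy_auth rule (REQUIRED) triggers authentication.
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated

# Once the transaction is authenticated, these only compare user names.
acl userIsBob   proxy_auth bob@EXAMPLE.COM
acl userIsAlice proxy_auth alice@EXAMPLE.COM

# Annotating ACLs always match; their side effect is the annotation.
# annotate_transaction marks only this request. annotate_client (used in
# the message above) marks the client connection, so the mark carries over
# to later requests on that connection.
acl markEgressA annotate_transaction egress=a
acl markEgressB annotate_transaction egress=b

# all-of = AND: the annotation is applied only if the user check matched.
acl bobGetsA   all-of userIsBob   markEgressA
acl aliceGetsB all-of userIsAlice markEgressB

# any-of = OR: evaluation stops at the first group that matches.
acl annotateAsNeeded any-of bobGetsA aliceGetsB

# Never matches because of "!all", so nothing is denied here; the rule
# exists only to evaluate annotateAsNeeded inside http_access.
http_access deny annotateAsNeeded !all

# The real access decision follows.
http_access allow authenticated
http_access deny all

# Fast step: recall the stored result with note ACLs.
acl useEgressA note egress a
acl useEgressB note egress b
tcp_outgoing_address 192.0.2.10 useEgressA
tcp_outgoing_address 192.0.2.11 useEgressB
```

Transactions that receive no annotation match neither tcp_outgoing_address rule and keep the default outgoing address. Running "squid -k parse" against the edited file checks the syntax before a reload.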
