[squid-users] annotation and fast / slow acl

FUSTE Emmanuel emmanuel.fuste at thalesgroup.com
Tue Jun 20 12:55:26 UTC 2017


Hello,

Thank you, it helps a lot and clarifies things.


Emmanuel.

On 20/06/2017 at 14:46, Amos Jeffries wrote:
> On 20/06/17 22:55, FUSTE Emmanuel wrote:
>> Hello,
>>
>> I need to select a cache peer based on the user group.
>> As cache_peer_access needs a fast acl to have a predictable result, I tried to
>> - annotate transactions with "note"
>> - match the annotation with a fast acl
>> - use the acl in the cache_peer_access directive
>>
>> But I still got a warning about slow acl in use where fast are required.
>> Am I missing something?
> The 'note' directive (different from the note ACL type) itself is a
> "fast" access control whose purpose is to add things into the log file.
> It only does its thing at the termination of a transaction right before
> logging.
>
>
> What you are wanting is to alter the external_acl_type helper (or write
> a script wrapper for it that changes the output). Such that when Squid
> sends it a lookup it generates a response to Squid saying something
> like this:
>
>    OK profil="$group_name"
>
> (where $group_name, is the group which matched)
>
>
> When that is working you can also vastly simplify your squid.conf by
> replacing all these:
>
>     acl StandardUser external ldap_group ACCESINTERNET
>     acl VIPUser external ldap_group ACCESCHARGEDECOM
>     acl NoNetUser external ldap_group INITIAL
>
> ... with a single helper ACL test:
>     acl group external ldap_group ACCESINTERNET ACCESCHARGEDECOM INITIAL
>
> ... which gets run only for authenticated users:
>     http_access deny !AuthorizedUsers
>     http_access allow group
>
> ... and use the note ACLs to do all your other access controls:
>     acl StandardUser note profil ACCESINTERNET
>     acl VIPUser note profil ACCESCHARGEDECOM
>     acl NoNetUser note profil INITIAL
>
>
>
> PS.
>> maximum_object_size_in_memory 50 MB
>> logformat squid [%tl] %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
> FYI: please do not try to define that "squid" log format in squid.conf.
> Squid does not follow that instruction, and may do unexpected things as
> a result. The latest releases will refuse to start if squid.conf
> contains these.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
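
The helper change described in the quoted reply, as an added example that is not part of the original thread and not Squid's own helper code: a small external ACL helper that answers each lookup with the group that matched. It assumes Squid sends "user group1 group2 ..." lines with URL-escaped fields and no concurrency channel-ID; SAMPLE_MEMBERS, in_group and answer are hypothetical names, and the membership table is constructed data standing in for the real LDAP query.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: reply OK profil="<group>" for the first match."""
import re
import sys
from urllib.parse import unquote

# Constructed membership data (assumption); a real helper would ask LDAP.
SAMPLE_MEMBERS = {
    "ACCESINTERNET": {"alice"},
    "ACCESCHARGEDECOM": {"bob"},
    "INITIAL": {"carol"},
}

# Only echo group names made of safe characters, so a value can never
# break out of the quoted string and inject extra key=value pairs.
SAFE_GROUP = re.compile(r"^[A-Za-z0-9_.-]+$")


def in_group(user, group):
    """Hypothetical lookup: is `user` a member of `group`?"""
    return user in SAMPLE_MEMBERS.get(group, set())


def answer(line, lookup=in_group):
    """Turn one lookup line from Squid into one reply line (no newline)."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"  # need a user name and at least one group
    user, groups = fields[0], fields[1:]
    for group in groups:
        if not SAFE_GROUP.match(group):
            continue  # never reflect unexpected characters back to Squid
        if lookup(user, group):
            # The user name is client-supplied and is deliberately not echoed.
            return 'OK profil="%s"' % group
    return "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    main()
```

The groups are tested in the order they are listed on the acl line, so a user who belongs to several of them gets the first listed match as the profil value.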

