[squid-users] What happens when duplicate external_acl_type are mentioned

Amish anon.amish at gmail.com
Sat Dec 1 05:32:33 UTC 2018


Hello,

PREFACE:
---------

I have a squid.conf file which includes 2 files.

include pre.conf
include main.conf

main.conf will never be changed and contains most of the config and an 
external acl helper with roughly the following directives:

external_acl_type ipuser queue-size=40 ttl=120 children-max=1 children-startup=1 concurrency=20 %>a /usr/lib/squid/ip_to_user
acl proxyuser external ipuser
http_access deny !proxyuser

This helper simply reads IP address and returns username (OK user=xyz) 
or ERR.

Squid blocks the access if no user was found.


SPECIAL CASE HACK:
-------------------

Sometimes we switch to basic proxy authentication via database and do 
not require IP to user conversion.

So I add the following lines to pre.conf

auth_param basic program /usr/lib/squid/basic_db_auth <arguments>
external_acl_type ipuser queue-size=40 ttl=120 children-max=1 children-startup=1 concurrency=20 %>a %ul /usr/lib/squid/ip_to_user

%ul - forces squid to ask for authentication and same is passed to 
ip_to_user.

ip_to_user detects that user is already known and hence returns same 
user back without processing IP address.

This works as expected but I have a question / doubt.


QUESTION:
----------

Effectively squid.conf now has two external_acl_type lines with same 
name. (ipuser)

First one has %ul and other one does not.

From my tests - first one gets the priority and second one is ignored 
by squid.

So my questions are:
1) Can I assume this to be always true?
2) Can there be a case where second gets called instead of first?
3) Can I expect this assumption to remain the same in future too?

Please guide.

Thank you in advance.

Regards,

Amish.
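
A configuration lint for the situation described in the message above, as an added example that is not part of the original post and is not Squid code: it follows `include` lines in reading order and reports every `external_acl_type` name that is defined more than once, with the format codes of each definition. It does not decide which definition Squid uses; it assumes include paths without wildcards and no continued lines, and the sample files are constructed from the post.

```python
import sys
from collections import defaultdict

# Constructed sample mirroring the files in the post (wrapped lines joined).
OPTS = "queue-size=40 ttl=120 children-max=1 children-startup=1 concurrency=20"
SAMPLE = {
    "squid.conf": "include pre.conf\ninclude main.conf\n",
    "pre.conf": "auth_param basic program /usr/lib/squid/basic_db_auth <arguments>\n"
                f"external_acl_type ipuser {OPTS} %>a %ul /usr/lib/squid/ip_to_user\n",
    "main.conf": f"external_acl_type ipuser {OPTS} %>a /usr/lib/squid/ip_to_user\n"
                 "acl proxyuser external ipuser\nhttp_access deny !proxyuser\n",
}

def read_file(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def flatten(path, read=read_file):
    """Yield (file, line number, tokens) in reading order, following 'include'."""
    for lineno, raw in enumerate(read(path).splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        if tokens[0] == "include":
            for included in tokens[1:]:
                yield from flatten(included, read)
        else:
            yield path, lineno, tokens

def duplicate_external_acls(root, read=read_file):
    """Map each external_acl_type name defined more than once to its definitions."""
    seen = defaultdict(list)
    for path, lineno, tokens in flatten(root, read):
        if tokens[0] == "external_acl_type" and len(tokens) > 2:
            fmt = [t for t in tokens[2:] if t.startswith("%")]  # format codes
            seen[tokens[1]].append((path, lineno, fmt))
    return {name: defs for name, defs in seen.items() if len(defs) > 1}

def report(dups):
    """One line per definition, noting whether the format codes disagree."""
    lines = []
    for name, defs in dups.items():
        same = len({tuple(fmt) for _, _, fmt in defs}) == 1
        note = "same format" if same else "formats differ"
        for path, lineno, fmt in defs:
            lines.append(f"{name}: {path}:{lineno} {' '.join(fmt)} ({note})")
    return lines

if __name__ == "__main__":
    args = (sys.argv[1],) if len(sys.argv) > 1 else ("squid.conf", SAMPLE.__getitem__)
    print("\n".join(report(duplicate_external_acls(*args))))
```

Run with the path to a real squid.conf as the only argument, from the directory its relative include paths resolve against; with no argument it checks the constructed sample.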

