[squid-users] What happens when duplicate external_acl_type are mentioned

Amish anon.amish at gmail.com
Sat Dec 1 14:17:28 UTC 2018

On 01/12/18 5:24 pm, Amos Jeffries wrote:
> On 2/12/18 12:15 am, Amish wrote:
>> Thank you for your quick response.
>> So if I pass %ul to external_acl_type, but dont use any auth_param,
>> squid dies with an error.
>> "Can't use proxy auth because no authentication schemes are fully
>> configured"
>> Is it possible for squid to not to die but instead warn and then just
>> pass "-" (dash) for %ul?
> The %ul code will generate an auth challenge exchange if no username is
> available. So the auth system must be setup with parameters to use in
> that challenge.
> Use %un for when username is optional.

With %un I have a problem.

I have referenced to external acl twice in my squid.conf.

Simplified setup:

external_acl_type ipuser queue-size=40 ttl=120 children-max=1 
children-startup=1 concurrency=20 %>a %un /usr/lib/squid/ip_to_user
acl proxyuser external ipuser
http_access allow proxyuser restrictedports
http_access allow proxyuser restrictedsites

where some ports and some sites are allowed only for some users.

so when I try %un (with no auth param set), external acl helper gets 
request two times.

First time with "-" and then again with username that external acl 
helper itself replied with.

Squid sends: 1 - -
Helper reply: 1 OK user=local
Squid sends: 2 local -

(Dash at end is due to automatic addition of %DATA macro by squid)

1 was triggered by first http_access line and
2 was triggered by second http_access because %un is either %ul or %ue 
(which is now known due to 1)

In my case, it becomes completely unnecessary and an additional processing.

That is why I was thinking of additional macro %uL (capital L)



More information about the squid-users mailing list