[squid-users] Display eCAP meta-information on Squid error-page

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 5 10:51:27 UTC 2018

On 05/06/18 21:27, chgerber wrote:
> "It is best to use %note logformat %code for logging annotations. 
> The %adapt::<last_h code is meant for adaptation services debugging (and 
> to work around the current ICAP code lack of support for annotations)." 
> How exactly can I use %note to log the same information to access.log? For
> example assume I use "%{my-ecap-header}adapt::<last_h" how can I log the
> same using %note as you suggested? 


or %<h{header-name}

or %>h{header-name}

Depending on how your adaptor produces it. As an annotation (note) or as
an HTTP message header to be delivered to the client or server.

> Related question: 
> Can I apply ACL's to annotations served by eCAP adapters. Say when
> %{my-ecap-header}adapt::<last_h or the same solution with %note respectively
> (see first part of post) returns "bad" I want squid to deny the access and
> grant access when it returns "good"? I know about the eCAP specific
> virginBlock() function.

That sounds like a rather inefficient use of an adaptor.

The adaptor API purpose is to alter HTTP messages as they travel through
the proxy, not to be a substitute for access control logic already
available in the proxy. So what your adaptor SHOULD be doing is simply
producing the 403 Forbidden message itself.

By using a header as described you are forcing Squid to:
  receive adapted message from eCAP
  re-parse that altered message,
  erase that altered message,
  generate a new denial (403) message, and
  deliver to client.

Instead of:
 receive adapted (403) message from eCAP
  re-parse that altered message,
 deliver to client.

As you can see its a whole extra round of message processing and memory
allocation. Doubling the CPU cycles spent, and the traffic latency costs
incurred by using the proxy.

There is an "external ACL" interface provided for complex authorization
logics to be offloaded to a helper process with more capabilities than
the proxy. That should be used instead of eCAP/ICAP adaptors.


More information about the squid-users mailing list