[squid-users] Display eCAP meta-information on Squid error-page

Alex Rousskov rousskov at measurement-factory.com
Tue Jun 5 15:59:38 UTC 2018

On 06/05/2018 04:51 AM, Amos Jeffries wrote:

> The adaptor API purpose is to alter HTTP messages as they travel through
> the proxy, not to be a substitute for access control logic already
> available in the proxy.

This statement is incorrect for legitimate use cases where the required
access control logic is not supported by Squid internally. A typical
alternation-free example is content analysis (which Squid ACLs cannot

> So what your adaptor SHOULD be doing is simply
> producing the 403 Forbidden message itself.

Sometimes, that is the best solution indeed, but it may also be a bad
solution in some cases because it can be slower and because it
duplicates (or discards) a lot of advanced functionality already
implemented in Squid. The rule of thumb here is "If Squid can generate
the right blocking message, use Squid (instead of the adapter) to
generate the right blocking message".

> By using a header as described you are forcing Squid to:
>   receive adapted message from eCAP
>   re-parse that altered message,
>   erase that altered message,
>   generate a new denial (403) message, and
>   deliver to client.

Adapter implementors are not "forced" to use the above sequence of
steps: The first three steps do not have to happen (they are optional).
An optimized adapter implementation that lets Squid generate the
blocking message is limited to the last two steps from your list:

   generate a new denial (403) message, and
   deliver to client.

> There is an "external ACL" interface provided for complex authorization
> logics to be offloaded to a helper process with more capabilities than
> the proxy. That should be used instead of eCAP/ICAP adaptors.

An adapter may be a better solution than the external ACL in some cases.
The actual decision logic here is roughly as follows:

* If built-in ACLs alone are sufficient, then
  use just the built-in ACLs. They are usually simpler and faster.

* If an external ACL is sufficient and performance is not an issue, then
  use an external ACL. It is a lot simpler to implement than an adapter.

* If the decision logic involves message body analysis, then
  use an eCAP adapter or an ICAP service. Others do not get content.

* Otherwise, carefully evaluate external ACLs vs eCAP adapter choice
  given your use case specifics. eCAP can be faster than an external
  ACL or vice versa.



More information about the squid-users mailing list