[squid-users] Help: squid restarts and squidGuard die

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 25 00:48:02 UTC 2018


On 25/09/18 7:07 AM, Marcus Kool wrote:
> The sub-thread starts with "do not use the url rewriter helper because
> of complexity"

The thread started earlier than that, with essentially "move simple
rules to squid.conf"

On 18/09/18 6:38 AM, Amos Jeffries wrote:
>
> I recommend you convert as many of your filtering rules as you can into
> normal Squid ACLs. Traffic which is being blocked for simple reasons can
> be done much more efficiently by Squid than a helper.
>

The statement about the helper being complex came later after a
misunderstanding by the OP about what the tools were used for.

You are paraphrasing in a way which changes the meaning of my actual
statement. I was clearly and explicitly advising the OP to work towards
"less complexity" and pointing out that the helper (any helper) is
complex and to be avoided when a simpler solution is also available.


> and ends with that the (not less complex) external acl helpers are fine
> to use.

They are ... when needed. Having them do everything from src-IP check to
re-authenticating a login Squid already authenticated passed it is
needless extra complexity as a long-term solution.


> And in between there is an attempt to kill the URL rewriter interface.
> 

No, just the use of the rewriters for access control. In the context of
an OP who is using a rewriter for a fairly simple set of blacklist and
whitelist of traffic - which got diverted into a debate of Squid vs
re-writer feature comparisons.

You brought up the topic of removing the interface. As I responded then,
there are still use-cases for it. Just, access control is not one of
those cases.


> It would be a lot less confusing if you started with something like
>    I do not like the URL rewriter interface, use the external acl one
> 

That would be only a small amount better (improvement in principle, no
longer destructive for the state lost when re-writing - still complex in
practice). I am pointing the OP at something that should work a bit
better than even that semi-theoretical improvement. They may or may not
end up with a helper still being used, but either way re-assessing this
1980s-style config will improve their situation for modern traffic.


>>> ufdbGuard supports dynamic lists of users, domains and source ip
>>> addresses which are updated every X minutes without any service
>>> interruption.
>>
>> So does Squid, via external ACL and/or authentication.
> 
> Aren't you confusing what Squid itself and what Squid+helpers can do?

There is crossover. Though we are delving into realms of principle here.
The data available to the helper running on the URL-rewrite interface is
quite limited - the other interfaces (external ACL in particular) have
wider scope and much more flexibility in what Squid can do with them.

For example, SG and ufdbGuard may be able to load dynamic lists of users,
but cannot make Squid generate an authentication challenge with the correct
parameters to authenticate those users. They can only re-check an
already authenticated username (without access to the password details)
or rewrite/redirect to a third-party server that does so.
Whereas looking up users in some "dynamic list" without needing a
reconfigure of Squid is pretty much the essence of what auth user/group
helpers do. It is rare to find a never-changing list of users.

Amos
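Where the thread contrasts the URL-rewriter with the external ACL interface and "dynamic lists" that update without a Squid reconfigure, the following is an added example, not code from the thread nor from Squid, squidGuard or ufdbGuard: a minimal external_acl_type helper that reads one %DST host per request line, answers OK/ERR/BH, and re-reads its domain list whenever the file's mtime changes. The squid.conf wiring it assumes is hypothetical: `external_acl_type domblock ttl=60 %DST /usr/local/bin/domblock.py /etc/squid/blocked.txt`, `acl blocked external domblock`, `http_access deny blocked`.

```python
"""Minimal Squid external_acl_type helper: blocks destination domains listed in a
file that is re-read whenever it changes, so Squid never needs a reconfigure."""
import os, sys, tempfile

class DomainList:
    """Holds the listed domains; reloads the file when its mtime changes."""
    def __init__(self, path):
        self.path, self.mtime, self.domains = path, None, set()

    def refresh(self):
        try:
            mtime = os.stat(self.path).st_mtime
        except FileNotFoundError:          # missing list: block nothing
            self.mtime, self.domains = None, set()
            return
        if mtime != self.mtime:            # changed on disk: reload in place
            with open(self.path) as f:
                self.domains = {l.strip().lower().lstrip(".") for l in f
                                if l.strip() and not l.startswith("#")}
            self.mtime = mtime

    def matches(self, host):
        """True if host or any parent domain is listed (dstdomain-style match)."""
        self.refresh()
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

def answer(dl, line):
    """One request line (the %DST host) -> OK (ACL matches), ERR, or BH."""
    parts = line.split()
    if not parts:
        return "BH message=empty-request"
    return "OK" if dl.matches(parts[0]) else "ERR"

def demo():
    """Run the helper logic over a constructed list; returns the four replies."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("# constructed sample list\nads.example\n.tracker.example\n")
    dl = DomainList(f.name)
    replies = [answer(dl, h) for h in
               ("www.ads.example", "example.org", "cdn.tracker.example", "")]
    os.unlink(f.name)
    return replies  # ['OK', 'ERR', 'OK', 'BH message=empty-request']

if __name__ == "__main__":  # Squid drives the helper over stdin/stdout
    dl = DomainList(sys.argv[1])
    for req in sys.stdin:
        print(answer(dl, req), flush=True)
```

With `http_access deny blocked`, an `OK` reply means the request is denied; as the thread says, the simple static part of such a list still belongs in a plain `dstdomain` ACL rather than in any helper.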

