[squid-users] Best practice for adding or removing ACLs dynamically ?

Eliezer Croitor ngtech1ltd at gmail.com
Sun Nov 1 00:40:58 UTC 2020

Hey Roee,

I am trying to understand what part of squid.conf you want to be able to change without a reconfigure/reload?
If you have many users, ie above 50 you should probably not use a simple ncsa_auth although  it's possible and in more then one case is preferable.
You could probably write your own basic auth helper that will interact with a DB which will probably simplify your whole setup.
(You can use existing basic auth helpers with mysql or ldap)

As for the tcp_outgoing_address, it’s a whole different story.
Since it's a "fast" acl type the options to do something dynamic with it are an issue.
(Maybe eCAP/ICAP service or a "pre-cooked" note or other factor to the acl can be used)

I am pretty sure that if an authentication service can reply with a note ie connection annotation then it can be used for the address selection.
One issue with it is that It will be valid for the next X ttl seconds/minutes/hours.

I do believe that there should be a way to allow something like external_acl helper to affect this squid feature.
I was thinking that an eCAP or an ICAP service or an external_acl helper can add a note for a connection based on couple other factors like:
* src ip
* auth username
* request domain or request sni
* ...

So let say the proxy will have a set of 100 addresses, each will have a single specific matching acl for a request header or connection annotation/note.
This way the selection of a tcp_outgoing_address would be a little less complex the it is today.

I have couple other ideas for implementations which I have experimented with but the proxy admin need to learn how these work which might be
a bit complicated some times.

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of roee klinger
Sent: Saturday, October 31, 2020 2:35 AM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Best practice for adding or removing ACLs dynamically ?

I have Squid configured to send users to different outgoing interface like so:

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/htpassword
acl acl_for_user3002 proxy_auth user2
tcp_outgoing_address acl_for_user3002
http_port 3002 name=3002
http_access allow authenticated

When I wanted to change the username:password for user2, I run a bash script to change it in squid.conf and also in htpassword and then I run "squid -k reconfigure", if I don't reconfigure the old user still has access to the proxy and the new one doesn't for about 30 minutes.

I am expecting to have 100s of users soon that will change credentials often, and also I would like to blacklist websites often and on the fly, so I was searching for a better way to manage this without reconfiguring every time, since sometimes a reconfigure can take up to 10-15 seconds.

I am new to Squid and wasn't able to find any info on this, am I doing this currently or there is a better way to change users/ACLs on the fly without reloading Squid?

Roee Klinger
squid-users mailing list
squid-users at lists.squid-cache.org

More information about the squid-users mailing list