[squid-users] cache_peer selection based on username

Eliezer Croitoru ngtech1ltd at gmail.com
Tue Jan 12 08:17:44 UTC 2021


Hey Amos,

One thing that the auth helper cannot do with this note is the ttl.
The auth ttl is different than the request IP binding/routing.
With separated auth and external_acl helper you can change/apply a note/rule/acl in a lower ttl,
i.e. 3 seconds, which can be critical to some applications.
If one ip goes down for any reason you can change the routing.
I would have expected the note to stick if the ttl is either 0 or 1 for the relevant session.
This is so we would rely on the helper to be a "live" helper per request.

I know that 0-3 is almost the same as 0-5 but some prefer to use 0-1.

Eliezer 

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon


-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Tuesday, January 12, 2021 3:46 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] cache_peer selection based on username

On 11/01/21 8:06 am, roee klinger wrote:
> Thanks, Eliezer, I was able to get it working.
> Here is an example in case anybody runs into this in the future:
> 
>     acl mynote1 note mykey note1
>     acl mynote2 note mykey note2
> 

FYI, key names ending with "_" character are reserved for custom keys 
like this.


>     external_acl_type user_whitelist_external children-max=20 ttl=300
>     %>lp %>a script.sh

NP: this does not check for users or authenticated traffic at all. It is 
only using the client-IP and Squid receiving port number.

To meet the earlier stated requirement about authenticated traffic the 
helper format should contain %un. The lines below should follow the 
http_access rules doing authentication checks.


You could also have the helper doing authentication send the notes to 
Squid, e.g. as a group name.



>     acl whitelisted_users external user_whitelist_external
>     http_access allow whitelisted_users
> 
>     nonhierarchical_direct off
>     never_direct allow all
>     cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
>     cache_peer_access proxy1 allow mynote1
>     cache_peer_access proxy0.2 deny all
>     cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
>     cache_peer_access proxy2 allow mynote2
>     cache_peer_access proxy0.3 deny all
> 

NP: there is no peer named "proxy0.2" or "proxy0.3" so those deny lines 
are not doing anything. The only reason this config does what it appears 
at first glance to do is that the inverted default for the proxy1 and 
proxy2 peer access rules is deny.


> 
> Then, on the external helper, I return one of these two:
> 
>     OK mykey=note1
>     OK mykey=note2
> 
> 


Amos
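Putting Amos's two corrections together (feed %un to the helper, and end each peer's rule list with a deny for that same peer), a helper along these lines would drive the note-based peer selection. This is an added illustration, not code from the thread or from the Squid project; the user-to-note table, the helper path and the ttl values are constructed assumptions.

```python
#!/usr/bin/env python3
"""Squid external_acl helper choosing a cache_peer note by username.

Assumed squid.conf (constructed to match the thread; auth rules must
already have run in http_access so that %un is populated):

  external_acl_type user_peer children-max=20 ttl=3 negative_ttl=1 \
      %un %>a /usr/local/bin/user_peer.py
  acl by_user external user_peer
  http_access allow by_user
  acl mynote1 note mykey note1
  acl mynote2 note mykey note2
  cache_peer_access proxy1 allow mynote1
  cache_peer_access proxy1 deny all
  cache_peer_access proxy2 allow mynote2
  cache_peer_access proxy2 deny all
"""
import sys
from urllib.parse import unquote

# Constructed mapping: which note (and therefore which peer) each user gets.
USER_NOTES = {"alice": "note1", "bob": "note2"}


def decide(line: str) -> str:
    """Turn one helper input line '%un %>a' into a Squid helper reply."""
    fields = line.split()
    if not fields:
        # BH tells Squid the helper could not process the request at all.
        return "BH message=empty%20request"
    # Squid may percent-encode helper fields; decoding is harmless otherwise.
    user = unquote(fields[0])
    # Squid sends "-" for %un when the request carries no authenticated user,
    # so unauthenticated traffic never receives a routing note.
    if user == "-":
        return "ERR"
    note = USER_NOTES.get(user)
    if note is None:
        return "ERR"
    # The note key/value becomes visible to the "note" ACLs above.
    return f"OK mykey={note}"


def serve(inp=sys.stdin, out=sys.stdout) -> None:
    """Non-concurrent helper loop: one reply line per input line."""
    for line in inp:
        out.write(decide(line.rstrip("\n")) + "\n")
        out.flush()  # Squid waits on each reply; never buffer it


if __name__ == "__main__":
    serve()
```

With ttl=3 the mapping is re-asked every few seconds, which is the short-lived routing Eliezer describes, while the authentication cache keeps its own, longer ttl.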

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
