[squid-users] Passing Proxy Protocol Headers to external ACL

Frida Safran fsafran at proofpoint.com
Mon Jun 14 06:29:20 UTC 2021


Hi Alex,

Thanks for the quick response.

Regarding proxy_protocol - is there a known patch for v4 I could use by any chance?

Regarding icap, I suppose the acl is getting evaluated before the icap and that is why they aren't available:

external_acl_type TransactionClassificator \
    concurrency=0 \
    children-max=2 \
    ttl=60 \
    %ssl::>sni \
    /usr/local/squid/bin/classify-transaction.sh

acl classifyRequest external TransactionClassificator

acl step1 at_step SslBump1
acl step2 at_step SslBump2

ssl_bump peek step1
ssl_bump splice step2 classifyRequest
ssl_bump stare all
ssl_bump bump all


Thanks,
Frida
________________________________
From: Alex Rousskov <rousskov at measurement-factory.com>
Sent: Sunday, June 13, 2021 17:46
To: squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
Cc: Frida Safran <fsafran at proofpoint.com>
Subject: Re: [squid-users] Passing Proxy Protocol Headers to external ACL

On 6/13/21 7:31 AM, Frida Safran wrote:

>  1. Is it possible to pass proxy protocol headers to an external acl as
>     part of the format?

It should be possible. Use %proxy_protocol::>h logformat %code in your
external_acl_type FORMAT configuration. We added that support to Squid
v5. Not available in the official v4.


>  2. Is it possible to pass all/specific icap headers to an external acl?
>     I have been trying to use %icap::>h to pass all the icap headers to
>     an external acl, but it resolves to "-"

It should be possible if your external ACL is evaluated _after_ the
corresponding ICAP headers are received, but I would not be surprised if
there are bugs in this area -- the ICAP headers may be available but not
provided to the ACL evaluation code. Which squid.conf directive is
triggering your external ACL evaluation in this use case?


HTH,

Alex.
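
An added example, not part of the original thread and not the poster's classify-transaction.sh: a minimal helper for the external_acl_type shown above (concurrency=0, one %ssl::>sni value per line). It shows how the "-" placeholder Squid sends for an unavailable value can be answered with ERR, so the splice rule does not match and the connection falls through to the stare/bump rules. The domain list is constructed sample data and the --serve argument is a hypothetical switch used only to keep the functions testable.

```shell
#!/bin/sh
# Added example: Squid external ACL helper for "%ssl::>sni", concurrency=0.
# Squid writes one line per lookup; the helper answers with one line:
#   OK  = ACL matches, ERR = ACL does not match, BH = helper could not decide.

# Constructed sample list of domains to splice (not from the thread).
SPLICE_DOMAINS="bank.example.com example.org"

# classify_sni SNI: prints OK when SNI equals a listed domain or is a
# subdomain of one, ERR otherwise.
classify_sni() {
    sni=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # hostnames are case-insensitive
    sni=${sni%.}                               # drop a trailing root dot
    case "$sni" in
        ''|-)
            # "-" is what Squid sends when the value is not available
            # (no SNI seen, or the format code has no data yet).
            echo "ERR"; return 0 ;;
    esac
    for d in $SPLICE_DOMAINS; do
        case "$sni" in
            "$d"|*."$d") echo "OK"; return 0 ;;
        esac
    done
    echo "ERR"
}

# serve: request loop, one reply line per input line.
serve() {
    while IFS= read -r line; do
        case "$line" in
            # More than one token means the FORMAT does not match this helper.
            *' '*) echo "BH" ;;
            *)     classify_sni "$line" ;;
        esac
    done
}

# Hypothetical switch: run the loop only when started with --serve.
if [ "${1:-}" = "--serve" ]; then
    serve
fi
```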