[squid-users] How to execute external helpers for each request ?

squid3 at treenet.co.nz squid3 at treenet.co.nz
Sat Jun 26 00:01:40 UTC 2021


On 2021-06-26 01:16, hoper wrote:
> Hi again,
> 
>> If Squid trusts stale user credentials (i.e. allows new requests with
>> stale cached credentials without revalidating them with your
>> authentication helper), then this is a Squid bug.
> 
> No, I don't think there is a bug here.
> Because each time my helper is used by squid, it writes a line in a
> dedicated log file.

A Squid bug would likely be later on.

Before we go any further: which version of Squid are you using?


> And it seems to work well. In detail :
> 
> Let's say I have a account in my DB with: user1,password1,proxy1
> As a client, I start my browser and connect myself with user1/password1
> 
> In my helper log file, all is good and I can see that squid used the 
> helper,
> and its answer was "OK proxychoice=proxy1".
> 
> Now I switch from proxy1 to proxy2 for user1 in the database.
> 
> On my browser, I'm still authenticated as user1, and I'm still using 
> proxy1.
> (Ok, that's normal). Later, when the TTL is reached (2 minutes in the
> configuration I sent),
> I can see in my helper's log file that squid used it again. This time, 
> the
> answer was : "OK proxychoice=proxy2". So, all seems good here too.
> 
> But the routing didn't change. The parent proxy used after 2 minutes
> is still proxy1, and
> it never changes until I restart squid.
> 
> I hope to have better explained the problem. So you think there is a bug
> somewhere,
> or do we have a configuration problem ? How can we obtain the result
> we are looking for ?
> (Squid should change the parent proxy if needed after the
> authentication TTL period).
> 

You seem to think that user credentials are thrown away when they reach 
TTL. That is not true.

What actually happens is that shortly *before* TTL is reached they enter 
a grace period during which they will be refreshed using the helper. The 
info the helper provides is then used to *update* the existing 
credentials.

Also, the foo= annotations are additive by default. On more detailed 
inspection you will find the user has become "proxy1" *OR* "proxy2" 
allowed.



>> Insufficient demand for that feature does not allow me to provide a
>> reliable ETA at this time.
> 
> Do you have a vague idea of the cost of the development of this 
> feature ?
> 

I'm not sure why Alex is offering a feature. A change to helper 
annotations was already implemented in Squid-5 to avoid this exact 
behaviour you are seeing.


> Thanks again.
> 


FYI. The Squid-5 code already has the feature implemented. It is only 
the Squid-4 code which behaves like above.

Amos
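
The refresh behaviour described in this message, as a simplified model added here as an example (it is not part of the original message and not Squid source code). It assumes that peers are tried in configuration order and that the Squid-5 change amounts to replacing the values of a key the helper sends again; `CachedUser`, `select_peer` and `simulate` are hypothetical names.

```python
# Simplified model (assumption, not Squid source) of cached credentials whose
# helper annotations are merged into the existing entry on each refresh.

def parse_helper_reply(line):
    """Split 'OK proxychoice=proxy1' into ('OK', [('proxychoice', 'proxy1')])."""
    result, *pairs = line.split()
    return result, [tuple(p.split("=", 1)) for p in pairs if "=" in p]


class CachedUser:
    def __init__(self, name, additive):
        self.name = name
        self.additive = additive   # True: the additive behaviour described for Squid-4
        self.notes = {}            # annotation key -> list of values

    def refresh(self, helper_reply):
        """Update the existing entry from a helper reply; the entry is never discarded."""
        result, pairs = parse_helper_reply(helper_reply)
        if result != "OK":
            return False           # failed-authentication handling is outside this model
        if not self.additive:
            # Assumed replace semantics: drop old values of any key sent again.
            for key, _ in pairs:
                self.notes.pop(key, None)
        for key, value in pairs:
            values = self.notes.setdefault(key, [])
            if value not in values:
                values.append(value)
        return True


def select_peer(user, peers, key="proxychoice"):
    """Return the first peer, in configuration order, that the annotations allow."""
    allowed = user.notes.get(key, [])
    for peer in peers:
        if peer in allowed:
            return peer
    return None


def simulate(additive):
    """Replay the thread's scenario: proxy1 at login, proxy2 at the next refresh."""
    peers = ["proxy1", "proxy2"]   # constructed peer order
    user = CachedUser("user1", additive)
    user.refresh("OK proxychoice=proxy1")
    before = select_peer(user, peers)
    user.refresh("OK proxychoice=proxy2")
    return before, select_peer(user, peers), user.notes["proxychoice"]
```

With `additive=True` the user ends up carrying both values and the first matching peer is still proxy1, which matches what the helper log and the routing showed in the report.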

