[squid-users] squid 5.1: external_acl_type: Get public remote address

David Touzeau david at articatech.com
Thu Sep 16 14:42:05 UTC 2021


Thanks Amos for the quick answer.

Can you take away any hope of a workaround with Squid?

This makes me plan having to develop a function that has to perform DNS 
resolution inside the helper with the performance consequences that this 
will impose.



On 16/09/2021 at 16:21, Amos Jeffries wrote:
> On 16/09/21 10:09 pm, David Touzeau wrote:
>> Hi community, Squid fans
>>
>> I would like to use an external acl process for Geoip processing
>>
>> I have tried to set up Squid to send the remote peer address using the %<a 
>> code, but it always replies with a "-"
>>
>> external_acl_type MyGeopip ttl=3600 negative_ttl=3600 
>> children-startup=2 children-idle=2 children-max=20 concurrency=1 ipv4 
>> %un %SRC %SRCEUI48 %>ha{X-Forwarded-For} %DST %ssl::>sni 
>> %USER_CERT_CN %note %<a /lib/squid3/squid-geoip
>>
>> acl MyGeopip_acl external MyGeopip
>> http_access deny !MyGeopip_acl
>>
>> I was thinking that Squid calls the helper before resolving the remote 
>> route.
>>
>
> The problem is there is no server/peer connection at all for a 
> transaction that has only been received and not yet processed by Squid.
>
>
>> So to force it, I have added a "fake" acl to force Squid to calculate 
>> the remote address.
>>
>> acl fake_dst dst 127.0.0.2
>> http_access deny !fake_dst !MyGeopip_acl
>>
>> But it failed too, the external_acl still receives the "-" instead of 
>> the remote public IP address of the server
>>
>
> Aye. There is still no server.
>
> All this dst ACL changed was that Squid knows a group of IPs it 
> *might* select from. The decision whether to use one of them (or 
> somewhere entirely different) has not yet been made, so there is still 
> no server.
>
> The "%<a" displays the "last server or peer connection". It can change 
> when automated retries are done, and is "-" at all points before any 
> server contact.
>
>
> Amos

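The fallback mentioned at the top of this message, resolving the destination inside the helper, sketched as an added example (not code from the thread or from Squid): it assumes the helper is configured to receive only `%DST` with a concurrency channel ID, so each request line is `<channel-id> <dst-host>`; `GEO_TABLE`, `ALLOWED` and the function names are hypothetical. A TTL cache limits the DNS cost, and every resolved address must pass because, as the reply notes, Squid has not yet chosen which one it will connect to.

```python
import ipaddress
import socket
import sys
import time

# Constructed sample data standing in for a real GeoIP database (documentation ranges).
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "AA",
    ipaddress.ip_network("198.51.100.0/24"): "BB",
}
ALLOWED = {"AA"}   # hypothetical policy: country codes the proxy may reach
CACHE_TTL = 300    # seconds a resolved answer is reused
CACHE = {}         # host -> (expiry, [addresses])

def system_resolve(host):
    """Blocking IPv4 lookup; this is the per-request cost the cache amortises."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def resolve(host, resolver=system_resolve, now=time.monotonic):
    hit = CACHE.get(host)
    if hit and hit[0] > now():
        return hit[1]
    try:
        addrs = resolver(host)
    except OSError:
        addrs = []  # failures are cached too, so a dead name is not retried per request
    CACHE[host] = (now() + CACHE_TTL, addrs)
    return addrs

def country(addr):
    ip = ipaddress.ip_address(addr)
    return next((cc for net, cc in GEO_TABLE.items() if ip in net), None)

def handle(line, resolver=system_resolve):
    """Return the reply for one '<channel-id> <dst-host>' request line."""
    parts = line.split()
    if len(parts) != 2:
        return (parts[0] if parts else "0") + " BH message=bad-request"
    channel, host = parts
    addrs = resolve(host, resolver)
    # Every resolved address must be allowed: Squid may pick any of them later.
    if addrs and all(country(a) in ALLOWED for a in addrs):
        return f"{channel} OK"
    return f"{channel} ERR message=geo-denied"

if __name__ == "__main__":
    for request in sys.stdin:
        print(handle(request), flush=True)
```
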