[squid-users] squid 5.1: external_acl_type: Get public remote address

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 16 19:03:37 UTC 2021


On 9/16/21 2:52 PM, David Touzeau wrote:

> It is true that it would be possible to use an external_acl in the
> http_reply_access.
> 
> Do you think that adding it in this position I would be able to use
> squid's resolution results?

Yes, bugs notwithstanding, an external ACL evaluated at
http_reply_access time should have access to %<a.

HTH,

Alex.


> On 16/09/2021 at 19:43, Alex Rousskov wrote:
>> On 9/16/21 1:30 PM, David Touzeau wrote:
>>
>>> I'm turning to create a DNS resolution dev and I'm giving up looking
>>> to retrieve this information through Squid.
>> Please note that if you do your own DNS resolution, then Squid DNS
>> resolution results will probably mismatch your results in some cases.
>> There have been many complaints about associated problems from folks
>> that went this route...
>>
>> I am not sure what you are trying to do with that %<a-based external
>> ACL in Squid, so it is difficult to narrow down the solution search
>> scope, but Squid does support slow ACLs in certain directives used when
>> talking to origin servers or peers (after built-in DNS resolution and
>> destination selection) so perhaps there is a way to do what you want
>> without Squid modifications.
>>
>> If there is not, it would not be difficult to add a post-resolution
>> directive that supports slow ACLs IMO, but, again, that requires more
>> knowledge of the use case -- there are several places where such a
>> directive can be added.
>>
>>
>> Cheers,
>>
>> Alex.
>>
>>
>>
>>> On 16/09/2021 at 19:13, Amos Jeffries wrote:
>>>> On 17/09/21 2:42 am, David Touzeau wrote:
>>>>> Thanks Amos for quick answer.
>>>>>
>>>>> Can you take away any hope of a workaround with Squid?
>>>>>
>>>>> This makes me plan having to develop a function that has to perform
>>>>> DNS resolution inside the helper with the performance consequences
>>>>> that this will impose.
>>>>>
>>>> I would be looking at a design where a helper classifies requests and
>>>> using that later on when the server is known to match up the IP vs the
>>>> classification. I'm struggling to think of a flow that works
>>>> efficiently though.
>>>>
>>>> Amos
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
> 
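
A sketch of the setup discussed in this reply, as an added example that is not part of the original message or of Squid's own code: an external ACL helper that receives %<a and is evaluated from http_reply_access. The helper path, ACL names and network list are hypothetical, and the handling of "-" assumes %<a is passed as "-" when there is no server connection.

```python
#!/usr/bin/env python3
# Added example: external ACL helper keyed on %<a (server IP Squid connected to).
# Assumed squid.conf wiring (names, path and networks are hypothetical):
#   external_acl_type srv_ip ttl=60 %<a /usr/local/bin/srv_ip_helper.py
#   acl bad_server external srv_ip
#   http_reply_access deny bad_server
import ipaddress
import sys
from urllib.parse import unquote

# Constructed sample policy: replies from these networks match the ACL.
DENIED_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "fc00::/7")]


def classify(line):
    """Return the helper reply for one request line holding the %<a value."""
    fields = line.split()
    if not fields:
        return "BH message=empty-input"
    token = unquote(fields[0])            # helper input arrives URL-escaped
    if token == "-":                      # assumed: no server connection
        return "ERR"
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return "BH message=bad-address"   # BH = helper could not decide
    if getattr(addr, "ipv4_mapped", None):    # ::ffff:a.b.c.d -> a.b.c.d
        addr = addr.ipv4_mapped
    matched = any(addr in net for net in DENIED_NETS)
    return "OK" if matched else "ERR"     # OK = ACL matches, ERR = no match


def main():
    for line in sys.stdin:                # one lookup per line (concurrency=0)
        sys.stdout.write(classify(line) + "\n")
        sys.stdout.flush()                # Squid blocks until the reply line


if __name__ == "__main__":
    main()
```

Because the helper only sees the address Squid itself connected to, it avoids the mismatch between Squid's DNS results and a helper's own lookups that is raised earlier in the thread.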


