[squid-users] Fwd: cache_peer_access by dynamic ACL

Alexeyяр Gruzdov my.shellac at gmail.com
Wed Apr 26 14:33:52 UTC 2023


Thank you very much for your answer and explanation.

Yep, I don't use the name "proxy" for annotations, it was only an example.

Best regards!
Alexg



On Wed, 26 Apr 2023 at 18:34, Alex Rousskov <rousskov at measurement-factory.com> wrote:

> On 4/26/23 08:08, Alexeyяр Gruzdov wrote:
> > Oh... Looks like I just need to send, as the answer, the list of my policy
> > ACLs, for example:
> >
> > user1 wanted to go over peer1 and peer3
> > the answer from the external script must be like "OK proxy=peer1
> > proxy=peer3", and it looks like it works as I need. The user will go
> > over peer1 and peer3 only, by round-robin.
>
> Instead of sending N same-name annotations to Squid, please try sending
> one annotation with a comma-separated list of N values:
>
>      proxy=peer1,peer3,peer4
>
> Rationale: Even if your current N-annotation setup "works", it is
> essentially relying on undefined and/or questionable behavior that may
> change. Using N-value annotations, you are avoiding that problem.
>
> The "note" ACL has -m option that tells Squid to interpret the
> annotation value as a list:
>
>      acl cleared_for_peer1 note -m proxy peer1
>      acl cleared_for_peer2 note -m proxy peer2
>      ...
>
>
> And, again, avoid using "proxy" as the annotation name: That name is
> currently reserved for Squid's own use. Use "proxy_" or any other name
> ending with an underscore character. IMO, we should change the
> policy/code to be more admin-friendly, but that change may not happen
> for a long time, and modern Squids will warn you about reserved names
> like "proxy":
>
> https://github.com/squid-cache/squid/commit/27c36771bf145c2f8ca1efab6743b9e087867ab5
>
>
> HTH,
>
> Alex.
>
>
> > Wed, 26 Apr 2023 at 15:40, Alexeyяр Gruzdov:
> >
> >     Hello!
> >     Yes!
> >     Thank you!
> >
> >
> >     One more question pls:
> >
> >     For example, I have five cache_peers and an ACL associated with each
> >     cache peer.
> >     As you know, I used my external ACL script, and now I can put the
> >     policy into my script's answer; squid gets the answer and uses the
> >     correct ACL for the username.
> >     For example, the answer is "OK proxy=peer1" and the user will use
> >     cache_peer1, or if "OK proxy=all" the user will go over all of the
> >     cache_peers by round-robin.
> >     All works well.
> >     But how can I put something like a list of ACLs for a user? For
> >     example, I want some user to be able to go over peer1 and peer3 only,
> >     by round robin, but be denied over peer2, peer4, peer5. Of course,
> >     better using an external ACL (as a DB). What do you think?
> >
> >
> >
> >
> >
> >
> >     Mon, 24 Apr 2023 at 18:07, Alex Rousskov
> >     <rousskov at measurement-factory.com>:
> >
> >         On 4/23/23 14:28, Alexeyяр Gruzdov wrote:
> >
> >          > One more, maybe the last thing: I found strange behavior. If I
> >          > make changes to my ext ACL script (it's python) and then run
> >          > "squid -k reconfigure", then I can see that my script appears at
> >          > the top of the process list in "top" and loads the CPU to 100%
> >
> >         Check how your ACL script reacts to stdin closure/EOF. The
> >         script should quit but probably does not. Same for any stdin
> >         reading errors. On EOF, the script should use exit code zero.
> >         All these things are easy to test on the command line (without
> >         Squid).
> >
> >         Alex.
> >
> >          > Sun, 23 Apr 2023 at 16:36, Amos Jeffries
> >          > <squid3 at treenet.co.nz>:
> >          >
> >          >     On 23/04/2023 5:27 pm, Alexeyяр Gruzdov wrote:
> >          >      > Hello Guys!
> >          >      > Thank you very much! For now all works as I needed!
> >          >      >
> >          >      > But I have one more question about how I could use the
> >          >      > kv-pair:
> >          >     ...
> >          >      > and then an ACL with "note proxy all"
> >          >      > But how must the kv-pair look for this tag of mine?
> >          >      >
> >          >      > I have tried to get an answer from my ext script like
> >          >      > "OK"
> >          >      > "proxy=all"
> >          >      >
> >          >      > But it looks like it's not correct
> >          >      >
> >          >
> >          >     This part of the instructions was missed:
> >          >
> >          >     https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols
> >          >
> >          >     "
> >          >     For every line sent by Squid exactly one line is expected
> >          >     back. Some script languages such as perl and python need to be
> >          >     careful about the number of newlines in their output.
> >          >     "
> >          >
> >          >     If your helper received something like this (with
> >          >     concurrency channel-id "1"):
> >          >
> >          >        "1 bob 192.0.2.1"
> >          >
> >          >     It should produce a line like:
> >          >         "1 OK proxy=all"
> >          >
> >          >     If no concurrency channel-id is received, then the output is
> >          >     the same but without sending the channel-id back, and MUST be
> >          >     sent in the same order as received.
> >          >
> >          >     I do recommend using concurrency. It can help further debug
> >          >     issues with helpers responding incorrectly.
> >          >
> >          >     HTH
> >          >     Amos
> >          >
> >          >     _______________________________________________
> >          >     squid-users mailing list
> >          >     squid-users at lists.squid-cache.org
> >          >     http://lists.squid-cache.org/listinfo/squid-users
> >          >
> >          >
>
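As an added example (not code from this thread or from the Squid project), here is a minimal Python external ACL helper that follows the advice above: it echoes the concurrency channel-id, answers with one `proxy_` annotation whose value is a comma-separated peer list, flushes every reply, and exits 0 on stdin EOF. The policy table, user names, peer names and the `peerpol`/helper path in the config comment are constructed.

```python
import sys

# Constructed sample policy (username -> cache_peer names the user may use;
# "all" means every peer). The thread suggests loading this from a DB.
POLICY = {
    "bob": ["peer1", "peer3"],
    "alice": ["all"],
}

# Matching squid.conf, following the thread's advice (hypothetical names):
#   external_acl_type peerpol concurrency=10 %LOGIN %SRC /path/to/helper.py
#   acl cleared_for_peer1 note -m proxy_ peer1
#   cache_peer_access peer1 allow cleared_for_peer1

def handle_line(line, policy=POLICY, concurrent=True):
    """Return the single reply line Squid expects for one request line.

    With concurrency, Squid sends "<channel-id> <user> <ip>" and the reply
    must start with the same channel-id. Without it, the request is
    "<user> <ip>" and replies must go back in the order received.
    """
    fields = line.strip().split()
    if not fields:
        return "BH message=empty_request"
    channel = ""
    if concurrent:
        channel, fields = fields[0] + " ", fields[1:]
    if not fields:
        return channel + "BH message=missing_user"
    peers = policy.get(fields[0])
    if not peers:
        return channel + "ERR"  # unknown user: no peer is cleared
    # One annotation carrying N comma-separated values, instead of N
    # same-name annotations; the key ends in "_" because bare "proxy"
    # is reserved by Squid.
    return channel + "OK proxy_=" + ",".join(peers)

def main():
    # Flush after every reply, and exit 0 once Squid closes stdin (EOF),
    # so a "squid -k reconfigure" does not leave a helper spinning.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Test it without Squid exactly as suggested in the thread: `printf '1 bob 192.0.2.1\n' | python3 helper.py; echo exit=$?` should print the reply and then `exit=0`.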