[squid-users] Dstdomain from external ACL

Alexeyяр Gruzdov my.shellac at gmail.com
Mon Jul 24 05:26:39 UTC 2023


Hello!

To get it working I used the following:

1. In squid.conf

      external_acl_type ext_proxy_url_acl_type ttl=10 children-max=30 children-startup=5 ipv4 %LOGIN %DST /etc/squid/ext_helper/ext_acl_urls.py

2. Inside of my acl_url_direct.conf

      acl proxy_direct_url_mark_acl external ext_proxy_url_acl_type
      acl proxy_direct_url_acl note url_name passed

3. Inside of http_acces.conf

      http_access deny proxy_direct_url_mark_acl !all

4. My own helper reads the incoming arguments (login and dst URL), then
checks the URL in the DB, and replies with something like:
                 OK url_name=passed   (if the URL is in the DB)
                     or
                 ERR
   And of course, if I get OK I can use the ACL called
"proxy_direct_url_acl" in the policy I want.

My case as a whole is to pass URLs to the cache_peers, but some URLs
must be proxied on the server (without forwarding to the cache_peers).
I was so curious to know how Squid parses these URLs (to prevent
problems in the future).



Best Regards.
Alexey

Sat, 22 Jul 2023 at 12:12, Amos Jeffries <squid3 at treenet.co.nz>:

> On 22/07/23 17:20, Alexeyяр Gruzdov wrote:
> > Wow…
> > Thank you so much !
> >
> > For now I used a simple .py script that checks if the URL is in the table
> > and sends a reply of OK or ERR, depending on the result.
> >
> > But allow me to ask you - how does Squid parse the URL???
> > I think it uses regexp, is that true???
>
> All parsers in the 'squid' binary perform full parse with validation.
>
>
> >
> > Because, for example, if I add a URL to the DB like example.com
> > (base URL name),
> > and the proxy request is even for something like example.com/page1/,
> > this will be matched. That's great.
> >
>
> Oh, there are many moving parts involved there.
>
> First is the HTTP request URL that Squid received, it could be any of
> origin-form, authority-form, or relative-url.
>
> (... probably you configured Squid to only send the URL domain name to
> the helper.)
>
> Second is what details you configured the external_acl_type directive to
> pass on.
>
> Third is how the helper receives its input. The helper I suggested uses
> Perl string split to separate the concurrency channel-ID from the UID
> portion and pack("H*",...) for binary safety.
>
> Fourth is how the helper is using its input to lookup the database.
>   The helper I suggested uses SQL "=" operator, whose matching is
> string-wise exact equality.
>
> As far as I know only the Perl string split is potentially using regex,
> but not in any way which would cause the behaviour you describe.
>
> If you are still using your own custom helper, look into how it is doing
> those third and fourth things.
>
>
> HTH
> Amos
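Added example (not part of the original post, and not the poster's helper or the one suggested in the quoted reply): a small Python external ACL helper for the external_acl_type line above, illustrating the third and fourth points of the quoted reply, i.e. how the input line is split and how the lookup is compared. It goes beyond the exact "=" match mentioned in the reply by also accepting subdomains, compared on whole DNS labels rather than by substring. Assumptions: no concurrency channel-ID (the posted directive sets none), fields arrive URL-escaped, and DIRECT_DOMAINS is a constructed stand-in for the database table.

```python
#!/usr/bin/env python3
# Added example: external ACL helper for "%LOGIN %DST" input (no channel-ID).
import sys
from urllib.parse import unquote

# Constructed stand-in for the database table of "direct" domains.
DIRECT_DOMAINS = {"example.com", "intranet.example.org"}


def normalize_host(dst):
    """Undo URL-escaping (assumed), lowercase, drop a trailing root dot."""
    return unquote(dst).strip().lower().rstrip(".")


def naive_match(host, table=DIRECT_DOMAINS):
    """Substring test, for contrast only: matches unrelated hosts too."""
    return any(domain in host for domain in table)


def is_direct(host, table=DIRECT_DOMAINS):
    """True if host equals a table entry or is a subdomain of one.

    Comparison is done on whole DNS labels, so "notexample.com" and
    "example.com.attacker.test" do not match "example.com".
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in table for i in range(len(labels)))


def answer(line):
    """Map one helper input line to one reply line (without newline)."""
    fields = line.split()
    if len(fields) != 2:          # expect exactly: login, destination host
        return "ERR"
    _login, dst = fields          # login is available for per-user tables
    if is_direct(normalize_host(dst)):
        return "OK url_name=passed"
    return "ERR"


def main():
    for line in sys.stdin:        # one request per line until Squid closes stdin
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()        # reply immediately; Squid waits on each line


if __name__ == "__main__":
    main()
```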