[squid-dev] Fake CONNECT requests during SSL Bump

Eliezer Croitoru eliezer at ngtech.co.il
Thu Sep 24 05:13:12 UTC 2015


On 23/09/2015 04:52, Amos Jeffries wrote:
> Exactly. They are processing steps. Not messages to be adapted.
>
> Amos

+1 For that.

And I think that there is a big difference between adapted content and ACLs.
If we do decide that ECAP\ICAP should be the right way to handle ACLs
it's one thing, but I think that it's much simpler to implement an
external_acl helper which "talks" STDIN\OUT\ERR rather than implementing
a whole ICAP service.
I had a really hard time getting my head off the ICAP way of handling
REQMOD POST requests or RESPMOD with a long body.
Maybe it's me not having fundamentals and experience, but it is a fact
that ICAP compared to external_acl helpers gives you a twist.
Most admins would be able to understand and write external_acl helpers
rather than ICAP services.

Also just a tiny note that from my basic tests with ECAP until now (and I
do not mean to touch anyone's toes) it seems that external_acl will slow
less than an ECAP adapter if written properly.
Maybe I have used it wrongly, but running a curl request in each and
every one of the adapted requests caused a very, very long response time
compared to the external_acl helper I am using.

In any case, the bottom line from me is that for now ICAP and ECAP are
called ADAPTATION services and not ACL services.
It can be extended to do so, and it's not a part of the RFCs or
definitions, and it might be the right way to do things, but it will
require simple enough libraries that will let most admins (if not all)
implement their ACL logic using these
protocol\implementations.

Eliezer
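
An added illustration of the external_acl helper interface the message above refers to (not code from the original post or from the Squid project): a helper that reads one lookup per line on stdin and answers OK, ERR or BH on stdout. The squid.conf wiring, helper path and blocklist entries are assumptions; it expects Squid 3.4 or later with `concurrency=` set, so every request line starts with a channel ID.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl helper: match destinations on a blocklist.

Assumed squid.conf wiring (hypothetical names and path):
  external_acl_type dst_check concurrency=10 %DST /usr/local/bin/dst_check.py
  acl blocked_dst external dst_check
  http_access deny blocked_dst
"""
import sys
from urllib.parse import unquote

# Constructed sample blocklist; a real helper would load this from a file or DB.
BLOCKED_SUFFIXES = ("blocked.example", "ads.example.net")


def is_blocked(host):
    """True when host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES)


def handle_line(line):
    """Turn one request line '<channel-id> <dst>' into one reply line."""
    parts = line.split()
    if len(parts) != 2 or not parts[0].isdigit():
        # BH tells Squid the lookup itself failed, instead of guessing a verdict.
        channel = parts[0] if parts and parts[0].isdigit() else "0"
        return f'{channel} BH message="malformed request"'
    channel, dst = parts[0], unquote(parts[1])  # Squid URL-escapes tokens
    # OK means "the ACL matches", i.e. the destination is on the blocklist.
    return f"{channel} OK" if is_blocked(dst) else f"{channel} ERR"


def main():
    # Squid keeps the helper running and writes one lookup per line on stdin.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # an unflushed reply stalls the waiting request


if __name__ == "__main__":
    main()
```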

