[squid-dev] [PATCH] Fix external_acl problems

Christos Tsantilas christos at chtsanti.net
Mon Feb 1 15:09:55 UTC 2016


On 01/29/2016 02:46 PM, Amos Jeffries wrote:
> On 29/01/2016 8:10 a.m., Christos Tsantilas wrote:
>> Hi all,
>>
>> After the patch r14351 created the following problems:
>>   - external_acl requires AccessLogEntry but ALE is not available
>>     in many cases such as ssl_bump ACLs.
>>   - The %<cert_subject stopped working because it was supported by
>>     external_acl code and not by logformat code.
>>
>> This patch:
>>    - Passes AccessLogEntry in most cases.
>>      For example, PeerConnector-related classes are now covered.
>>    - Implements the %<cert_subject formatting code for logformat.
>>
>>
>> Still there are cases which are not handled correctly:
>>    - In the case of transparent SSL bumping, the patch uses a local
>> AccessLogEntry to allow external_acl to work with the ssl_bump access list.
>>
>>   - The slow acls inside Ssl::PeerConnector cannot support external_acl
>> in the case of PeerPoolMgr
>>
>>    - Most of the fast acls do not support ALE based acls. I know that
>> currently the only ALE based acl is the external_acl, which is a slow acl,
>> but my opinion is that it is not a bad idea to support cases where the
>> external_acl result is stored in cache.
>>
>>    - Also we need to check and review if the information passed with the
>> ALE is the same as that passed using the FilledChecklist object. This is not
>> obvious.
>>
>>
>> This is a Measurement Factory project.
>>
>
> +1. Please apply.
>
> But note that PeerConnector child classes are now in different files
> when merging to trunk.


I am still not able to compile trunk.
I will merge to trunk after the problems are fixed.

>
> Amos
>
>

