[squid-users] annotation and fast / slow acl
Amos Jeffries
squid3 at treenet.co.nz
Tue Jun 20 12:46:19 UTC 2017
On 20/06/17 22:55, FUSTE Emmanuel wrote:
> Hello,
>
> I need to select a cache peer based on the user group.
> As cache_peer_access needs a fast acl to have a predictable result, I tried to
> - annotate transactions with "note"
> - match the annotation with a fast acl
> - use the acl in the cache_peer_access directive
>
> But I still got a warning about slow acl in use where fast are required.
> Am I missing something?

The 'note' directive (different from the note ACL type) itself is a
"fast" access control whose purpose is to add things into the log file.
It only does its thing at the termination of a transaction right before
logging.

What you are wanting is to alter the external_acl_type helper (or write
a script wrapper for it that changes the output), such that when Squid
sends it a lookup it generates a response to Squid saying something
like this:

  OK profil="$group_name"

(where $group_name is the group which matched)

When that is working you can also vastly simplify your squid.conf by
replacing all these:

  acl StandardUser external ldap_group ACCESINTERNET
  acl VIPUser external ldap_group ACCESCHARGEDECOM
  acl NoNetUser external ldap_group INITIAL

... with a single helper ACL test:

  acl group external ldap_group ACCESINTERNET ACCESCHARGEDECOM INITIAL

... which gets run only for authenticated users:

  http_access deny !AuthorizedUsers
  http_access allow group

... and use the note ACLs to do all your other access controls:

  acl StandardUser note profil ACCESINTERNET
  acl VIPUser note profil ACCESCHARGEDECOM
  acl NoNetUser note profil INITIAL

PS.

> maximum_object_size_in_memory 50 MB
> logformat squid [%tl] %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt

FYI: please do not try to define that "squid" log format in squid.conf.
Squid does not follow that instruction, and may do unexpected things as
a result. The latest releases will refuse to start if squid.conf
contains these.

Amos
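
The script wrapper suggested in the message above could look like the following. This is an added example, not code from the original post or from the Squid project. It assumes the helper runs without concurrency (no channel-ID prefix), that the real group helper answers a single "user group" line with OK or ERR, and that its command line is passed as the wrapper's arguments; the names `answer`, `helper_backend` and `SAFE_GROUP` are hypothetical.

```python
#!/usr/bin/env python3
"""Added example: wrapper that turns a group helper's OK into OK profil="<group>"."""
import re
import subprocess
import sys

# Assumption: group names are plain tokens like the ones in this thread.
# Anything else is refused rather than copied into the reply, so a stray
# quote or space can never add extra key=value pairs to the response.
SAFE_GROUP = re.compile(r"[A-Za-z0-9_.-]+")


def answer(line, is_member):
    """Reply for one lookup line "<user> <group> [<group> ...]".

    is_member(user, group) -> bool performs the real membership check.
    """
    fields = line.split()
    if len(fields) < 2:
        return 'BH message="malformed request"'
    user, groups = fields[0], fields[1:]
    for group in groups:
        if is_member(user, group):
            if not SAFE_GROUP.fullmatch(group):
                return 'BH message="unsupported group name"'
            return f'OK profil="{group}"'
    return "ERR"  # user is in none of the listed groups


def helper_backend(cmd):
    """Start the real helper once and return an is_member() that queries it."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True, bufsize=1)

    def is_member(user, group):
        # One group per query, so the wrapper knows which group matched.
        proc.stdin.write(f"{user} {group}\n")
        proc.stdin.flush()
        return proc.stdout.readline().split()[:1] == ["OK"]

    return is_member


if __name__ == "__main__":
    # Assumption: the real helper and its options are this script's arguments.
    check = helper_backend(sys.argv[1:])
    for request in sys.stdin:
        print(answer(request, check), flush=True)
```

The groups are tried in the order they appear on the acl line, so the first match decides which profil value the note ACLs see.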