[squid-users] annotation and fast / slow acl
FUSTE Emmanuel
emmanuel.fuste at thalesgroup.com
Wed Jun 21 16:51:11 UTC 2017
Hello,
One more question to be sure to understand some details:
> On 20/06/2017 at 14:46, Amos Jeffries wrote:
>> On 20/06/17 22:55, FUSTE Emmanuel wrote:
>>> Hello,
>>>
>>> I need to select a cache peer based on the user group.
>>> As cache_peer_access needs a fast ACL to give predictable results, I tried to
>>> - annotate transactions with "note"
>>> - match the annotation with a fast acl
>>> - use the acl in the cache_peer_access directive
>>>
>>> But I still got warning about slow acl in use where fast are required.
>>> Am I missing something?
>> The 'note' directive (different from the note ACL type) itself is a
>> "fast" access control whose purpose is to add things into the log file.
>> It only does its thing at the termination of a transaction right before
>> logging.
>>
>>
>> What you are wanting is to alter the external_acl_type helper (or write
>> a script wrapper for it that changes the output), such that when Squid
>> sends it a lookup it generates a response to Squid saying something
>> like this:
>>
>> OK profil="$group_name"
>>
>> (where $group_name is the group which matched)
>>
>>
>> When that is working you can also vastly simplify your squid.conf by
>> replacing all these:
>>
>> acl StandardUser external ldap_group ACCESINTERNET
>> acl VIPUser external ldap_group ACCESCHARGEDECOM
>> acl NoNetUser external ldap_group INITIAL
>>
>> ... with a single helper ACL test:
>> acl group external ldap_group ACCESINTERNET ACCESCHARGEDECOM INITIAL
>>
>> ... which gets run only for authenticated users:
>> http_access deny !AuthorizedUsers
>> http_access allow group
>>
>> ... and use the note ACLs to do all your other access controls:
>> acl StandardUser note profil ACCESINTERNET
>> acl VIPUser note profil ACCESCHARGEDECOM
>> acl NoNetUser note profil INITIAL
So arbitrary k=v pairs not used by the ACL helper protocol can be
matched against with the note ACL?
How does it relate to the defined/reserved tag= and clt_conn_tag= keywords of
the ACL helper protocol?
The helper is modified to return profil="$group_name" when the group
matches. It works.
Will test it on a squid instance with note acl tomorrow.
Emmanuel.
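As an added example (not code from this thread, nor Squid's own ext_ldap_group_acl), here is a minimal stand-in for the helper wrapper Amos describes. It speaks the external ACL helper protocol on stdin/stdout, takes the candidate group names that an `acl group external ldap_group ACCESINTERNET ACCESCHARGEDECOM INITIAL` line passes with each lookup, and answers `OK profil="<group>"` naming the first group the user belongs to, or `ERR` when none match. The membership table is a constructed in-memory dictionary standing in for the LDAP query, the `%LOGIN` request format and all function names are my assumptions, and the helper is assumed to be defined without `concurrency=`, so request lines carry no channel-ID.

```python
#!/usr/bin/env python3
"""Stand-in external ACL helper (added example, not Squid's ext_ldap_group_acl).

Assumed squid.conf definition feeding this script:
    external_acl_type ldap_group %LOGIN /path/to/this_script.py
    acl group external ldap_group ACCESINTERNET ACCESCHARGEDECOM INITIAL
so each request line looks like "<login> ACCESINTERNET ACCESCHARGEDECOM INITIAL".
"""
import sys

# Constructed membership table; a real helper would query LDAP here.
MEMBERSHIP = {
    "alice": {"ACCESINTERNET"},
    "bob": {"ACCESCHARGEDECOM", "ACCESINTERNET"},
    "carol": {"INITIAL"},
}


def quote_value(value: str) -> str:
    """Quote a value for a key=value pair in the helper reply: backslash-escape
    backslashes and double quotes, then wrap the result in double quotes, so a
    group name containing spaces or quotes cannot break the reply line."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_response(request_line: str, membership=MEMBERSHIP) -> str:
    """Map one request line to one helper reply line.

    Returns 'OK profil="<group>"' for the first candidate group (in the order
    squid.conf lists them) the user belongs to, 'ERR' if none match, and a
    'BH' (helper failure) reply for a malformed request, so that Squid treats
    the lookup as failed rather than as a denial or a grant.
    """
    fields = request_line.strip().split()
    if len(fields) < 2:
        return 'BH message="malformed request"'
    login, candidates = fields[0], fields[1:]
    groups = membership.get(login, set())
    for group in candidates:
        if group in groups:
            # Non-reserved key: becomes a transaction annotation, matched by
            # "acl StandardUser note profil ACCESINTERNET" and friends.
            return f"OK profil={quote_value(group)}"
    return "ERR"


def main() -> None:
    # Squid sends one request per line and expects exactly one reply per line;
    # flush after each reply so Squid does not wait on a buffered answer.
    for line in sys.stdin:
        sys.stdout.write(build_response(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The reply keeps the reserved keywords (user=, tag=, clt_conn_tag=, message=, and so on) untouched and only adds the `profil` key, so the existing `http_access allow group` test still decides authentication-level access while the `note` ACLs decide cache_peer_access from the annotation.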