[squid-users] Tagged ACLs?

Alex Rousskov rousskov at measurement-factory.com
Mon May 22 14:48:44 UTC 2017


On 05/22/2017 05:56 AM, Ralf Hildebrandt wrote:
> * Alex Rousskov <rousskov at measurement-factory.com>:
>> On 05/20/2017 10:07 AM, Ralf Hildebrandt wrote:
>>> we want to create statistics on how many
>>> clients were "caught" trying to access blocked sites.
>>>
>>> Currently, we're grepping the log for TCP_DENIED in conjunction with the
>>> patterns from the ACLs. [...]  
>>> Is there any way around this? Like "tagging" rejects or logging the
>>> ACL that caused the rejection?

>> Yes, append an annotate_transaction ACL with a distinct annotation value
>> to each distinct http_access rule. If you have many such rules, this
>> should be automated, of course.
>>
>> Log the added annotation using %note logformat code.

> How would I add this to this exemplary ACL?

> acl zeustrackerdomain dstdomain "/etc/squid3/generated-zeus-domainblocklist.acl"
> http_access deny zeustrackerdomain

You do not add this to an ACL. You add this to an http_access rule:

   acl markZeustrackerdomain annotate_transaction accessRule=zeustrackerdomain
   acl markFoobar annotate_transaction accessRule=foobar
   ...

   http_access deny zeustrackerdomain markZeustrackerdomain
   http_access allow foo bar markFoobar
   ...

   logformat ... accessRule=%{accessRule}note ...


> deny_info   http://proxy.charite.de/zeusdomain/ zeustrackerdomain

The above deny_info would have to be adjusted to stay in sync:

  deny_info http://proxy.charite.de/zeusdomain/ markZeustrackerdomain


HTH,

Alex.
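
Added example (not part of the original message, and not code from the Squid project): a sketch of the statistics step, counting denied requests and distinct clients per accessRule annotation. The logformat shown in the comment, the sample lines, and the assumption that a missing annotation is logged as "-" are all constructed for illustration. The annotation is read from a fixed field position so that a client-supplied URL containing "accessRule=" cannot skew the counts.

```python
from collections import defaultdict

# Assumed logformat (an illustration; the thread only shows "..."):
#   logformat tagged %ts.%03tu %>a %Ss/%03>Hs %rm %ru accessRule=%{accessRule}note
# Constructed sample lines matching that format.
SAMPLE_LOG = """\
1495464524.101 192.0.2.10 TCP_DENIED/403 GET http://bad.example/a accessRule=zeustrackerdomain
1495464525.202 192.0.2.10 TCP_DENIED/403 GET http://bad.example/b accessRule=zeustrackerdomain
1495464526.303 192.0.2.11 TCP_DENIED/403 CONNECT bad.example:443 accessRule=zeustrackerdomain
1495464527.404 192.0.2.12 TCP_MISS/200 GET http://ok.example/ accessRule=foobar
1495464528.505 192.0.2.13 TCP_DENIED/403 GET http://x.example/?accessRule=foobar accessRule=-
1495464529.606 192.0.2.14 TCP_DEN
"""

TAG = "accessRule="


def tally_denials(lines):
    """Return ({rule: {"requests": n, "clients": set}}, skipped_line_count)."""
    stats = defaultdict(lambda: {"requests": 0, "clients": set()})
    skipped = 0
    for line in lines:
        fields = line.split()
        # Expect exactly six fields, with the annotation in the last one.
        if len(fields) != 6 or not fields[5].startswith(TAG):
            skipped += 1  # truncated or foreign-format line
            continue
        client, status = fields[1], fields[2]
        if not status.startswith("TCP_DENIED"):
            continue
        # Assumption: an absent annotation is logged as "-".
        rule = fields[5][len(TAG):]
        if rule in ("", "-"):
            rule = "(unannotated)"
        stats[rule]["requests"] += 1
        stats[rule]["clients"].add(client)
    return dict(stats), skipped


if __name__ == "__main__":
    stats, skipped = tally_denials(SAMPLE_LOG.splitlines())
    for rule, s in sorted(stats.items()):
        print(f"{rule}: {s['requests']} denied requests, {len(s['clients'])} clients")
    print(f"skipped lines: {skipped}")
```

A non-zero count under "(unannotated)" points at a deny rule that has no annotate_transaction ACL appended yet.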