[squid-users] External ACL

Amos Jeffries squid3 at treenet.co.nz
Tue May 23 05:00:16 UTC 2017


On 23/05/17 13:25, avi_h wrote:
> Hi,
>
> I'm currently using the DB authentication (squid_db_auth).
> This works flawlessly, however I have a need to enable authentication by a
> list of IPs.

What do you mean by that exactly?

> I tried using a simple ACL, but it's not dynamic so that doesn't answer my
> need.
> So I'm trying to create an external ACL.
> For some reason the external ACL isn't working.
> In order to check this, I commented out all the configs of squid_db_auth.
> Please see the configurations below:
>
> external_acl_type ip_checker children-max=20 %SRC
> /usr/lib64/squid/ip_checker.sh
> acl allowed_ips external ip_checker
>
> http_access allow allowed_ips
>
> cat /usr/lib64/squid/ip_checker.sh
>
> #!/bin/bash
>
> while read ip
> do
>    if ! grep -w "$ip" /etc/squid/allowed_ips.txt ; then
>      echo "ERR"
>    else echo "OK"
>    fi
> done
>
> cat /etc/squid/allowed_ips.txt
> 192.168.1.1
>
> The error message I'm getting:
>
> 2017/05/23 01:33:09.160 kid1| 82,2| external_acl.cc(786) aclMatchExternal:
> ip_checker("192.168.1.1") = lookup needed
> 2017/05/23 01:33:09.160 kid1| WARNING: external ACL 'ip_checker' queue
> overload. Request rejected '192.168.1.1'.

For some reason your helper is not coping with the amount of traffic 
going through your Squid, even with 20 processes running.

I don't see anything particularly wrong with the script logic, maybe 
just the inefficiency of using bash and grep?
Or perhaps how you are designing the http_access sequence? Order 
matters a lot.


Amos
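
Added example, not part of the original thread: a POSIX sh version of the helper that writes exactly one `OK` or `ERR` line per lookup and nothing else; in the quoted script, `grep -w` without `-q` also prints the matching line to stdout ahead of `OK`. It matches the address as a fixed, whole-line string and re-reads the list on every lookup so edits apply immediately. Assumptions: the names `ip_allowed` and `helper_loop` are made up here, and the list path is passed as the helper's first argument.

```sh
#!/bin/sh
# Added example (not from the original thread): external ACL helper for %SRC.
# Assumption: the allow-list path is the helper's first argument and the file
# holds one address per line, e.g. in squid.conf (one line):
#   external_acl_type ip_checker children-max=20 %SRC
#       /usr/lib64/squid/ip_checker.sh /etc/squid/allowed_ips.txt

# Return 0 if address $1 is listed in file $2, non-zero otherwise.
ip_allowed() {
    # Reject empty input and anything that is not an IPv4/IPv6 literal.
    case $1 in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
    esac
    # -q: print nothing, so stdout carries only the helper's own answers.
    # -F: fixed string, so "." is not a regex wildcard.
    # -x: the whole line must equal the address, not merely contain it.
    grep -qxF -e "$1" "$2" 2>/dev/null
}

# Read one lookup per line from stdin; answer each with exactly one line.
helper_loop() {
    while read -r ip _rest; do
        if ip_allowed "$ip" "$1"; then
            echo "OK"
        else
            echo "ERR"
        fi
    done
}

# Serve only when a list file was given on the command line.
[ "$#" -eq 0 ] || helper_loop "$1"
```

With `grep -w` and a regex pattern, a client at 1.1.1.1 would match a list entry such as 10.1.151.1; `-xF` rules that out.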


