[squid-users] What happens when duplicate external_acl_type are mentioned
Amish
anon.amish at gmail.com
Sat Dec 1 14:17:28 UTC 2018
On 01/12/18 5:24 pm, Amos Jeffries wrote:
> On 2/12/18 12:15 am, Amish wrote:
>>
>> Thank you for your quick response.
>>
>> So if I pass %ul to external_acl_type, but don't use any auth_param,
>> squid dies with an error.
>>
>> "Can't use proxy auth because no authentication schemes are fully
>> configured"
>>
>> Is it possible for squid not to die but instead warn and then just
>> pass "-" (dash) for %ul?
> The %ul code will generate an auth challenge exchange if no username is
> available. So the auth system must be setup with parameters to use in
> that challenge.
>
> Use %un for when username is optional.
>
With %un I have a problem.

I have referenced the external acl twice in my squid.conf.

Simplified setup:

external_acl_type ipuser queue-size=40 ttl=120 children-max=1 children-startup=1 concurrency=20 %>a %un /usr/lib/squid/ip_to_user
acl proxyuser external ipuser
http_access allow proxyuser restrictedports
http_access allow proxyuser restrictedsites

where some ports and some sites are allowed only for some users.

So when I try %un (with no auth param set), the external acl helper gets
the request two times.

First time with "-" and then again with the username that the external acl
helper itself replied with.

Squid sends: 1 127.0.0.1 - -
Helper reply: 1 OK user=local
Squid sends: 2 127.0.0.1 local -

(Dash at end is due to automatic addition of %DATA macro by squid)

1 was triggered by the first http_access line and
2 was triggered by the second http_access because %un is either %ul or %ue
(which is now known due to 1)

In my case, it becomes completely unnecessary additional processing.

That is why I was thinking of an additional macro %uL (capital L).

Regards,
Amish.
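
A helper-side way to keep the repeated query cheap, as an added example that is not part of the original post or of Squid: it answers the `<channel-id> %>a %un %DATA` lines shown in the exchange above, caches the IP lookup so the second request costs only a dictionary hit, and rejects a request whose %un disagrees with its own mapping. The `IP_TO_USER` table, `CACHE_TTL`, `STATS` and the function names are assumptions made for illustration.

```python
import sys
import time

# Constructed sample mapping; a real helper would query its own data source.
IP_TO_USER = {"127.0.0.1": "local"}
CACHE_TTL = 120          # seconds, mirrors ttl=120 in the external_acl_type line
CACHE = {}               # ip -> (user or None, expiry time)
STATS = {"lookups": 0}   # counts how often the costly lookup really ran


def lookup_user(ip, now=None):
    """Return the user for ip, running the costly lookup at most once per TTL."""
    now = time.monotonic() if now is None else now
    hit = CACHE.get(ip)
    if hit and hit[1] > now:
        return hit[0]
    STATS["lookups"] += 1
    user = IP_TO_USER.get(ip)  # stand-in for the costly lookup
    CACHE[ip] = (user, now + CACHE_TTL)
    return user


def handle_line(line, now=None):
    """Answer one request of the form: <channel-id> <%>a> <%un> [<%DATA>]."""
    fields = line.split()
    if len(fields) < 3:
        # Malformed input: report a helper failure on the channel if one is present.
        return f"{fields[0]} BH" if fields else None
    channel, ip, name = fields[0], fields[1], fields[2]
    user = lookup_user(ip, now)
    if user is None:
        return f"{channel} ERR"
    if name not in ("-", user):
        # Squid already holds a username that disagrees with our mapping.
        return f"{channel} ERR"
    return f"{channel} OK user={user}"


def main():
    for line in sys.stdin:
        reply = handle_line(line)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()  # Squid waits for each reply line


if __name__ == "__main__":
    main()
```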