[squid-users] Define and use a variable in squid.conf (Was: What happens when duplicate external_acl_type are mentioned)
Amos Jeffries
squid3 at treenet.co.nz
Sun Dec 2 13:15:42 UTC 2018
On 3/12/18 12:41 am, Amish wrote:
>
>
> On 02/12/18 3:20 pm, Amos Jeffries wrote:
>> On 2/12/18 5:31 pm, Amish wrote:
>>> On 02/12/18 9:33 am, Alex Rousskov wrote:
>>>> To reduce long-term headaches, I think we should be strict and deprecate
>>>> (and then prohibit) ignoring duplicated external_acl_type declarations.
>>>>
>>>> I do not see any good reasons for ignoring this configuration error
>>>> forever. FWIW, the use case discussed in this thread is not a good
>>>> reason IMO because Squid configuration in question can and should be
>>>> easily generated (probably from a stable template) to correctly
>>>> accommodate the needs of the current authentication method.
>>>>
>>> Thank you for your clarification.
>>>
>>> Now I am looking for alternate ways I can resolve my issue.
>>>
>> What is wrong with %un that makes it unusable?
>>
>> It will contain username when Squid has been told a username and '-'
>> when none is known.
>
> I believe you missed my reply. Here is the archive link to it:
>
> http://lists.squid-cache.org/pipermail/squid-users/2018-December/019759.html
>
Ah, yes it has not arrived here for some reason.

There are actually _up to four_ helper checks being done when %ul is
used. Performance optimizations in Squid were/are preventing them being
very visible for Basic auth type and external ACL. But the helper state
is still being checked and if any of the cache TTLs end the check may
fall through to do a full helper query.

* Each test of the proxyuser ACL involves a check of the external
  helper cache.
  - If there was no cached result with that exact pattern a full query
    is sent.

* Each test of the cache for an external helper using %ul (aka. %LOGIN)
  requires a check of the auth_param helper cache (if any).
  - If there was no cached result with that exact pattern OR if the auth
    scheme does not cache results, a full query is sent to the auth_param
    helper.

With your config and %ul:

- (1) the auth_param helper is asked to login the client and provide a
  username
 then:
- (2A) the external ACL helper is asked if "user=X" username is okay
 OR:
- (2B) the external ACL helper is asked if "-" username is okay
 then:
- (3) the auth_param helper is asked to login the client and provide a
  username
 then:
- (4A) the external ACL helper is asked if "user=X" username is okay
 OR:
- (4B) the external ACL helper is asked if "-" username is okay

With your config and %un:

- (1) the external ACL helper is asked if "-" username is okay,
 then:
- (2A) the external ACL helper is asked if "user=X" username is okay
 OR:
- (2B) the external ACL helper is asked if "-" username is okay

For optimal performance (under either setup) you need to restructure
these lines:

  http_access allow proxyuser restrictedports
  http_access allow proxyuser restrictedsites

such that the helper is not being used multiple times:

  http_access deny !proxyuser
  http_access allow restrictedports
  http_access allow restrictedsites

Or,

  acl restrictedPlaces anyof restrictedports restrictedsites
  http_access allow proxyuser restrictedPlaces

Amos
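
The three http_access layouts from the message above, run through a small model of Squid's rule evaluation to count how often the proxyuser helper ACL is tested. This is an added example, not part of the original post and not Squid code; evaluate(), the rule tables and the sample request are hypothetical, and it assumes no helper result is cached, so every test of proxyuser costs one helper query.

```python
# Simplified model: http_access lines are tried top to bottom, the ACLs on a
# line left to right, stopping at the first ACL that does not match.
# Assumption: helper caching is off, so each proxyuser test is one query.

def evaluate(rules, facts, anyof=None):
    """Return (verdict, helper_queries) for one request.

    rules: list of (action, [acl names]); a leading "!" negates the ACL.
    facts: acl name -> bool for this request (constructed input).
    anyof: group name -> member ACL names, modelling "acl X anyof ...".
    """
    anyof = anyof or {}
    queries = 0

    def test(name):
        nonlocal queries
        if name.startswith("!"):
            return not test(name[1:])
        if name in anyof:
            return any(test(m) for m in anyof[name])  # stops at first match
        if name == "proxyuser":
            queries += 1                              # one helper lookup
        return facts[name]

    for action, acls in rules:
        if all(test(a) for a in acls):                # stops at first mismatch
            return action, queries
    return None, queries    # nothing matched: later http_access lines decide

ORIGINAL = [("allow", ["proxyuser", "restrictedports"]),
            ("allow", ["proxyuser", "restrictedsites"])]
DENY_FIRST = [("deny", ["!proxyuser"]),
              ("allow", ["restrictedports"]),
              ("allow", ["restrictedsites"])]
ANYOF = [("allow", ["proxyuser", "restrictedPlaces"])]
GROUPS = {"restrictedPlaces": ["restrictedports", "restrictedsites"]}

# Constructed request: known user, port not listed, site listed.
REQUEST = {"proxyuser": True, "restrictedports": False, "restrictedsites": True}

if __name__ == "__main__":
    for label, rules, groups in (("original", ORIGINAL, None),
                                 ("deny first", DENY_FIRST, None),
                                 ("anyof", ANYOF, GROUPS)):
        print(label, evaluate(rules, REQUEST, groups))
```

In this model the deny-first layout rejects a request that fails proxyuser outright, while the original and anyof layouts leave such a request to whatever http_access lines follow.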