[squid-users] Display eCAP meta-information on Squid error-page
Alex Rousskov
rousskov at measurement-factory.com
Tue Jun 5 15:59:38 UTC 2018
On 06/05/2018 04:51 AM, Amos Jeffries wrote:
> The adaptor API purpose is to alter HTTP messages as they travel through
> the proxy, not to be a substitute for access control logic already
> available in the proxy.
This statement is incorrect for legitimate use cases where the required
access control logic is not supported by Squid internally. A typical
alternation-free example is content analysis (which Squid ACLs cannot
perform).
> So what your adaptor SHOULD be doing is simply
> producing the 403 Forbidden message itself.
Sometimes, that is the best solution indeed, but it may also be a bad
solution in some cases because it can be slower and because it
duplicates (or discards) a lot of advanced functionality already
implemented in Squid. The rule of thumb here is "If Squid can generate
the right blocking message, use Squid (instead of the adapter) to
generate the right blocking message".
> By using a header as described you are forcing Squid to:
> receive adapted message from eCAP
> re-parse that altered message,
> erase that altered message,
> generate a new denial (403) message, and
> deliver to client.
Adapter implementors are not "forced" to use the above sequence of
steps: The first three steps do not have to happen (they are optional).
An optimized adapter implementation that lets Squid generate the
blocking message is limited to the last two steps from your list:
generate a new denial (403) message, and
deliver to client.
> There is an "external ACL" interface provided for complex authorization
> logics to be offloaded to a helper process with more capabilities than
> the proxy. That should be used instead of eCAP/ICAP adaptors.
An adapter may be a better solution than the external ACL in some cases.
The actual decision logic here is roughly as follows:
* If built-in ACLs alone are sufficient, then
use just the built-in ACLs. They are usually simpler and faster.
* If an external ACL is sufficient and performance is not an issue, then
use an external ACL. It is a lot simpler to implement than an adapter.
* If the decision logic involves message body analysis, then
use an eCAP adapter or an ICAP service. Others do not get content.
* Otherwise, carefully evaluate external ACLs vs eCAP adapter choice
given your use case specifics. eCAP can be faster than an external
ACL or vice versa.
HTH,
Alex.
More information about the squid-users
mailing list