[squid-users] Delay pools and external acl

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 17 03:38:03 UTC 2018


On 16/10/18 11:09 AM, Danilo V wrote:
> Hi all,
> 
> Has anyone succeeded applying delay pools on groups from AD?
> 
> I'm using squid 3.5.23 with basic_ldap_auth.
> I initially tried to combine mapping groups with external acl type
> (ext_ldap_group_acl) to delay pools. It's a trap :-(
> 

A trap?

For starters, "group" is an abstract concept buried in the depths of
authentication which has nothing to do with traffic. It is a purely
human scoping idea. Squid knows nothing of any "group".


The external ACL type which handles such complex non-traffic things is
clearly listed in the Squid FAQ (and the 'acl' directive documentation)
as being a "slow" / async ACL type.

Delay pools is also clearly listed as an access control which only works
with "fast" category ACL types.

<https://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>



> After doing more search I found about class 5 and note acl.
> Has anyone a practical implementation in this scenario?

Yes, several admins have done so. But with custom helpers that integrate
with the new annotation system, or the Kerberos helpers that have been
upgraded to integrate as well. Other helpers have not been updated yet.


Your external ACL just needs to supply Squid with a "tag=XX" or
"group=XX" annotation to label the transaction with whichever group
matches.

 # login is required to do group checking...
 acl login proxy_auth REQUIRED
 http_access deny !login


 # the decision to allow the traffic into the proxy does group checks
 # and adds annotations...

 external_acl_type group %LOGIN ...
 acl some_group external group XX

 http_access allow some_group


 # the decision of what pool(s) to apply has to work FAST - so uses the
 # annotations (already present or not present) as its decider:

 acl groupXX note group XX

 # or for older Squid
 acl groupXX note tag XX

 delay_access N allow groupXX


Amos
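
A custom helper of the kind described above, as an added example that is not part of the original message or of the Squid project: it answers each lookup with "OK group=XX" so the fast `note` ACL can later pick the delay pool. Assumptions: the helper is started by `external_acl_type group %LOGIN ...` without concurrency, input tokens arrive URL-escaped, and the names `answer`, `MEMBERS` and `SAFE_NAME` plus the membership table are hypothetical stand-ins for a real AD/LDAP lookup.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: replies OK group=<name> or ERR per request."""
import re
import sys
from urllib.parse import unquote

# Constructed membership data; a real helper would query AD/LDAP here.
MEMBERS = {
    "alice": {"staff", "admins"},
    "bob": {"students"},
}
# Group names echoed back must not be able to break the key=value reply.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def answer(line, members=MEMBERS):
    """Map one request line ("login group [group ...]") to a helper reply."""
    # %LOGIN comes first, followed by the group names listed on the acl line.
    tokens = [unquote(t) for t in line.split()]
    if len(tokens) < 2:
        return "ERR"  # no login, or no group to test against
    login, wanted = tokens[0], tokens[1:]
    for group in wanted:
        if SAFE_NAME.match(group) and group in members.get(login, ()):
            # The annotation is what "acl groupXX note group XX" matches on.
            return "OK group=" + group
    return "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits on every reply; never buffer output


if __name__ == "__main__":
    main()
```
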

