[squid-users] Delay pools and external acl
Alex Rousskov
rousskov at measurement-factory.com
Thu Oct 18 17:40:20 UTC 2018
On 10/18/2018 07:23 AM, Danilo V wrote:
> Please check where my mistake is.
>
> I implemented a custom external ACL
... but you are not _using_ that new "some_group" ACL. An ACL has no
effect unless it is actually used in some ACL-driven directive. You
probably want to add some_group to your http_access rules.
> http_port 3128
> auth_param basic program ...
> acl login proxy_auth REQUIRED
> http_access deny !login
> external_acl_type group ttl=360 ipv4 %LOGIN /ext_danilo_ldap_group.sh
> acl some_group external group Internet_Access
> acl groupInternet note group Internet_Access
> delay_pools 1
> delay_class 1 1
> delay_parameters 1 128000/128000
> delay_access 1 allow groupInternet
Alex.
> The external ACL type which handles such complex non-traffic things is
> clearly listed in the Squid FAQ (and the 'acl' directive documentation)
> as being a "slow" / async ACL type.
>
> Delay pools is also clearly listed as an access control which only works
> with "fast" category ACL types.
>
> <https://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs>
>
> Your external ACL just needs to supply Squid with a "tag=XX" or
> "group=XX" annotation to label the transaction with whichever group
> matches.
>
> # login is required to do group checking...
> acl login proxy_auth REQUIRED
> http_access deny !login
>
>
> # the decision to allow the traffic into the proxy does group checks
> # and adds annotations...
>
> external_acl_type group %LOGIN ...
> acl some_group external group XX
>
> http_access allow some_group
>
>
> # the decision of what pool(s) to apply has to work FAST - so uses the
> # annotations (already present or not present) as its decider:
>
> acl groupXX note group XX
>
> # or for older Squid
> acl groupXX note tag XX
>
> delay_access N allow groupXX
>
>
> Amos
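
A minimal sketch of the helper side of the approach quoted above, added here as an example (it is not code from the thread and not the poster's ext_danilo_ldap_group.sh): each request line gets an `OK group=<name>` or `ERR` reply, so a fast `note` ACL can later match the annotation. The membership table, user names and function names are constructed stand-ins for the LDAP query, and it assumes the non-concurrent helper protocol with user names that need no URL-unescaping.

```shell
#!/bin/sh
# Constructed membership table standing in for the LDAP lookup (assumption).
MEMBERS='
alice:Internet_Access
bob:Staff
'

# is_member USER GROUP: succeeds if "USER:GROUP" is a line in the table.
is_member() {
    printf '%s\n' "$MEMBERS" | grep -qxF -- "$1:$2"
}

# reply_for "USER GROUP...": print the helper reply for one request line
# (the %LOGIN value followed by the arguments of the external ACL).
reply_for() {
    set -f                      # no globbing while splitting the line
    set -- $1
    set +f
    [ $# -gt 0 ] || { echo "ERR"; return; }
    user=$1
    shift
    # Refuse names with characters that would need escaping in an LDAP filter.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "ERR"; return ;;
    esac
    for group in "$@"; do
        if is_member "$user" "$group"; then
            # The key=value pair is what labels the transaction in Squid.
            echo "OK group=$group"
            return
        fi
    done
    echo "ERR"
}

# serve: one reply line per request line, read from standard input.
serve() {
    while IFS= read -r line; do
        reply_for "$line"
    done
}

# Constructed requests; as a real helper, call plain `serve` to read stdin.
serve <<'EOF'
alice Internet_Access
bob Internet_Access
ali* Internet_Access
EOF
```

The slow external ACL still has to be evaluated in `http_access` for the annotation to exist by the time `delay_access` runs.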