[squid-users] Best practice for adding or removing ACLs dynamically ?
Amos Jeffries
squid3 at treenet.co.nz
Sat Oct 31 15:40:17 UTC 2020
On 31/10/20 1:34 pm, roee klinger wrote:
>
> Hey,
> I have Squid configured to send users to different outgoing interface like so:
>
> ..
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/htpassword
> acl acl_for_user3002 proxy_auth user2
> tcp_outgoing_address 192.168.8.12 acl_for_user3002
> http_port 3002 name=3002
No need to name a *_port like this. The default name is the first
parameter string ("3002" on this line).
> http_access allow authenticated
> ..
>
> When I wanted to change the username:password for user2, I run a bash script to change it in squid.conf and also in htpassword and then I run "squid -k reconfigure", if I don't reconfigure the old user still has access to the proxy and the new one doesn't for about 30 minutes.
>
No need to restart for that change. The helper you have there will
automatically detect changes to the htpassword file and reload it.
It is a little odd that the new user was not able to authenticate. Check
that your test did not look up and cache a non-existence result for them
prior to being added.
The delay is due to the credentials being valid for a period of time. To
reduce workload on the auth system Squid caches credential details for a
while.
Set "auth_param basic credentialsttl " to shorter values to reduce the
delay (default is 2hrs).
> I am expecting to have 100s of users soon that will change credentials often, and also I would like to blacklist websites often and on the fly, so I was searching for a better way to manage this without reconfiguring every time, since sometimes a reconfigure can take up to 10-15 seconds.
>
This helper does not need a reconfigure at all as far as I can tell from
the code.
All the reconfigure was doing for you previously was triggering an early
prune of the records in the credentials cache. Probably why you saw
about 30min delay instead of about 2hrs.
> I am new to Squid and wasn't able to find any info on this, am I doing this correctly or is there a better way to change users/ACLs on the fly without reloading Squid?
>
Config changes in squid.conf itself need a reconfigure or sometimes a
restart.
For auth and ACLs whose values come into Squid from a helper, it
depends on the helper itself. Most can auto-detect changes to their
background databases and do not need anything from Squid to update the
outputs. All helpers do have some form of caching of their results by
Squid, so there are settings in squid.conf to tune that to your needs -
as you can see from the auth issue above.
For ACLs with values that are expected to change often it is best to use
an external_acl_type helper that manages the updates or fetches from
somewhere the updates are handled without a reload.
Amos
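The external_acl_type approach Amos suggests for the frequently-changing blacklist, as an added example that is not part of the thread or of Squid's own code: a helper that answers OK/ERR from a domain blocklist file and re-reads the file whenever its mtime changes, so editing the list never requires "squid -k reconfigure". The squid.conf wiring in the docstring, the helper path and the blocklist path are assumptions.

```python
"""Squid external_acl_type helper: a domain blocklist re-read on every mtime
change, so blocking new sites needs no 'squid -k reconfigure'. Assumed
squid.conf wiring (hypothetical, not from the thread):
  external_acl_type dyn_block ttl=10 negative_ttl=10 concurrency=10 %DST /usr/local/bin/dyn_block_acl.py /etc/squid/blocked_domains.txt
  acl blocked_site external dyn_block
  http_access deny blocked_site
ttl/negative_ttl keep Squid's own result cache short, like credentialsttl for auth.
"""
import os
import sys

def parse_blocklist(text):
    domains = set()  # one domain per line; blanks and '#' comments ignored
    for line in text.splitlines():
        line = line.strip().lower().lstrip('.')
        if line and not line.startswith('#'):
            domains.add(line)
    return domains

def is_blocked(host, domains):
    parts = host.lower().rstrip('.').split('.')  # match host or any parent
    return any('.'.join(parts[i:]) in domains for i in range(len(parts)))

class Blocklist:
    """Reloads the blocklist file whenever its mtime changes."""
    def __init__(self, path):
        self.path, self.mtime, self.domains = path, None, set()
    def __call__(self, host):
        try:
            mtime = os.stat(self.path).st_mtime
        except FileNotFoundError:
            self.mtime, self.domains = None, set()  # missing file blocks nothing
            return False
        if mtime != self.mtime:  # file edited or replaced: re-read it
            with open(self.path) as fh:
                self.domains = parse_blocklist(fh.read())
            self.mtime = mtime
        return is_blocked(host, self.domains)

def answer(line, lookup):
    """'<channel-id> <host>' -> '<channel-id> OK' (blocked) or 'ERR' (allowed)."""
    fields = line.split()
    if len(fields) < 2:  # BH = helper problem, which Squid does not cache
        return (fields[0] + ' ' if fields else '') + 'BH message=missing_host'
    return f"{fields[0]} {'OK' if lookup(fields[1]) else 'ERR'}"

if __name__ == '__main__':
    lookup = Blocklist(sys.argv[1] if len(sys.argv) > 1 else '/etc/squid/blocked_domains.txt')
    for request in sys.stdin:
        print(answer(request, lookup), flush=True)
```

Because the helper is only consulted when Squid's external ACL cache misses, a newly added domain takes effect within ttl seconds; set it as low as the lookup load allows.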