[squid-users] cache_peer selection based on username
Amos Jeffries
squid3 at treenet.co.nz
Tue Jan 12 01:46:01 UTC 2021
On 11/01/21 8:06 am, roee klinger wrote:
> Thanks, Eliezer, I was able to get it working.
> Here is an example in case anybody runs into this in the future:
>
> acl mynote1 note mykey note1
> acl mynote2 note mykey note2
>
FYI, key names ending with "_" character are reserved for custom keys
like this.
> external_acl_type user_whitelist_external children-max=20 ttl=300
> %>lp %>a script.sh
NP: this does not check for users or authenticated traffic at all. It is
only using the client-IP and Squid receiving port number.
To meet the earlier stated requirement about authenticated traffic the
helper format should contain %un. The lines below should follow the
http_access rules doing authentication checks.
You could also have the helper doing authentication send the notes to
Squid. eg as a group name.
> acl whitelisted_users external user_whitelist_external
> http_access allow whitelisted_users
>
> nonhierarchical_direct off
> never_direct allow all
> cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1
> cache_peer_access proxy1 allow mynote1
> cache_peer_access proxy0.2 deny all
> cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2
> cache_peer_access proxy2 allow mynote2
> cache_peer_access proxy0.3 deny all
>
NP: there is no peer named "proxy0.2" or "proxy0.3" so those deny lines
are not doing anything. The only reason this config does what it appears
at first glance to do, is that the inverted default for the prox1 and
proxy2 peer access rules default is deny.
>
> Then, on the external helper, I return one of these two:
>
> OK mykey=note1
> OK mykey=note2
>
>
Amos
More information about the squid-users
mailing list