[squid-users] squid 5.1: external_acl_type: Get public remote address
Amos Jeffries
squid3 at treenet.co.nz
Thu Sep 16 14:21:51 UTC 2021

On 16/09/21 10:09 pm, David Touzeau wrote:
> Hi community, Squid fans
>
> I would like to use an external acl process for Geoip processing
>
> I have tried to set up squid to send the remote peer address using %<a
> code but it always replies with a "-"
>
> external_acl_type MyGeopip ttl=3600 negative_ttl=3600 children-startup=2
> children-idle=2 children-max=20 concurrency=1 ipv4 %un %SRC %SRCEUI48
> %>ha{X-Forwarded-For} %DST %ssl::>sni %USER_CERT_CN %note %<a
> /lib/squid3/squid-geoip
>
> acl MyGeopip_acl external MyGeopip
> http_access deny !MyGeopip_acl
>
> I was thinking that Squid calls the helper before resolving the remote route.
>

The problem is there is no server/peer connection at all for a
transaction that has only been received and not yet processed by Squid.

> So to force it, I have added a "fake" acl to force Squid to calculate
> the remote address.
>
> acl fake_dst dst 127.0.0.2
> http_access deny !fake_dst !MyGeopip_acl
>
> But it failed too, the external_acl still receives the "-" instead of the
> remote public IP address of the server
>

Aye. There is still no server.

All this dst ACL changed was that Squid knows a group of IPs it *might*
select from. The decision whether to use one of them (or somewhere
entirely different) has not yet been made, so there is still no server.

The "%<a" displays the "last server or peer connection". It can change
when automated retries are done, and is "-" at all points before any
server contact.

Amos
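
Added example (not part of the original thread and not Squid project code): a helper for the field list in the question that treats "-" in the %<a position as "no server yet" and classifies the %DST value instead. Assumptions: each request line starts with a channel-ID because of concurrency=1; the GeoIP table, the ALLOWED policy and the helper-side DNS fallback are constructed for illustration, and the address the helper resolves may differ from the one Squid later connects to.

```python
#!/usr/bin/env python3
import ipaddress
import socket
import sys
from urllib.parse import unquote

# Field order copied from the external_acl_type line in the question.
FIELDS = ["un", "src", "eui48", "xff", "dst", "sni", "cert_cn", "note", "server_ip"]
# Constructed GeoIP table: documentation ranges, user-assigned country codes.
GEO_TABLE = {"192.0.2.0/24": "XA", "198.51.100.0/24": "XB"}
ALLOWED = {"XA"}  # hypothetical policy


def resolve(host):
    """Assumed fallback: the helper resolves the %DST host name itself."""
    try:
        return socket.getaddrinfo(host, None, socket.AF_INET)[0][4][0]
    except OSError:
        return None


def country_of(ip):
    """Look an address up in GEO_TABLE; None if unknown or unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, code in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return code
    return None


def handle(line, resolver=resolve):
    """Build the reply for one request line: '<channel> OK|ERR|BH ...'."""
    parts = line.split()
    if len(parts) != len(FIELDS) + 1:  # channel-ID plus nine format codes
        return (parts[0] if parts else "0") + " BH message=bad-field-count"
    req = dict(zip(FIELDS, map(unquote, parts[1:])))
    ip = req["server_ip"]
    if ip == "-":  # %<a is "-": no server connection exists yet
        ip = req["dst"]
        if country_of(ip) is None and not ip.replace(".", "").isdigit():
            ip = resolver(ip)  # %DST was a host name, not an IPv4 literal
    code = country_of(ip) if ip else None
    return f"{parts[0]} {'OK' if code in ALLOWED else 'ERR'} tag={code or 'unknown'}"


if __name__ == "__main__":
    for request in sys.stdin:
        print(handle(request), flush=True)
```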