[squid-users] Fwd: cache_peer_access by dynamic ACL
Alex Rousskov
rousskov at measurement-factory.com
Wed Apr 26 13:34:38 UTC 2023
On 4/26/23 08:08, Alexeyяр Gruzdov wrote:
> Oh... Looks like I just need to send the list of my policy
> acls as the answer, for example
>
> user1 wanted to go over peer1 and peer3
> the answer from the external script must be like "OK proxy=peer1
> proxy=peer3" and looks like it works well like I need. User will go
> over peer1 and peer3 only by round-robin.
Instead of sending N same-name annotations to Squid, please try sending
one annotation with a comma-separated list of N values:
proxy=peer1,peer3,peer4
Rationale: Even if your current N-annotation setup "works", it is
essentially relying on undefined and/or questionable behavior that may
change. Using N-value annotations, you are avoiding that problem.
The "note" ACL has -m option that tells Squid to interpret the
annotation value as a list:
acl cleared_for_peer1 note -m proxy peer1
acl cleared_for_peer2 note -m proxy peer2
...
And, again, avoid using "proxy" as the annotation name: That name is
currently reserved for Squid own use. Use "proxy_" or any other name
ending with an underscore character. IMO, we should change the
policy/code to be more admin-friendly, but that change may not happen
for a long time, and modern Squids will warn you about reserved names
like "proxy":
https://github.com/squid-cache/squid/commit/27c36771bf145c2f8ca1efab6743b9e087867ab5
HTH,
Alex.
> Wed, 26 Apr 2023 at 15:40, Alexeyяр Gruzdov:
>
> Hello!
> Yes!
> Thank you!
>
>
> One more question pls:
>
> For example I have five cache_peers and an ACL associated with some
> cache peer.
> As you know, I used my external ACL script and now I can put
> the policy into the answer of my script, and squid will get the answer and
> use the correct ACL for the username.
> For example, the answer is "OK proxy=peer1" and the user will use
> cache_peer1, or if "OK proxy=all" the user will go over all of the
> cache_peers by round-robin.
> All works well.
> But how can I put something like a list of ACLs for a user? For
> example I want one user to go over peer1 and peer3 only,
> by round robin, but be denied over peer2, peer4, peer5. Of
> course better using an external ACL (as a DB). What do you think?
>
> Mon, 24 Apr 2023 at 18:07, Alex Rousskov <rousskov at measurement-factory.com>:
>
> On 4/23/23 14:28, Alexeyяр Gruzdov wrote:
>
> > One more, maybe the last thing: I found strange behavior - if I make
> > changes to my ext ACL script (it's python) and then "squid -k
> > reconfigure" then I can see that my script appears at the "TOP" of
> > processes and loads the CPU to 100%
>
> Check how your ACL script reacts to stdin closure/EOF. The script should
> quit but probably does not. Same for any stdin reading errors. On EOF,
> the script should use exit code zero. All these things are easy to test
> on the command line (without Squid).
>
> Alex.
>
> > Sun, 23 Apr 2023 at 16:36, Amos Jeffries <squid3 at treenet.co.nz>:
> >
> > On 23/04/2023 5:27 pm, Alexeyяр Gruzdov wrote:
> > > Hello Guys!
> > > Thank you very much! For now all works like I needed!
> > >
> > > But I have one more question about how I could use the kv-pair:
> > ...
> > > and then ACL with "note proxy all"
> > > But how must the kv-pair look for this tag of mine?
> > >
> > > I have tried to get answer from my ext script like
> > > “OK”
> > > “proxy=all”
> > >
> > > But looks like it’s not correct
> > >
> >
> > This part of the instructions was missed:
> >
> > https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols
> > "
> > For every line sent by Squid exactly one line is expected back. Some
> > script languages such as perl and python need to be careful about the
> > number of newlines in their output.
> > "
> >
> > If your helper received something like this (with concurrency
> > channel-id "1"):
> >
> > "1 bob 192.0.2.1"
> >
> > It should produce a line like:
> > "1 OK proxy=all"
> >
> > If no concurrency channel-id is received, then output is the same but
> > without sending channel-id back and MUST be sent in the same order as
> > received.
> >
> > I do recommend using concurrency. It can help further debug issues with
> > helpers responding incorrectly.
> >
> > HTH
> > Amos
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
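A helper that follows the protocol points raised in this thread, namely Amos's rule of exactly one reply line per request with the concurrency channel-id echoed back, Alex's advice to send one comma-separated annotation under a name ending in an underscore, and his note that the script must exit with code zero on stdin EOF. This is an added example, not code from the thread or from the Squid project; the squid.conf lines in the docstring, the helper name peer_policy, the annotation name proxy_ and the login-to-peer table are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper mapping a login to the peers it may use.
Assumed squid.conf wiring (hypothetical names, not from the thread):
  external_acl_type peer_policy concurrency=10 ttl=300 %LOGIN /usr/local/bin/peer_policy.py
  acl policy_ok external peer_policy
  acl cleared_for_peer1 note -m proxy_ peer1
  cache_peer_access peer1 allow policy_ok cleared_for_peer1
"""
import sys

# Constructed sample policy; a real deployment would look this up in a DB.
POLICY = {
    "user1": ["peer1", "peer3"],
    "user2": ["peer2"],
}


def decide(line, concurrent=True):
    """Turn one request line from Squid into exactly one reply line.

    With concurrency=N, Squid prefixes each request with a channel-id that
    must be echoed back.  Allowed peers go into ONE annotation whose value
    is a comma-separated list, under a name ending in '_' because the bare
    name 'proxy' is reserved by Squid.
    """
    fields = line.strip().split()
    channel = ""
    if concurrent and fields:
        channel = fields.pop(0) + " "
    if not fields:
        return channel + "BH message=missing_login"  # BH: helper-side fault
    peers = POLICY.get(fields[0])
    if peers is None:
        return channel + "ERR"  # unknown login: deny rather than fail open
    return channel + "OK proxy_=" + ",".join(peers)


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer every line until Squid closes stdin, then return 0.
    Returning on EOF avoids the 100% CPU spin seen after 'squid -k
    reconfigure' when a helper keeps reading a closed pipe."""
    for line in stream_in:
        stream_out.write(decide(line) + "\n")
        stream_out.flush()  # exactly one line out per line in, no buffering
    return 0


if __name__ == "__main__":
    sys.exit(serve())
```

Testing without Squid is as simple as piping a few request lines into the script and checking that it prints one reply per line and exits 0 when the pipe closes.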