[squid-users] Problem with 'delay_access' using acl external

Carlos André candrecn at gmail.com
Tue Sep 10 17:54:44 UTC 2024


Hi ppl!

I'm getting an annoying problem with Squid 5.5 (works OK on old Squid 2.6).

My "delay_class" simply DOESN'T work if I use an external acl (helper - LDAP
or winbind [ext_wbinfo_group_acl], same problem). delay_class works OK using
a proxy_auth acl or a src acl... but nothing with an external.

I need to use external because I use groups to specify Internet speed/policy
per user.

All I get in cache.log is this WARNING (I Googled this one but didn't find
anything helpful):
================================================================
2024/09/10 14:30:28 kid1| WARNING: Group_Internet ACL is used in context
without an ALE state. Assuming mismatch.
    current master transaction: master62
================================================================

Can anyone give me a hand with this one??
Thanks a lot!!!
Carlos



Below is my sample squid.conf:
================================================================

acl SSL_ports port 443 6443 8443 8080 8008
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

http_port 8080

cache_dir ufs /var/spool/squid 8192 32 128

coredump_dir /var/spool/squid

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/SERVER@REALM.LAN
auth_param negotiate children 20 startup=2 idle=2

external_acl_type AD ttl=360 children-startup=2 children-max=20 children-idle=2 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -Z -K -R -d -h 192.168.0.10 -b "dc=realm,dc=lan" -D "cn=squid,cn=Users,dc=realm,dc=lan" -w password1234 -f "(&(cn=%u)(memberof=cn=%g,cn=Users,dc=realm,dc=lan))"

acl kerb-auth proxy_auth REQUIRED

acl Group_Internet external AD Internet_Access
acl User proxy_auth carlos@REALM.LAN
acl src_carlos_ip src 192.168.0.100

http_access allow Group_Internet # works!
http_access deny all


delay_pools 2
delay_class 1 2
delay_class 2 2

delay_parameters 1   4096000/4096000  2048000/2048000
delay_parameters 2   2048000/2048000   512000/512000

delay_access 1 allow Group_Internet  # won't work (Squid ignores it and passes to next delay_access)
#delay_access 1 allow User           # works!
#delay_access 1 allow src_carlos_ip  # works!
delay_access 1 deny all

delay_access 2 allow all
================================================================
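
An added example (not part of the original post and not Squid project code): a small Python check for the pattern reported above, external-type ACLs referenced from delay_access, cross-checked against the "without an ALE state" warning in cache.log. The sample configuration and log line are constructed from the post, and the function names are this example's own.

```python
import re

# Constructed sample input, trimmed from the configuration in the post above.
SAMPLE_CONF = """\
external_acl_type AD ttl=360 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -R
acl kerb-auth proxy_auth REQUIRED
acl Group_Internet external AD Internet_Access
acl src_carlos_ip src 192.168.0.100
http_access allow Group_Internet # work!
delay_access 1 allow Group_Internet  # won't work
#delay_access 1 allow src_carlos_ip  # work!
delay_access 1 deny all
delay_access 2 allow all
"""

# Constructed sample: the warning from the post as a single cache.log line.
SAMPLE_LOG = (
    "2024/09/10 14:30:28 kid1| WARNING: Group_Internet ACL is used in "
    "context without an ALE state. Assuming mismatch.\n"
)

WARN_RE = re.compile(r"WARNING: (\S+) ACL is used in context without an ALE state")


def external_acls_in_delay_access(conf_text):
    """Return (line_no, pool, acl_name) for each delay_access rule that
    references an ACL declared with type 'external' (negated or not)."""
    external, rules = set(), []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tokens) >= 3 and tokens[0] == "acl" and tokens[2] == "external":
            external.add(tokens[1])
        elif len(tokens) >= 4 and tokens[0] == "delay_access":
            rules.append((no, tokens[1], tokens[3:]))
    return [(no, pool, name.lstrip("!"))
            for no, pool, names in rules
            for name in names if name.lstrip("!") in external]


def warned_acls(log_text):
    """Return the ACL names that appear in 'without an ALE state' warnings."""
    return set(WARN_RE.findall(log_text))


if __name__ == "__main__":
    seen = warned_acls(SAMPLE_LOG)
    for no, pool, name in external_acls_in_delay_access(SAMPLE_CONF):
        status = "also warned in cache.log" if name in seen else "no warning seen"
        print(f"line {no}: delay_access {pool} uses external ACL {name} ({status})")
```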