[squid-users] Problem with 'delay_access' using acl external

Alex Rousskov rousskov at measurement-factory.com
Tue Sep 10 21:11:15 UTC 2024


On 2024-09-10 13:54, Carlos André wrote:

> My "delay_class" simply DOESN'T work if I use an acl external (helper - 
> LDAP or winbind [ext_wbinfo_group_acl], same problem); delay_class works 
> ok using an acl proxy_auth or acl src..., but nothing with an external.

I believe your configuration is suffering from two semi-independent 
problems:


Problem A:

External ACLs are so-called "slow" or "asynchronous" ACLs. They should 
not be used together with directives that do not support "slow" ACLs. It 
is not explicitly documented, but the delay_access directive does _not_ 
support slow ACLs AFAICT. It only supports "fast" ACLs.

N.B. Due to ACL caching side effects, using slow ACLs with directives 
that do not support them may appear to "work" in certain cases, but it 
is not supported and should not be relied upon.


> I need to use external because I use groups to specify Internet 
> speed/policy per user.

I recommend checking your Group_Internet ACL at http_access time instead 
of delay_access time; http_access directive supports slow ACLs and 
should be evaluated before delay_access is.

Use annotate_transaction or annotate_client ACLs to remember whether the 
Group_Internet ACL has matched at http_access evaluation time. Use a 
"note" ACL to check whether those annotations have been set. The "note" 
ACL is a "fast" ACL. The annotate_transaction documentation in 
squid.conf.documented has a relevant example. There are also potentially 
relevant examples in the bug #4993 report (among others):
https://bugs.squid-cache.org/show_bug.cgi?id=4993


Problem B:

> 2024/09/10 14:30:28 kid1| WARNING: Group_Internet ACL is used in context 
> without an ALE state. Assuming mismatch.

I have not checked carefully, but this could be a bug fixed in v6. The 
corresponding commit says "delay_pool_access lacked ... details beyond 
src/dst addresses".

Upgrade to v6+. If you are still getting a similar runtime WARNING, then 
there is another Squid bug that needs to be fixed.


HTH,

Alex.


> Below is my sample squid.conf:
> ================================================================
> 
> acl SSL_ports port 443 6443 8443 8080 8008
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> 
> http_port 8080
> 
> cache_dir ufs /var/spool/squid 8192 32 128
> 
> coredump_dir /var/spool/squid
> 
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/SERVER@REALM.LAN
> auth_param negotiate children 20 startup=2 idle=2
> 
> external_acl_type AD ttl=360 children-startup=2 children-max=20 children-idle=2 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -Z -K -R -d -h 192.168.0.10 -b "dc=realm,dc=lan" -D "cn=squid,cn=Users,dc=realm,dc=lan" -w password1234 -f "(&(cn=%u)(memberof=cn=%g,cn=Users,dc=realm,dc=lan))"
> 
> acl kerb-auth proxy_auth REQUIRED
> 
> acl Group_Internet external AD Internet_Access
> acl User proxy_auth carlos@REALM.LAN
> acl src_carlos_ip src 192.168.0.100
> 
> http_access allow Group_Internet # work!
> http_access deny all
> 
> 
> delay_pools 2
> delay_class 1 2
> delay_class 2 2
> 
> delay_parameters 1   4096000/4096000  2048000/2048000
> delay_parameters 2   2048000/2048000   512000/512000
> 
> delay_access 1 allow Group_Internet  # won't work (Squid ignores it and passes to the next delay_access)
> #delay_access 1 allow User           # work!
> #delay_access 1 allow src_carlos_ip  # work!
> delay_access 1 deny all
> 
> delay_access 2 allow all
> ###############################################################
> 
> #
> delay_access 1 allow Group_Internet  # won't work (Squid ignores it and passes to the next delay_access)
> #delay_access 1 allow User           # work!
> #delay_access 1 allow src_carlos_ip  # work!
> delay_access 1 deny all
> 
> #
> delay_access 2 allow all
> ================================================================
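The approach Alex outlines above, written out as an added example (not code from the thread or from Squid's own documentation): the slow external ACL is checked only at http_access time, an annotate_transaction ACL records the match, and delay_access checks the fast "note" ACL instead. The ACL names markGroupInternet and fromGroupInternet and the annotation key/value group=internet are assumptions; Group_Internet, the external_acl_type AD and the pool definitions come from the quoted squid.conf.

```conf
# squid.conf fragment (added example; markGroupInternet, fromGroupInternet
# and group=internet are assumed names, the rest is from the quoted config)

acl Group_Internet external AD Internet_Access

# annotate_transaction always matches and adds the annotation as a side
# effect. It is listed AFTER Group_Internet on the http_access line, so the
# annotation is only added when the slow external ACL has already matched.
acl markGroupInternet annotate_transaction group=internet

# note is a fast ACL: matches when the transaction carries group=internet
acl fromGroupInternet note group internet

# The slow ACL is evaluated here, where http_access supports it
http_access allow Group_Internet markGroupInternet
http_access deny all

delay_pools 2
delay_class 1 2
delay_class 2 2
delay_parameters 1 4096000/4096000 2048000/2048000
delay_parameters 2 2048000/2048000  512000/512000

# Unsupported (slow ACL in a fast-only directive):
#   delay_access 1 allow Group_Internet
# Supported: only the fast note ACL set during http_access is consulted
delay_access 1 allow fromGroupInternet
delay_access 1 deny all
delay_access 2 allow all
```

Requests that were allowed by Group_Internet land in pool 1; everything else that passes http_access falls through to pool 2.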
> 