Sorry List,
Resending without HTML.
Louis Gonzales wrote:
Dist,
Squid Version: 2.6.STABLE13
OS: Solaris 10
Compiled With:
configure options: '--prefix=/usr/local' '--enable-mempool-debug'
'--enable-xmalloc-statistics' '--enable-devpoll'
'--enable-storeio=ufs aufs' '--enable-icmp' '--enable-delay-pools'
'--enable-useragent-log' '--enable-referer-log' '--enable-ssl'
'--disable-http-violations' '--enable-large-cache-files'
'--enable-follow-x-forwarded-for' '--enable-auth=basic'
'--enable-basic-auth-helpers=LDAP'
'--enable-external-acl-helpers=ip_user ldap_group' '--with-pthreads'
'--with-aio' 'CC=/usr/sfw/bin/gcc'
Integrations:
OpenLDAP: 2.3.35
Custom:
External Helper PERL program call: external_acl_type eXhelperI
children=20 %LOGIN %{HOST} /usr/local/etc/squid/eXhelperI.pl
Question(on External Helper EH):
The PERL EH connects to a postgresql database, and checks the
LOGIN(user ID, like 'linuxlouis') and requested HOST(or internet
domain, like www.yahoo.com), if the LOGIN/HOST tuple exist in the
database, the EH returns "OK\n" - permit site - IF, they do not exist
in the database, the EH returns "ERR\n" - deny site.
When the webpage is fetched, usually it contains AD's or images that
are not served from the HOST( like www.yahoo.com, has
http//www.notyahoo.com/*.jpg files ) links as HREF tags in the main
www.yahoo.com page. The result is that even though www.yahoo.com for
LOGIN(linuxlouis) returns "OK\n" these extraneous sources of
images/ad's etc, essentially get caught by Squid, due to the fact that
probably the LOGIN/HOST(linuxlouis/www.notyahoo.com/some/image.jpg)
will return ERR, because for linuxlouis, maybe we don't have
www.notyahoo.com as a permissible site. Squid's behavior is for every
HREF/URL embedded in the HTML content at a given site, Squid passes
these also the EH to verify and rightly so...
"The question" is there a way to permit all of these additional
extraneous sources of images/ad's, as in, is there a way to tell
squid, "check the external helper for the LOGIN/HOST(website), if
permitted 'allow all content too?' Or perhaps, should I consider
rather using a custom redirector?
Any ideas would be great... thanks everyone!
