Re: Is external_acl_type must under authentication mode?

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

NetSnake wrote:
> Actually, I defined a cache_peer named host1 as this:
> cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
>
> and I defined a ACL named ipaddress:
> acl ipaddress external checkip
>
> and then I defined the access rule, to deny access to hosts through my
> checkip script.
> cache_peer_access  host1 deny ipaddress
>
> And I found my script is already running after squid is up, and it can
> write data to the file.
> But it like squid just start up my script, and never call it when a
> connection arraived.

cache_peer_access is a fast-ACL check. It cannot wait for delayed 
actions such as remote helpers to reply.

It's also only checked after the request has been accepted.
You need to use your ACL in an http_access line first. Which will check 
it early, and cache the result long enough for the peer checks to use.

Amos

> BTW, No SELinux running on my box.
>
> thanks.
>
> 2009/1/14 Chris Robertson <crobertson@xxxxxxx>:
> > NetSnake wrote:
> > > hi,all
> > > I want to use external_acl_type to distribute my user to different
> > > server, these user need NOT authentication.
> > > Squid start my application, but when I access to a special host, no
> > > data send to my program from Squid.
> > > my program is a very simple script, and when I use an existing
> > > application such as ip_user_check, still no actions.
> > > My squid configuration is:
> > > external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC
> > > /usr/local/squid/libexec/
> > > checkip.pl
> > > http_port 80 accel vhost vport
> > > cache_peer www.myhost.com parent 80 0 no-query no-digest originserver
> > > name=host1
> > > acl ipaddress external checkip
> > > cache_peer_access  www deny ipaddress
> > There is no cache_peer defined as "www".  There is one defined as
> > "www.myhost.com".  Perhaps that's a typo in the obfuscation of your
> > squid.conf.  Are you sure the checkip.pl script is runnable by the
> > squid_effective_user?  Does /tmp/squid.log exists?  If so, is it writeable
> > by the squid_effective_user?  Are you running SELinux or AppArmor?
> >
> > > ...
> > >
> > > My program is very simple:
> > > cat checkip.pl
> > > #!/usr/bin/perl
> > > $| = 1;
> > > open(LOG, ">/tmp/squid.log");
> > > print LOG "RUNNING\n";
> > > close(LOG);
> > > while(defined($line = <STDIN>)){
> > >    print "OK\n";
> > >    open(LOG, ">>/tmp/squid.log");
> > >    print LOG "Got: $line\n";
> > >    close(LOG);
> > > }
> > >
> > >
> > > So, I think that, is external_acl_type must under authentication mode?
> > >
> > > thanks in advance.
> > Chris


--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3