Re: Is external_acl_type must under authentication mode?

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

NetSnake wrote:
> You means I need set http_access allow all first?
> I tried that, but still no effect.
> Dose anybody have a simplest and good squid.conf configuration file
> with external_acl_type and cache_peer_access?

No I mean:
 http_access deny ipaddress
or
 http_access allow ipaddress

or some such blocking access checks that _uses_ the ipaddress ACL before 
cache_peer_access gets it.

Amos

> thanks a lot.
>
>
> 2009/1/14 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> > NetSnake wrote:
> > > Actually, I defined a cache_peer named host1 as this:
> > > cache_peer www.myhost.com parent 80 0 no-query no-digest originserver
> > > name=host1
> > >
> > > and I defined a ACL named ipaddress:
> > > acl ipaddress external checkip
> > >
> > > and then I defined the access rule, to deny access to hosts through my
> > > checkip script.
> > > cache_peer_access  host1 deny ipaddress
> > >
> > > And I found my script is already running after squid is up, and it can
> > > write data to the file.
> > > But it like squid just start up my script, and never call it when a
> > > connection arraived.
> > cache_peer_access is a fast-ACL check. It cannot wait for delayed actions
> > such as remote helpers to reply.
> >
> > It's also only checked after the request has been accepted.
> > You need to use your ACL in an http_access line first. Which will check it
> > early, and cache the result long enough for the peer checks to use.
> >
> > Amos
> >
> > > BTW, No SELinux running on my box.
> > >
> > > thanks.
> > >
> > > 2009/1/14 Chris Robertson <crobertson@xxxxxxx>:
> > > > NetSnake wrote:
> > > > > hi,all
> > > > > I want to use external_acl_type to distribute my user to different
> > > > > server, these user need NOT authentication.
> > > > > Squid start my application, but when I access to a special host, no
> > > > > data send to my program from Squid.
> > > > > my program is a very simple script, and when I use an existing
> > > > > application such as ip_user_check, still no actions.
> > > > > My squid configuration is:
> > > > > external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC
> > > > > /usr/local/squid/libexec/
> > > > > checkip.pl
> > > > > http_port 80 accel vhost vport
> > > > > cache_peer www.myhost.com parent 80 0 no-query no-digest originserver
> > > > > name=host1
> > > > > acl ipaddress external checkip
> > > > > cache_peer_access  www deny ipaddress
> > > > There is no cache_peer defined as "www".  There is one defined as
> > > > "www.myhost.com".  Perhaps that's a typo in the obfuscation of your
> > > > squid.conf.  Are you sure the checkip.pl script is runnable by the
> > > > squid_effective_user?  Does /tmp/squid.log exists?  If so, is it
> > > > writeable
> > > > by the squid_effective_user?  Are you running SELinux or AppArmor?
> > > >
> > > > > ...
> > > > >
> > > > > My program is very simple:
> > > > > cat checkip.pl
> > > > > #!/usr/bin/perl
> > > > > $| = 1;
> > > > > open(LOG, ">/tmp/squid.log");
> > > > > print LOG "RUNNING\n";
> > > > > close(LOG);
> > > > > while(defined($line = <STDIN>)){
> > > > >   print "OK\n";
> > > > >   open(LOG, ">>/tmp/squid.log");
> > > > >   print LOG "Got: $line\n";
> > > > >   close(LOG);
> > > > > }
> > > > >
> > > > >
> > > > > So, I think that, is external_acl_type must under authentication mode?
> > > > >
> > > > > thanks in advance.
> > > > Chris
> >
> > --
> > Please be using
> >  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
> >  Current Beta Squid 3.1.0.3


--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3