Re: External ACL lookups always cause ACL no-match?


Chris Dillon wrote:
I'm trying to implement an external ACL helper that does an IP address to username lookup, but I'm having trouble with Squid using an external ACL helper in general. I'm running Squid 2.7.5 on FreeBSD 7.1. To rule out my custom written helper program as the culprit, I created a basic external helper in Perl that just looks like this:


You are not flushing STDOUT.

#!/usr/bin/perl
# Flush STDOUT
$|=1;
while(<STDIN>) {
        print STDOUT "OK\n";
}

I've simplified my previously complex squid.conf to the point where there is very little left that is not commented out. The relevant bits of squid.conf look like this:

external_acl_type IP-LOOKUP %SRC /usr/local/etc/squid/always-ok.pl
acl IP-TO-USER external IP-LOOKUP
acl WIRELESS-GUEST-NET  src 10.15.5.0/255.255.255.0
http_access allow WIRELESS-GUEST-NET IP-TO-USER
http_reply_access allow WIRELESS-GUEST-NET IP-TO-USER
http_reply_access allow all
debug_options ALL,1 28,9 29,9 33,9 58,9 82,9

If I remove the "IP-TO-USER" acl from http_access and http_reply_access then everything works. As soon as I add "IP-TO-USER" to http_access, Squid will not send a reply back to the client (verified with tcpdump on the server side and Wireshark on the client side), nothing shows up in access.log, nothing shows up in cache.log (without debugging turned on, but I get plenty of ACL lookups with the debug_options line I have above). The client eventually times out. I have also tried with and without the external acl in "http_reply_access" based on other threads I have read on this mailing list.

Here are the lines from cache.log regarding the external ACL when a request is made using the above debug_options:

2009/02/10 16:05:30| aclCheck: checking 'http_access allow WIRELESS-GUEST-NET IP-TO-USER'
2009/02/10 16:05:30| aclMatchAclList: checking WIRELESS-GUEST-NET
2009/02/10 16:05:30| aclMatchAcl: checking 'acl WIRELESS-GUEST-NET src 10.15.5.0/255.255.255.0'
2009/02/10 16:05:30| aclMatchIp: '10.15.5.199' found
2009/02/10 16:05:30| aclMatchAclList: checking IP-TO-USER
2009/02/10 16:05:30| aclMatchAcl: checking 'acl IP-TO-USER external IP-LOOKUP'
2009/02/10 16:05:30| aclMatchExternal: acl="IP-LOOKUP"
2009/02/10 16:05:30| aclMatchExternal: IP-LOOKUP("10.15.5.199") = lookup needed

Translation: "We don't have a cached answer for the query 10.15.5.199, so we'll have to ask the external helper."

2009/02/10 16:05:30| aclMatchAclList: no match, returning 0

Translation: "No match (in the cache), returning 0".

2009/02/10 16:05:30| externalAclLookup: lookup in 'IP-LOOKUP' for '10.15.5.199'

Translation: "Asking the external helper for an answer to the question 10.15.5.199".

And there the log stops. Squid is left waiting for an answer that is stuck in the Perl line buffer.


Why is it returning "no match" when the external ACL helper always returns "OK"?

Because the helper is not returning "OK".  :o)

Chris
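
An added example, not part of the original thread: the IP-to-username helper the question describes, written in Python, with the reply flushed after every request so Squid is never left waiting on a buffered answer. The lookup table and function names are constructed for illustration; the "OK user=..." and "ERR" reply lines follow Squid's external ACL helper protocol.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: map the client IP (%SRC) to a username."""
import ipaddress
import sys

# Constructed sample table; a real helper would query a lease or login database.
IP_TO_USER = {
    "10.15.5.199": "guest42",
    "10.15.5.20": "alice",
}


def answer(line, table=IP_TO_USER):
    """Return the one-line reply for one request line from Squid."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"  # fail closed on anything other than a single %SRC value
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"  # not an IP address: deny rather than guess
    user = table.get(ip)
    return f"OK user={user}" if user else "ERR"


def serve(inp, out):
    """Answer one request per line until Squid closes the pipe (EOF)."""
    for line in iter(inp.readline, ""):
        out.write(answer(line) + "\n")
        out.flush()  # same job as $|=1 in the Perl helper


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

When stdout is a pipe, as it is under Squid, output is block-buffered by default, so without the flush() call the reply stays in the helper's buffer and the request hangs exactly as in the log above.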
