> hello all -
> I've run into some trouble using the request_header_access directive
> with an external acl. A snippet of my config file is below:
>
> -----
> external_acl_type check_clientcert children=1 concurrency=0 ttl=3 negative_ttl=3 %USER_CERT_CN /etc/squid3/helper.pl
> acl matches-clienttest-cert-name external check_clientcert clienttest-cert-name
>
> #http_access allow matches-clienttest-cert-name
> #http_access deny all
> request_header_access User-Agent deny matches-clienttest-cert-name
> ------
>
> If I uncomment the http_access lines, I am only granted access if I
> present the correct client certificate, so the external acl seems to be
> configured correctly. I also see lines like
>
> -----
> 2009/03/11 14:12:54.243| helperDispatch: Request sent to check_clientcert #1, 14 bytes
> 2009/03/11 14:12:54.243| helperSubmit: - clienttest-cert-name
> -----
>
> in the output of squid -X. However, when I run squid with the config
> file above, the User-Agent header is not removed, and I see no
> "helperDispatch" or "helperSubmit" in the log output. Can anyone shed
> some light on why external acls may not be invoked this way?
>
>
> Taking a step back, my larger goal is to run an https accelerator which
> accepts client-certificate authenticated requests and passes information
> about the client cert to the origin server. My idea right now is to put
> the client certificate CN into the User-Agent header, but if anyone has
> a better idea, my current solution seems pretty hacked together. Thanks
> for your help.
>
> -tucker cunningham
>

What version of Squid? 3.x has a small glitch parsing of CERT info.

http://www.squid-cache.org/Versions/v3/3.1/changesets/b9429.patch

Amos
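
Added example, not part of the original thread and not the poster's helper.pl (whose contents are not shown): a sketch of a helper for the `check_clientcert` definition quoted above, showing how a request line such as the logged `- clienttest-cert-name` is evaluated. It assumes concurrency=0 and the default line-based helper protocol (space-separated, URL-escaped fields, answered with `OK` or `ERR`); the function name `decide` is hypothetical.

```python
#!/usr/bin/env python3
"""Sketch of a Squid external ACL helper for the check_clientcert config.

Assumptions (not from the thread): concurrency=0, one request per line,
fields space-separated and URL-escaped, one OK/ERR line per request.
"""
import sys
from urllib.parse import unquote


def decide(line):
    """Return 'OK' if the certificate CN equals the name on the acl line."""
    raw = line.split()
    # Expected shape: <%USER_CERT_CN value> <acl argument>
    if len(raw) != 2:
        return "ERR"
    # "-" is what arrives when the format token has no value, as in the
    # helperSubmit log line quoted in the thread. Check it before decoding
    # and never treat it as a certificate name.
    if raw[0] == "-":
        return "ERR"
    cert_cn, expected_cn = (unquote(field) for field in raw)
    if not cert_cn:
        return "ERR"
    return "OK" if cert_cn == expected_cn else "ERR"


def main():
    # Answer every request line and flush at once: Squid waits on the reply.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Feeding it the logged line `- clienttest-cert-name` by hand yields `ERR`, which is a quick way to check whether the CN is reaching the helper at all.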