
Re: request_header_access and external acl


 



Tucker Cunningham wrote:
Thanks for the reply, Amos. I'm on version 3.0.STABLE13. If I use the external acl with http_access, I've dumped the input to the helper program and seen that the cert info is being correctly passed in. The problem only seems to occur when using the external acl in conjunction with request_header_access. Does that sound like a manifestation of the same bug? The patch looks like it mostly addresses config file parsing, which seems to be working for me. Again, thanks for your help. I'm relatively new to working with squid, so just figuring out a lot of this stuff. One thing that may or may not be important is that I'm running an 'accel' server, not a conventional proxy. Not sure if it's important, but I guess some things work differently in this configuration.

I've found http_header_access is a "Fast" ACL type (result-or-fail). external acl is a "Slow" type (result-or-lookup).

You will have to use the external ACL in one of the earlier access controls that it works for and cache the result for use.

Amos


-tucker

Amos Jeffries wrote:

> hello all -
>   I've run into some trouble using the request_header_access directive
> with an external acl.  A snippet of my config file is below:
>
> -----
> external_acl_type check_clientcert children=1 concurrency=0 ttl=3
> negative_ttl=3 %USER_CERT_CN /etc/squid3/helper.pl
> acl matches-clienttest-cert-name external check_clientcert
> clienttest-cert-name
>
> #http_access allow matches-clienttest-cert-name
> #http_access deny all
> request_header_access User-Agent deny matches-clienttest-cert-name
> ------
>
> If I uncomment the http_access lines, I am only granted access if I
> present the correct client certificate, so the external acl seems to be
> configured correctly.  I also see lines like
>
> -----
> 2009/03/11 14:12:54.243| helperDispatch: Request sent to
> check_clientcert #1, 14 bytes
> 2009/03/11 14:12:54.243| helperSubmit: - clienttest-cert-name
> -----
>
> in the output of squid -X.  However, when I run squid with the config
> file above, the User-Agent header is not removed, and I see no
> "helperDispatch" or "helperSubmit" in the log output.  Can anyone shed
> some light on why external acls may not be invoked this way?
>
>
> Taking a step back, my larger goal is to run an https accelerator which
> accepts client-certificate authenticated requests and passes information
> about the client cert to the origin server. My idea right now is to put
> the client certificate CN into the User-Agent header, but if anyone has
> a better idea, my current solution seems pretty hacked together. Thanks
> for your help.
>
> -tucker cunningham
>

What version of Squid?

3.x has a small glitch in the parsing of CERT info.

http://www.squid-cache.org/Versions/v3/3.1/changesets/b9429.patch



Amos




--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6
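
An added example, not part of the thread and not the poster's helper.pl: a minimal external ACL helper for the `check_clientcert` definition quoted above (`concurrency=0`, format `%USER_CERT_CN`), written in Python. It assumes each field arrives URL-escaped and space-separated, that a bare `-` in the first field (as in the quoted `helperSubmit` line) means Squid had no CN to pass, and that the reply is a single `OK` or `ERR` line; the function and constant names are hypothetical.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import unquote

# Constructed request lines, in the shape "<%USER_CERT_CN> <acl arguments...>".
CONSTRUCTED_LINES = [
    "clienttest-cert-name clienttest-cert-name",  # CN equals the acl argument
    "- clienttest-cert-name",                     # no CN was available
    "other-cert-name clienttest-cert-name",       # CN does not match
    "client%20test client%20test",                # URL-escaped space in the CN
]


def check_line(line):
    """Return the reply ("OK" or "ERR") for one request line from Squid."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"  # empty or malformed request: fail closed
    raw_cn, raw_args = fields[0], fields[1:]
    if raw_cn == "-":
        return "ERR"  # assumption: "-" is the placeholder for an empty value
    cn = unquote(raw_cn)
    allowed = {unquote(arg) for arg in raw_args}
    return "OK" if cn in allowed else "ERR"


def main():
    # With concurrency=0 there is no channel ID: one request line in,
    # one reply line out, flushed so Squid is never left waiting.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```
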
