Tucker Cunningham wrote:
Thanks for the reply, Amos. I'm on version 3.0.STABLE13. If I use the
external acl with http_access, I've dumped the input to the helper
program and seen that the cert info is being correctly passed in. The
problem only seems to occur when using the external acl in conjunction
with request_header_access. Does that sound like a manifestation of
the same bug? The patch looks like it mostly addresses config file
parsing, which seems to be working for me.
Again, thanks for your help. I'm relatively new to working with squid,
so just figuring out a lot of this stuff. One thing that may or may not
be important is that I'm running an 'accel' server, not a conventional
proxy. Not sure if it's important, but I guess some things work
differently in this configuration.
I've found http_header_access is a "Fast" ACL type (result-or-fail).
external acl is a "Slow" type (result-or-lookup).
You will have to use the external ACL in one of the earlier access
controls that it works for and cache the result for use.
Amos
-tucker
Amos Jeffries wrote:
> hello all -
> I've run into some trouble using the request_header_access directive
> with an external acl. A snippet of my config file is below:
>
> -----
> external_acl_type check_clientcert children=1 concurrency=0 ttl=3
> negative_ttl=3 %USER_CERT_CN /etc/squid3/helper.pl
> acl matches-clienttest-cert-name external check_clientcert
> clienttest-cert-name
>
> #http_access allow matches-clienttest-cert-name
> #http_access deny all
> request_header_access User-Agent deny matches-clienttest-cert-name
> ------
>
> If I uncomment the http_access lines, I am only granted access if I
> present the correct client certificate, so the external acl seems to be
> configured correctly. I also see lines like
>
> -----
> 2009/03/11 14:12:54.243| helperDispatch: Request sent to
> check_clientcert #1, 14 bytes
> 2009/03/11 14:12:54.243| helperSubmit: - clienttest-cert-name
> -----
>
> in the output of squid -X. However, when I run squid with the config
> file above, the User-Agent header is not removed, and I see no
> "helperDispatch" or "helperSubmit" in the log output. Can anyone shed
> some light on why external acls may not be invoked this way?
>
>
> Taking a step back, my larger goal is to run an https accelerator which
> accepts client-certificate authenticated requests and passes information
> about the client cert to the origin server. My idea right now is to put
> the client certificate CN into the User-Agent header, but if anyone has
> a better idea, my current solution seems pretty hacked together. Thanks
> for your help.
>
> -tucker cunningham
>
What version of Squid?
3.x has a small glitch parsing of CERT info.
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9429.patch
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.6
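An added example of the helper side of the setup discussed in this thread (it is not Tucker's helper.pl and not Squid project code): a minimal external ACL helper in Python that speaks the concurrency=0 line protocol configured by the external_acl_type line above. It assumes each request line carries the %USER_CERT_CN field followed by the ACL argument(s), that Squid sends `-` when no client certificate CN is available (as in the helperSubmit log line), and that field values are URL-escaped on the wire.

```python
#!/usr/bin/env python3
"""Minimal external ACL helper for the check_clientcert example.

Added example, not the poster's helper.pl. Assumes the external_acl_type
line from the thread: concurrency=0 and a single %USER_CERT_CN format
field, so every request line is "<cert-cn> <expected-cn>..." and Squid
expects exactly one "OK" or "ERR" line back per request.
"""
import sys
from urllib.parse import unquote

NO_VALUE = "-"  # assumption: placeholder Squid sends when the CN is missing


def decide(line: str) -> str:
    """Map one request line from Squid to an "OK" or "ERR" reply.

    Fails closed: malformed input or a missing certificate CN is "ERR".
    """
    fields = line.strip().split(" ")
    if len(fields) < 2 or not fields[0]:
        return "ERR"  # no CN field or no ACL argument: never match
    presented, expected = fields[0], fields[1:]
    if presented == NO_VALUE:
        return "ERR"  # client did not present a certificate CN
    # Values are URL-escaped on the wire (assumption), so decode before
    # comparing; any of the ACL's listed names is an acceptable match.
    cn = unquote(presented)
    if any(cn == unquote(name) for name in expected):
        return "OK"
    return "ERR"


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid blocks until it reads the reply


if __name__ == "__main__":
    main()
```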