On 22/12/10 12:44, Nils Hügelmann wrote:
Hi all,
i have the following setup: [irrelevant parts left out]
auth_param basic [...]
external_acl_type premium children-startup=1 %LOGIN [...]
acl premiumacl external premium
acl authenticated proxy_auth REQUIRED
#http_access allow premiumacl
http_access allow authenticated
http_access deny all
delay_pools 2
delay_class 1 4
delay_class 2 4
delay_parameters 1 -1/-1 -1/-1 -1/-1 2000/100000
delay_access 1 deny premiumacl
delay_access 1 allow authenticated
delay_access 1 deny all
delay_parameters 2 -1/-1 -1/-1 -1/-1 200000/10000000
delay_access 2 allow premiumacl
delay_access 2 deny all
all users have to authenticate using the basic auth, and all users login
names must be checked by the external_acl to determine the correct delay
pool they belong to.
Problem: it doesn't work in the above setup, although expected: all
basic-authenticated users get the delay_pool 1, my external_acl helper
is not queried.
Only if i enable "http_access allow premiumacl" to make an unneccessary
check for http_access,
squid polls the external_acl and everything works fine..
I'm not sure if this is a bug or something i don't understand yet,
please help me:-)
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs
external ACL is a "slow" group ACL and delay_access is a "FAST" group
access control directive.
You do need to add "http_access allow premiumacl" like you found. In
order to prevent it causing authentication challenges or affecting the
actual allow/deny you tack "!all" on the end:
http_access allow premiumacl !all
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.3
