I have the following acl in my squid.conf

external_acl_type acexternal children=50 ttl=60 negative_ttl=1 %>{X-MYAUTH} /usr/local/bin/acexternal localhost
acl iceauth external acexternal
http_access allow iceauth
http_access deny all

Question on TTL expiration on the external_acl_type. When an external acl cached_result is expired due to TTL timeout, it seems like squid will do an async call to the external acl program, acexternal in this case above, to validate the acl request. If the async call to acexternal does not return a result before the "http_access deny all" is executed, will squid consider it a 403 situation?

Thanks
Ming

On Dec 28, 2011, at 6:47 PM, Amos Jeffries wrote:

> On 28/12/2011 3:19 p.m., Ming Pun wrote:
>> Thanks for the prompt response. It is very useful. I was playing with external_acl_type to understand how it works.
>>
>> A couple of questions:
>> - When a request did not pass the external acl, I got an HTTP 403. How can I make it return 401 instead?
>
> That is automatic when the %LOGIN tag is set for the helper input format. %LOGIN pulls credentials out of HTTP authentication headers.
>
> Alternatively the latest squid can attach a deny_info display or redirect with custom status code when the ACL test is last on an access line (ie "http_access deny").
>
>> - How do I write an external acl program to support concurrency? I followed some examples on the internet. The program basically parses stdin for input parameters, and writes out the result to stdout?
>
> Yes. The helper protocol is documented here http://wiki.squid-cache.org/Features/AddonHelpers#Access_Control_.28ACL.29
>
> Amos
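A sketch of a helper for the concurrency question in the thread above, added here as an example and not code from either poster or from the Squid project. It assumes the external_acl_type line also sets concurrency=N (so every request line starts with a channel ID that the reply must echo), that the only format field is the %>{X-MYAUTH} value, and that the token list is a constructed placeholder.

```python
#!/usr/bin/env python3
# Added example: Squid external ACL helper using the concurrent helper protocol.
# Assumption: external_acl_type sets concurrency=N, so each request line is
# "<channel-id> <X-MYAUTH value>" and each reply is "<channel-id> OK|ERR".
import hmac
import sys
from urllib.parse import unquote

# Constructed sample tokens; a real helper would query its own auth backend.
VALID_TOKENS = [b"example-token-1", b"example-token-2"]


def is_authorized(token: str) -> bool:
    """Compare against every known token in constant time per comparison."""
    candidate = token.encode("utf-8", "replace")
    ok = False
    for known in VALID_TOKENS:
        ok |= hmac.compare_digest(candidate, known)
    return ok


def handle_line(line: str) -> str:
    """Turn one request line into one reply line (no trailing newline)."""
    parts = line.strip().split(" ", 1)
    channel = parts[0]
    if not channel.isdigit():
        # Not a concurrent-protocol line: fail closed without a channel ID.
        return "ERR"
    # Squid sends "-" for an absent header; values arrive URL-escaped.
    raw = parts[1].strip() if len(parts) > 1 else "-"
    token = unquote(raw)
    if raw == "-" or not token:
        return f"{channel} ERR"
    return f"{channel} OK" if is_authorized(token) else f"{channel} ERR"


def main() -> None:
    # Read until Squid closes stdin. Flush after every reply: a buffered
    # answer leaves Squid waiting on the lookup for that channel.
    for line in sys.stdin:
        if not line.strip():
            continue
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because replies carry the channel ID, a helper that does slow lookups can hand lines to worker threads and answer out of order; this version answers in order for brevity.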