I have these acl settings in my squid.conf:

external_acl_type acexternal children=50 ttl=60 negative_ttl=1 %>{X-MYAUTH} /usr/local/bin/acexternal localhost
acl iceauth external acexternal
http_access allow iceauth
http_access deny all

I turned on debug mode and see the following message. I noticed that there is a message (in red) saying that the externalAclLookup: no need to work... This custom external acl program should return "OK", but because of the "no wait" situation, it gets to the "http_access deny all" acl and the request got denied.

2011/12/28 21:54:38.052| ACL::checklistMatches: checking 'iceauth'
2011/12/28 21:54:38.052| aclMatchExternal: acexternal("Basic%20bXlLZXk6bXlWYWx1ZQ==") = lookup needed
2011/12/28 21:54:38.052| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==": entry=@0x23adf58, age=20
2011/12/28 21:54:38.052| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==": queueing a call.
2011/12/28 21:54:38.052| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==": return -1.
2011/12/28 21:54:38.052| ACL::ChecklistMatches: result for 'iceauth' is -1
2011/12/28 21:54:38.052| ACLList::matches: result is false
2011/12/28 21:54:38.052| aclmatchAclList: 0x23a5698 returning false (AND list entry failed to match)
2011/12/28 21:54:38.052| ACLChecklist::asyncInProgress: 0x23a5698 async set to 1
2011/12/28 21:54:38.052| externalAclLookup: lookup in 'acexternal' for 'Basic%20bXlLZXk6bXlWYWx1ZQ=='
2011/12/28 21:54:38.052| externalAclLookup: looking up for 'Basic%20bXlLZXk6bXlWYWx1ZQ==' in 'acexternal'.
2011/12/28 21:54:38.052| The AsyncCall SomeCommWriteHander constructed, this=0x49f8e40 [call33951]
2011/12/28 21:54:38.052| comm_write: FD 13: sz 29: asynCall 0x49f8e40*1
2011/12/28 21:54:38.052| helperDispatch: Request sent to acexternal #1, 29 bytes
2011/12/28 21:54:38.052| externalAclLookup: no need to wait for the result of 'Basic%20bXlLZXk6bXlWYWx1ZQ==' in 'acexternal' (ch=0x23a5698).
2011/12/28 21:54:38.052| externalAclLookup: using cached entry 0x23adf58
2011/12/28 21:54:38.052| externalAclLookup: entry = { date=1325109258, result=1, user= tag= log=myKey }
2011/12/28 21:54:38.052| ACLChecklist::asyncInProgress: 0x23a5698 async set to 0
2011/12/28 21:54:38.052| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2011/12/28 21:54:38.052| ACLChecklist::preCheck: 0x23a5698 checking 'http_access deny all'
2011/12/28 21:54:38.052| ACLList::matches: checking all
2011/12/28 21:54:38.052| ACL::checklistMatches: checking 'all'
2011/12/28 21:54:38.052| aclIpMatchIp: '99.139.51.143:50924' found
2011/12/28 21:54:38.052| ACL::ChecklistMatches: result for 'all' is 1
2011/12/28 21:54:38.052| ACLList::matches: result is true
2011/12/28 21:54:38.052| aclmatchAclList: 0x23a5698 returning true (AND list satisfied)
2011/12/28 21:54:38.052| ACLChecklist::markFinished: 0x23a5698 checklist processing finished
2011/12/28 21:54:38.052| ACLChecklist::check: 0x23a5698 match found, calling back with 0
2011/12/28 21:54:38.052| ACLFilledChecklist::checkCallback: 0x23a5698 answer=0
2011/12/28 21:54:38.052| ACLChecklist::checkCallback: 0x23a5698 answer=0
2011/12/28 21:54:38.052| The request GET http://ads.cnn.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=300x250_rgt&cnn_rollup=homepage&page.allowcompete=no&params.styles=fs&Params.User.UserID=4ec9e30a00bda60a3d146c5688a5565b&transactionID=3837608671874259&tile=1217729015231&domId=263095 is DENIED, because it matched 'all'

===========

Then I played around with the acl and have the following setup using "deny !" instead of "allow" on iceauth. But then I need to use "allow all" instead of "deny all"...
external_acl_type acexternal children=50 ttl=60 negative_ttl=1 %>{X-MYAUTH} /usr/local/bin/acexternal localhost
acl iceauth external acexternal
http_access deny !iceauth
http_access allow all

I noticed that in the debug message, the same "no wait" message above turned into a "will wait" situation (see below message in red). Since it waits, it got "OK" returned from the custom acl program. It seems to work for what I need, but I need to use "allow all", which I don't really like.

2011/12/29 22:41:01.847| aclMatchExternal: acexternal("Basic%20bXlLZXk6bXlWYWx1ZQ==") = lookup needed
2011/12/29 22:41:01.847| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==": entry=@0xd56828, age=26
2011/12/29 22:41:01.847| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==": queueing a call.
2011/12/29 22:41:01.847| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==": return -1.
2011/12/29 22:41:01.847| ACL::ChecklistMatches: result for 'iceauth' is -1
2011/12/29 22:41:01.847| ACLList::matches: result is false
2011/12/29 22:41:01.847| aclmatchAclList: 0xe09f38 returning false (AND list entry failed to match)
2011/12/29 22:41:01.847| ACLChecklist::asyncInProgress: 0xe09f38 async set to 1
2011/12/29 22:41:01.847| externalAclLookup: lookup in 'acexternal' for 'Basic%20bXlLZXk6bXlWYWx1ZQ=='
2011/12/29 22:41:01.847| externalAclLookup: looking up for 'Basic%20bXlLZXk6bXlWYWx1ZQ==' in 'acexternal'.
2011/12/29 22:41:01.847| The AsyncCall SomeCommWriteHander constructed, this=0xe6dd80 [call25811]
2011/12/29 22:41:01.847| comm_write: FD 13: sz 29: asynCall 0xe6dd80*1
2011/12/29 22:41:01.847| helperDispatch: Request sent to acexternal #1, 29 bytes
2011/12/29 22:41:01.847| externalAclLookup: will wait for the result of 'Basic%20bXlLZXk6bXlWYWx1ZQ==' in 'acexternal' (ch=0xe09f38).
2011/12/29 22:41:01.847| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=1 lastACLResult() = 0 finished() = 0
2011/12/29 22:41:01.847| client_side.cc(2297) connNoteUseOfBuffer: conn->in.notYetUsed = 0
2011/12/29 22:41:01.847| clientReadSomeData: FD 12: reading request...
2011/12/29 22:41:01.847| The AsyncCall ConnStateData::clientReadRequest constructed, this=0xeadcf0 [call25812]
2011/12/29 22:41:01.847| comm_read, queueing read for FD 12; asynCall 0xeadcf0*1
2011/12/29 22:41:01.847| ConnStateData status out: [ job2322]
2011/12/29 22:41:01.847| leaving ConnStateData::clientReadRequest(FD 12, data=0xd89938, size=1377, buf=0xd88dd4)
2011/12/29 22:41:01.847| commHandleWrite: FD 13: off 0, sz 29.
2011/12/29 22:41:01.848| commHandleWrite: write() returns 29
2011/12/29 22:41:01.848| commio_finish_callback: called for FD 13 (0, 0)
2011/12/29 22:41:01.848| comm.cc(165) will call SomeCommWriteHander(FD 13, data=0xb1fd48, size=29, buf=0xf42980) [call25811]
2011/12/29 22:41:01.848| entering SomeCommWriteHander(FD 13, data=0xb1fd48, size=29, buf=0xf42980)
2011/12/29 22:41:01.848| AsyncCall.cc(32) make: make call SomeCommWriteHander [call25811]
2011/12/29 22:41:01.848| leaving SomeCommWriteHander(FD 13, data=0xb1fd48, size=29, buf=0xf42980)
2011/12/29 22:41:01.848| comm_read_try: FD 13, size 8191, retval 13, errno 0
2011/12/29 22:41:01.848| commio_finish_callback: called for FD 13 (0, 0)
2011/12/29 22:41:01.848| comm.cc(165) will call SomeCommReadHandler(FD 13, data=0xb1fd48, size=13, buf=0xb1fe10) [call25764]
2011/12/29 22:41:01.848| entering SomeCommReadHandler(FD 13, data=0xb1fd48, size=13, buf=0xb1fe10)
2011/12/29 22:41:01.848| AsyncCall.cc(32) make: make call SomeCommReadHandler [call25764]
2011/12/29 22:41:01.848| helperHandleRead: 13 bytes from acexternal #1
2011/12/29 22:41:01.848| helperHandleRead: end of reply found
2011/12/29 22:41:01.848| externalAclHandleReply: reply="OK log=myKey"
2011/12/29 22:41:01.848| external_acl_cache_add: Adding 'Basic%20bXlLZXk6bXlWYWx1ZQ==' = 1
2011/12/29 22:41:01.848| ExternalACLEntry::update: updating existing entry
2011/12/29 22:41:01.848| ACLChecklist::asyncInProgress: 0xe09f38 async set to 0
2011/12/29 22:41:01.848| ACLChecklist::preCheck: 0xe09f38 checking 'http_access deny !iceauth'
2011/12/29 22:41:01.848| ACLList::matches: checking !iceauth
2011/12/29 22:41:01.848| ACL::checklistMatches: checking 'iceauth'
2011/12/29 22:41:01.848| Ming:aclMatchExternal: not ours entryKey="0xcf7d10"
2011/12/29 22:41:01.848| aclMatchExternal: acexternal = 1
2011/12/29 22:41:01.848| ACL::ChecklistMatches: result for 'iceauth' is 1
2011/12/29 22:41:01.848| ACLList::matches: result is false

- Can you please explain why there is a "no wait" in the 1st setup, but "will wait" in the 2nd setup?
- I don't want to use "allow all". Is there any better way to set the acl to serve my need?
- Any feedback will be greatly appreciated.

Ming

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-and-Splash-page-tp3473302p4245032.html
Sent from the Squid - Users mailing list archive at Nabble.com.
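
For reference, a helper speaking the line protocol visible in the logs above (one URL-encoded %>{X-MYAUTH} value per line in, "OK log=..." or "ERR" out), as an added example that is not part of the original post and is not the poster's /usr/local/bin/acexternal. The credential table, the function name check_token and the choice of Python are assumptions made for illustration.

```python
#!/usr/bin/env python3
import base64
import binascii
import hmac
import sys
from urllib.parse import unquote

# Hypothetical credential store, constructed for this example.
# Keys must not contain whitespace because they are echoed in "log=".
CREDENTIALS = {"myKey": "myValue"}


def check_token(token: str) -> str:
    """Return the helper reply for one URL-encoded X-MYAUTH header value."""
    # Squid URL-encodes the header value, so "Basic%20..." is "Basic ...".
    value = unquote(token.strip())
    scheme, _, payload = value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return "ERR"  # header missing (Squid sends "-") or wrong scheme
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "ERR"  # malformed base64 must fail closed
    key, sep, secret = decoded.partition(":")
    expected = CREDENTIALS.get(key)
    if not sep or expected is None:
        return "ERR"
    # Constant-time comparison so reply timing does not leak the secret.
    if not hmac.compare_digest(secret.encode(), expected.encode()):
        return "ERR"
    return "OK log=" + key


def main() -> None:
    # One request per line; flush every reply, otherwise Squid keeps
    # waiting on a helper whose answer sits in a stdio buffer.
    for line in sys.stdin:
        sys.stdout.write(check_token(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Fed the 29-byte request from the logs, this returns the same 13-byte reply the logs show; any other input, including a missing header, gets ERR.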