I'm trying to build ACLs based on the tags returned by an external ACL,
but I can't get it to work.
These are the relevant bits of my config:

external_acl_type preauth children-max=1 concurrency=100 ttl=0 negative_ttl=0 %SRC %>{User-Agent} %URI %METHOD /usr/sbin/squid-preauth
acl preauth external preauth
acl need_http_auth tag http_auth
http_access allow !tproxy !tproxy_ssl !https preauth
http_access allow !preauth_done preauth_tproxy
http_access allow proxy_auth postauth

I can see the external ACL is being called and setting various tags:

2014/07/28 17:29:40.634 kid1| external_acl.cc(1503) Start: externalAclLookup: looking up for '2a00:1a90:5::14 Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET' in 'preauth'.
2014/07/28 17:29:40.634 kid1| external_acl.cc(1513) Start: externalAclLookup: will wait for the result of '2a00:1a90:5::14 Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET' in 'preauth' (ch=0x7f1409a399f8).
2014/07/28 17:29:40.634 kid1| external_acl.cc(871) aclMatchExternal: "2a00:1a90:5::14 Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET": return -1.
2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: preauth = -1 async
2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: http_access#7 = -1 async
2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: http_access = -1 async
2014/07/28 17:29:40.635 kid1| external_acl.cc(1371) externalAclHandleReply: reply={result=ERR, notes={message: 53d67a74$2a00:1a90:5::14$baa34e80d2d5fb2549621f36616dce9000767e93b6f86b5dc8732a8c46e676ff; tag: http_auth; tag: cp_auth; tag: preauth_ok; tag: preauth_done; }}

But then when I test one of the tags, it seems that it isn't set:

2014/07/28 17:29:40.636 kid1| Acl.cc(157) matches: checking !preauth_done
2014/07/28 17:29:40.636 kid1| Acl.cc(157) matches: checking preauth_done
2014/07/28 17:29:40.636 kid1| StringData.cc(81) match: aclMatchStringList: checking 'http_auth'
2014/07/28 17:29:40.636 kid1| StringData.cc(85) match: aclMatchStringList: 'http_auth' NOT found
2014/07/28 17:29:40.636 kid1| Acl.cc(177) matches: checked: preauth_done = 0
2014/07/28 17:29:40.636 kid1| Acl.cc(177) matches: checked: !preauth_done = 1

It looks to me like it's probably only looking at the first tag that the
ACL returned - is this a known bug? I couldn't spot anything in Bugzilla.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messager: xmpp:steve@xxxxxxxxxxxx
Email: steve@xxxxxxxxxxxx
Phone: sip:steve@xxxxxxxxxxxx
Sales / enquiries contacts:
Email: sales@xxxxxxxxxxxx
Phone: +44-844-9791439 / sip:sales@xxxxxxxxxxxx
Support contacts:
Email: support@xxxxxxxxxxxx
Phone: +44-844-4844916 / sip:support@xxxxxxxxxxxx
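
Added example, not part of the original post and not Squid project code: a small cache.log checker that lists the tags an external ACL helper returned and the values that the following aclMatchStringList lines show being tested, so the gap described above is visible at a glance. The function name `analyse` is hypothetical, the sample lines are the post's own debug output with the message note replaced by a placeholder, and it assumes the excerpt contains only tag ACL string checks.

```python
import re

# Debug lines from the post (mail wrapping undone); the value of the
# "message" note is replaced by a constructed placeholder.
SAMPLE_LOG = """\
2014/07/28 17:29:40.635 kid1| external_acl.cc(1371) externalAclHandleReply: reply={result=ERR, notes={message: PLACEHOLDER; tag: http_auth; tag: cp_auth; tag: preauth_ok; tag: preauth_done; }}
2014/07/28 17:29:40.636 kid1| Acl.cc(157) matches: checking !preauth_done
2014/07/28 17:29:40.636 kid1| Acl.cc(157) matches: checking preauth_done
2014/07/28 17:29:40.636 kid1| StringData.cc(81) match: aclMatchStringList: checking 'http_auth'
2014/07/28 17:29:40.636 kid1| StringData.cc(85) match: aclMatchStringList: 'http_auth' NOT found
2014/07/28 17:29:40.636 kid1| Acl.cc(177) matches: checked: preauth_done = 0
2014/07/28 17:29:40.636 kid1| Acl.cc(177) matches: checked: !preauth_done = 1
"""

# Helper reply as logged by externalAclHandleReply: result plus a notes list.
REPLY_RE = re.compile(r"externalAclHandleReply: reply=\{result=(\w+), notes=\{(.*)\}\}")
# One "key: value;" pair inside the notes list.
NOTE_RE = re.compile(r"(\w+): ([^;]*);")
# Value that the string-list match reports it is checking.
CHECK_RE = re.compile(r"aclMatchStringList: checking '([^']*)'")


def analyse(log):
    """Return (tags_returned, values_tested, tags_never_tested).

    Tracks the most recent helper reply and every value tested after it.
    Assumption: all aclMatchStringList lines in the input belong to tag ACLs.
    """
    returned, tested = [], []
    for line in log.splitlines():
        reply = REPLY_RE.search(line)
        if reply:
            notes = NOTE_RE.findall(reply.group(2))
            returned = [value.strip() for key, value in notes if key == "tag"]
            tested = []  # start a fresh window for this reply
            continue
        check = CHECK_RE.search(line)
        if check and check.group(1) not in tested:
            tested.append(check.group(1))
    never_tested = [tag for tag in returned if tag not in tested]
    return returned, tested, never_tested


if __name__ == "__main__":
    returned, tested, never_tested = analyse(SAMPLE_LOG)
    print("tags returned by helper:", returned)
    print("values tested by ACLs  :", tested)
    print("returned, never tested :", never_tested)
```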