Search squid archive

Re: External ACL tags

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 29/07/2014 4:42 a.m., Steve Hill wrote:
> 
> I'm trying to build ACLs based on the tags returned by an external ACL,
> but I can't get it to work.
> 
> These are the relevant bits of my config:
> 
> external_acl_type preauth children-max=1 concurrency=100 ttl=0
> negative_ttl=0 %SRC %>{User-Agent} %URI %METHOD /usr/sbin/squid-preauth
> acl preauth external preauth
> acl need_http_auth tag http_auth
> http_access allow !tproxy !tproxy_ssl !https preauth
> http_access allow !preauth_done preauth_tproxy
> http_access allow proxy_auth postauth
> 
> 
> 
> I can see the external ACL is being called and setting various tags:
> 
> 2014/07/28 17:29:40.634 kid1| external_acl.cc(1503) Start:
> externalAclLookup: looking up for '2a00:1a90:5::14
> Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET' in
> 'preauth'.
> 2014/07/28 17:29:40.634 kid1| external_acl.cc(1513) Start:
> externalAclLookup: will wait for the result of '2a00:1a90:5::14
> Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET' in
> 'preauth' (ch=0x7f1409a399f8).
> 2014/07/28 17:29:40.634 kid1| external_acl.cc(871) aclMatchExternal:
> "2a00:1a90:5::14 Wget/1.12%20(linux-gnu)
> http://nexusuk.org/%7Esteve/empty GET": return -1.
> 2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: preauth = -1
> async
> 2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked:
> http_access#7 = -1 async
> 2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: http_access
> = -1 async
> 2014/07/28 17:29:40.635 kid1| external_acl.cc(1371)
> externalAclHandleReply: reply={result=ERR, notes={message:
> 53d67a74$2a00:1a90:5::14$baa34e80d2d5fb2549621f36616dce9000767e93b6f86b5dc8732a8c46e676ff;
> tag: http_auth; tag: cp_auth; tag: preauth_ok; tag: preauth_done; }}

Hi Steve,
 This is how tag= keys were originally designed to work. Only to allow
one tag to be assigned to any HTTP transaction. The tag type ACL and
%EXT_TAG configurations still operate that way.

The "note" ACL type should match against values in the tag key name same
as any other annotation. If that does not work try a different key name
than "tag=".

Amos
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux