On 29/07/2014 4:42 a.m., Steve Hill wrote:
>
> I'm trying to build ACLs based on the tags returned by an external ACL,
> but I can't get it to work.
>
> These are the relevant bits of my config:
>
> external_acl_type preauth children-max=1 concurrency=100 ttl=0
> negative_ttl=0 %SRC %>{User-Agent} %URI %METHOD /usr/sbin/squid-preauth
> acl preauth external preauth
> acl need_http_auth tag http_auth
> http_access allow !tproxy !tproxy_ssl !https preauth
> http_access allow !preauth_done preauth_tproxy
> http_access allow proxy_auth postauth
>
>
>
> I can see the external ACL is being called and setting various tags:
>
> 2014/07/28 17:29:40.634 kid1| external_acl.cc(1503) Start:
> externalAclLookup: looking up for '2a00:1a90:5::14
> Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET' in
> 'preauth'.
> 2014/07/28 17:29:40.634 kid1| external_acl.cc(1513) Start:
> externalAclLookup: will wait for the result of '2a00:1a90:5::14
> Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET' in
> 'preauth' (ch=0x7f1409a399f8).
> 2014/07/28 17:29:40.634 kid1| external_acl.cc(871) aclMatchExternal:
> "2a00:1a90:5::14 Wget/1.12%20(linux-gnu)
> http://nexusuk.org/%7Esteve/empty GET": return -1.
> 2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: preauth = -1
> async
> 2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked:
> http_access#7 = -1 async
> 2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: http_access
> = -1 async
> 2014/07/28 17:29:40.635 kid1| external_acl.cc(1371)
> externalAclHandleReply: reply={result=ERR, notes={message:
> 53d67a74$2a00:1a90:5::14$baa34e80d2d5fb2549621f36616dce9000767e93b6f86b5dc8732a8c46e676ff;
> tag: http_auth; tag: cp_auth; tag: preauth_ok; tag: preauth_done; }}

Hi Steve,

This is how tag= keys were originally designed to work. Only to allow
one tag to be assigned to any HTTP transaction. The tag type ACL and
%EXT_TAG configurations still operate that way.

The "note" ACL type should match against values in the tag key name same
as any other annotation. If that does not work try a different key name
than "tag=".

Amos
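
A check built on the reply above, added here as an example and not part of the original thread: it scans debug log lines in the format Steve quoted and reports helper replies that carry more than one tag note, since only one tag is assigned to a transaction. The sample lines are constructed (the message value is a placeholder), and the function names are this example's own.

```python
import re

# Constructed sample lines in the shape of the debug output quoted above;
# the message value is a placeholder, the second line is invented for contrast.
SAMPLE_LOG = """\
2014/07/28 17:29:40.635 kid1| external_acl.cc(1371) externalAclHandleReply: reply={result=ERR, notes={message: PLACEHOLDER; tag: http_auth; tag: cp_auth; tag: preauth_ok; tag: preauth_done; }}
2014/07/28 17:29:41.102 kid1| external_acl.cc(1371) externalAclHandleReply: reply={result=OK, notes={tag: preauth_ok; }}
"""

# Matches the helper-reply debug line: result code, then the notes list.
REPLY_RE = re.compile(r"externalAclHandleReply: reply=\{result=(\w+), notes=\{(.*)\}\}")


def parse_reply(line):
    """Return (result, [(key, value), ...]) for a helper-reply line, else None."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    notes = []
    # Notes are printed as "key: value; " pairs; values containing ';'
    # are not handled by this simple split.
    for item in m.group(2).split(";"):
        key, sep, value = item.strip().partition(": ")
        if sep:
            notes.append((key, value))
    return m.group(1), notes


def multi_tag_replies(log_text):
    """List (line_no, result, tag_values) for replies with more than one tag note."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_reply(line)
        if parsed is None:
            continue
        result, notes = parsed
        tags = [value for key, value in notes if key == "tag"]
        if len(tags) > 1:
            findings.append((line_no, result, tags))
    return findings


if __name__ == "__main__":
    for line_no, result, tags in multi_tag_replies(SAMPLE_LOG):
        print(f"line {line_no}: result={result} returns {len(tags)} tag notes: {tags}")
```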