On 25/01/2017 10:29 p.m., hoper@xxxxxxx wrote:
>
> Hi everybody,
>
> I really try to find a answer with google, and within
> the archives of this mailing list but couldn't find anything
> so... here I am...
>
> I need to select a squid parent based on the login of the
> user (and others things). With squid 2.7, I had a configuration
> like this one :
>
> -------------------------------------------------------------
> cache_peer 169.254.1.1 parent 3128 0 default name=parent1
> cache_peer 169.254.1.2 parent 3128 0 default name=parent2
> [...] (many parents)
>
> external_acl_type choose_parent ttl=60,children-max=1 %EXT_USER %SRC %LOGIN %ACL /home/user/myhelper.sh
> acl p0 external choose_parent
>
> external_acl_type myparent1 ttl=60,children-max=1 %ACL %EXT_USER /home/user/another_helper
> acl p1 external myparent1
> external_acl_type myparent2 ttl=60,children-max=1 %ACL %EXT_USER /home/user/another_helper
> acl p2 external myparent2
> [...]
>
> cache_peer_access parent1 allow p1
> cache_peer_access parent2 allow p2
> [...]
>
> cache_peer_access path1 deny all
> cache_peer_access path2 deny all
> [...]
>
> ---------------------------------------------------------------
>
> The idea is to deny all squid parents except the one I want this user
> (with this specific IP and so on) to use.
>
> But with squid3, I just have lot's of error in cache.log:
>
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(868) aclMatchExternal: myparent1("p1 p1") = lookup needed
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(871) aclMatchExternal: "p1 p1": queueing a call.
> 2017/01/25 10:22:16.053 kid1| Checklist.cc(115) goAsync: 0x7fff415cf470 a fast-only directive uses a slow ACL!
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(873) aclMatchExternal: "p1 p1": no async support!
> 2017/01/25 10:22:16.053 kid1| external_acl.cc(874) aclMatchExternal: "p1 p1": return -1.
>
> The documentation made it perfectly clear that "cache_peer_acccess" is a "fast ACL" that can only use fast ones...
> But I really need to use external "slow" acl. Please, is there a way to do it ?
> Again, this was working in 2.7 :(
Well, no. 2.7 was just being silent about the situation and guessing
whether you wanted OK/ERR result. Whereas Squid-3 tells you when the
fast-only cannot handle the ACL check results.
What you need to do is perform the external ACL check during one of the
*_access checks that permites slow lookups. eg. http_access.
Then use the 'note' ACL type in your fast-only access controls to check
some annotation that the helper returns to Squid.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
