On 20/06/17 22:55, FUSTE Emmanuel wrote:
> Hello,
> I need to select a cache peer based on the user group.
> As cache_peer_access needs a fast acl to have a predictable result, I tried to
> - annotate transactions with "note"
> - match the annotation with a fast acl
> - use the acl in the cache_peer_access directive
> But I still got a warning about slow acls in use where fast ones are required.
> Am I missing something?

The 'note' directive (different from the note ACL type) itself is a
"fast" access control whose purpose is to add things into the log file.
It only does its thing at the termination of a transaction right before
logging.
What you are wanting is to alter the external_acl_type helper (or write
a script wrapper for it that changes the output). Such that when Squid
sends it a lookup it generates a response to Squid saying something
like this:

  OK profil="$group_name"

(where $group_name is the group which matched)

When that is working you can also vastly simplify your squid.conf by
replacing all these:

  acl StandardUser external ldap_group ACCESINTERNET
  acl VIPUser external ldap_group ACCESCHARGEDECOM
  acl NoNetUser external ldap_group INITIAL

... with a single helper ACL test:

  acl group external ldap_group ACCESINTERNET ACCESCHARGEDECOM INITIAL

... which gets run only for authenticated users:

  http_access deny !AuthorizedUsers
  http_access allow group

... and use the note ACLs to do all your other access controls:

  acl StandardUser note profil ACCESINTERNET
  acl VIPUser note profil ACCESCHARGEDECOM
  acl NoNetUser note profil INITIAL

PS.

> maximum_object_size_in_memory 50 MB
> logformat squid [%tl] %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt

FYI: please do not try to define that "squid" log format in squid.conf.
Squid does not follow that instruction, and may do unexpected things as
a result. The latest releases will refuse to start if squid.conf
contains these.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
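
The script wrapper described in the reply above, as an added example that is not part of the original message or of Squid's own code. It assumes the helper runs without concurrency (no channel-ID field), that each request line is the user name followed by the group names from the acl line, and that the real helper answers one "user group" query per line with OK or ERR; the first group that matches, in acl order, is the one reported.

```python
#!/usr/bin/env python3
"""Wrap a group-lookup helper so the reply names the group that matched."""
import subprocess
import sys


def parse_request(line):
    """Split 'user group1 group2 ...' into (user, [groups]); None if malformed."""
    fields = line.split()  # whitespace split: no token can smuggle a newline
    return (fields[0], fields[1:]) if len(fields) >= 2 else None


def first_matching_group(user, groups, ask):
    """Return the first group (in acl order) that ask(user, group) confirms."""
    for group in groups:
        if ask(user, group):
            return group
    return None


def format_reply(group):
    """Build the helper reply; anything that is not a clean match is ERR."""
    if group is None or '"' in group or "\\" in group:
        return "ERR"
    return 'OK profil="%s"' % group


def make_backend(argv):
    """Start the real helper (assumed: one 'user group' query per line)."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)

    def ask(user, group):
        proc.stdin.write("%s %s\n" % (user, group))
        proc.stdin.flush()
        # An empty read (backend died) is treated as "no match".
        return proc.stdout.readline().split(" ", 1)[0].strip() == "OK"
    return ask


def serve(lines, out, ask):
    """Answer one request per input line, flushing so Squid never stalls."""
    for line in lines:
        req = parse_request(line)
        matched = first_matching_group(req[0], req[1], ask) if req else None
        out.write(format_reply(matched) + "\n")
        out.flush()


if __name__ == "__main__":
    # Assumed usage: wrapper.py /path/to/real_helper [its options...]
    serve(sys.stdin, sys.stdout, make_backend(sys.argv[1:]))
```

Malformed requests, a dead backend and group names that would break the quoted value all produce ERR, so a failure in the wrapper never grants a profile.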