Hello, One more question to be sure to understand some details: > Le 20/06/2017 à 14:46, Amos Jeffries a écrit : >> On 20/06/17 22:55, FUSTE Emmanuel wrote: >>> Hello, >>> >>> I need to select a cache peer based on the user group. >>> As cache_peer_access need a fast acl to have predicable result, I tried to >>> - annotate transactions with "note" >>> - match the annotation with a fast acl >>> - use the acl in the cache_peer_access directive >>> >>> But I still got warning about slow acl in use where fast are required. >>> I am missing something ? >> The 'note' directive (different from the note ACL type) itself is a >> "fast" access control whose purpose is to add things into the log file. >> It only does its thing at the termination of a transaction right before >> logging. >> >> >> What you are wanting is to alter the external_acl_type helper (or write >> a script wrapper for it that changes the output). Such that when Squid >> sends it a lookup it generates an response to Squid saying something >> like this: >> >> OK profil="$group_name" >> >> (where $group_name, is the group which matched) >> >> >> When that is working you can also vastly simplify your squid.conf by >> replacing all these: >> >> acl StandardUser external ldap_group ACCESINTERNET >> acl VIPUser external ldap_group ACCESCHARGEDECOM >> acl NoNetUser external ldap_group INITIAL >> >> ... with a single helper ACL test: >> acl group external ldap_group ACCESINTERNET ACCESCHARGEDECOM INITIAL >> >> ... which gets run only for authenticated users: >> http_access deny !AuthorizedUsers >> http_access allow group >> >> ... and use the note ACLs to do all your other access controls: >> acl StandardUser note profil ACCESINTERNET >> acl VIPUser note profil ACCESCHARGEDECOM >> acl NoNetUser note profil INITIAL So arbitrary k- v pair not used by the acl helper protocol could be matched against with the note acl ? How it relate to the defined/reserved tag= and clt_conn_tag= keywords of the acl helper protocol ? The helper is modified to return profil="$group_name" when the group match. It work. Will test it on a squid instance with note acl tomorrow. Emmanuel. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
