On 06/05/2018 04:51 AM, Amos Jeffries wrote: > The adaptor API purpose is to alter HTTP messages as they travel through > the proxy, not to be a substitute for access control logic already > available in the proxy. This statement is incorrect for legitimate use cases where the required access control logic is not supported by Squid internally. A typical alternation-free example is content analysis (which Squid ACLs cannot perform). > So what your adaptor SHOULD be doing is simply > producing the 403 Forbidden message itself. Sometimes, that is the best solution indeed, but it may also be a bad solution in some cases because it can be slower and because it duplicates (or discards) a lot of advanced functionality already implemented in Squid. The rule of thumb here is "If Squid can generate the right blocking message, use Squid (instead of the adapter) to generate the right blocking message". > By using a header as described you are forcing Squid to: > receive adapted message from eCAP > re-parse that altered message, > erase that altered message, > generate a new denial (403) message, and > deliver to client. Adapter implementors are not "forced" to use the above sequence of steps: The first three steps do not have to happen (they are optional). An optimized adapter implementation that lets Squid generate the blocking message is limited to the last two steps from your list: generate a new denial (403) message, and deliver to client. > There is an "external ACL" interface provided for complex authorization > logics to be offloaded to a helper process with more capabilities than > the proxy. That should be used instead of eCAP/ICAP adaptors. An adapter may be a better solution than the external ACL in some cases. The actual decision logic here is roughly as follows: * If built-in ACLs alone are sufficient, then use just the built-in ACLs. They are usually simpler and faster. * If an external ACL is sufficient and performance is not an issue, then use an external ACL. It is a lot simpler to implement than an adapter. * If the decision logic involves message body analysis, then use an eCAP adapter or an ICAP service. Others do not get content. * Otherwise, carefully evaluate external ACLs vs eCAP adapter choice given your use case specifics. eCAP can be faster than an external ACL or vice versa. HTH, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
