Amos,
Would an ICAP service that sits on the RESPMOD vector would be a better
solution other then opening a new session?
Thanks,
Eliezer
On 2018-09-24 12:30, Amos Jeffries wrote:
On 24/09/18 6:38 PM, uppsalanet wrote:
Hi Amos,
Today I have a conf like this:
....
acl *LIB_domains* dstdomain .almedalsbiblioteket.se .alvin-portal.org
.bibliotekuppsala.se
http_access allow *LIB_domains*
....
Now I also need to open for *.browzine.com*. The problem with
*.browzine.com* is that it is a portal with many links to other sites.
So I
basically need to open up and maintain 400 sites in a squid ACL.
I would like to take another approach then (but I don't know if it's
possible):
I know that browzine.com will reply 302 when trying to access a link
on
their site. *So I would like to accept all redirect (302) sites from
browzine.com*.
Aha, that is clearer. Thank you.
I think you can possibly achieve this, but *only* because of those 302
existing. If the site were just a collection of links it would be very
much more difficult.
What I am thinking of is to use a custom external ACL script that
creates a temporary browsing session for a client when the 302 arrives
then the SQL session helper to allow matching traffic through for the
followup request from that client.
You will need a database with a table created like this:
CREATE TABLE sessions (
id VARCHAR(256) NOT NULL PRIMARY KEY,
enabled DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
)
You need to write a script which receives an IP and a URL from Squid,
extracts the domain name from the URL, then adds a string "$ip $domain"
to that table as the id column, then returns the "OK" result to Squid.
The page at
<http://www.squid-cache.org/Versions/v4/manuals/ext_sql_session_acl.html>
has
details of the SQL session helper that uses that table to check for
whitelisted domains.
Your config would look like:
acl 302 http_status 302
acl browzine dstdomain .browzine.com
external_acl_type whitelist_add %SRC %{Location} \
/path/to/whitelist_script
acl add_to_whitelist external whitelist_add
http_reply_access allow browzine 302 add_to_whitelist
http_reply_access allow all
external_acl_type whitelist ttl=60 %SRC %DST \
/usr/lib/squid/ext_session_db_acl \
--dsn ... --user ... --password ... \
--table sessions --cond ""
acl whitelisted external whitelist
http_access allow whitelisted
To have sessions expire simply remove them from the database table.
Squid will start rejecting traffic there within 60 seconds of the
removal.
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
