On 10/18/2018 07:23 AM, Danilo V wrote: > Please check where is my mistake. > > I implemented a custom external ACL ... but you are not _using_ that new "some_group" ACL. An ACL has no effect unless it is actually used in some ACL-driven directive. You probably want to add some_group to your http_access rules. > http_port 3128 > auth_param basic program ... > acl login proxy_auth REQUIRED > http_access deny !login > external_acl_type group ttl=360 ipv4 %LOGIN /ext_danilo_ldap_group.sh > acl some_group external group Internet_Access > acl groupInternet note group Internet_Access > delay_pools 1 > delay_class 1 1 > delay_parameters 1 128000/128000 > delay_access 1 allow groupInternet Alex. > The external ACL type which handles such complex non-traffic things is > clearly listed in the Squid FAQ (and the 'acl' directive documentation) > as being a "slow" / async ACL type. > > Delay pools is also clearly listed as an access control which only works > with "fast" category ACL types. > > <https://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs> > Your external ACL just needs to supply Squid with a "tag=XX" or > "group=XX " annotation to label the transaction with whichever group > matches. > > # login is required to do group checking... > acl login proxy_auth REQUIRED > http_access deny !login > > > # the decision to allow the traffic into the proxy does group checks > and adds annotations... > > external_acl_type group %LOGIN ... > acl some_group external group XX > > http_access allow some_group_check > > > # the decision of what pool(s) to apply has to work FAST - so uses the > annotations already present or not present) as its decider: > > acl groupXX note group XX > > # or for older Squid > acl groupXX note tag XX > > delay_access N allow groupXX > > > Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
