On 3/12/18 12:41 am, Amish wrote:
>
> On 02/12/18 3:20 pm, Amos Jeffries wrote:
>> On 2/12/18 5:31 pm, Amish wrote:
>>> On 02/12/18 9:33 am, Alex Rousskov wrote:
>>>> To reduce long-term headaches, I think we should be strict and deprecate
>>>> (and then prohibit) ignoring duplicated external_acl_type declarations.
>>>>
>>>> I do not see any good reasons for ignoring this configuration error
>>>> forever. FWIW, the use case discussed in this thread is not a good
>>>> reason IMO because Squid configuration in question can and should be
>>>> easily generated (probably from a stable template) to correctly
>>>> accommodate the needs of the current authentication method.
>>>>
>>> Thank you for your clarification.
>>>
>>> Now I am looking for alternate ways I can resolve my issue.
>>>
>> What is wrong with %un that makes it unusable?
>>
>> It will contain username when Squid has been told a username and '-'
>> when none is known.
>
> I believe you missed my reply. Here is the archive link to it:
>
> http://lists.squid-cache.org/pipermail/squid-users/2018-December/019759.html
>

Ah, yes it has not arrived here for some reason.

There are actually _up to four_ helper checks being done when %ul is used.

Performance optimizations in Squid were/are preventing them being very visible for Basic auth type and external ACL. But the helper state is still being checked and if any of the cache TTLs end the check may fall through to do a full helper query.

* Each test of the proxyuser ACL involves a check of the external helper cache.
  - If there was no cached result with that exact pattern a full query is sent.

* Each test of the cache for an external helper using %ul (aka. %LOGIN) requires a check of the auth_param helper cache (if any).
  - If there was no cached result with that exact pattern OR if the auth scheme does not cache results, a full query is sent to the auth_param helper.

With your config and %ul:

 - (1) the auth_param helper is asked to login the client and provide a username
then:
 - (2A) the external ACL helper is asked if "user=X" username is okay
OR:
 - (2B) the external ACL helper is asked if "-" username is okay
then:
 - (3) the auth_param helper is asked to login the client and provide a username
then:
 - (4A) the external ACL helper is asked if "user=X" username is okay
OR:
 - (4B) the external ACL helper is asked if "-" username is okay

With your config and %un:

 - (1) the external ACL helper is asked if "-" username is okay,
then:
 - (2A) the external ACL helper is asked if "user=X" username is okay
OR:
 - (2B) the external ACL helper is asked if "-" username is okay

For optimal performance (under either setup) you need to restructure these lines:

  http_access allow proxyuser restrictedports
  http_access allow proxyuser restrictedsites

such that the helper is not being used multiple times:

  http_access deny !proxyuser
  http_access allow restrictedports
  http_access allow restrictedsites

Or,

  acl restrictedPlaces anyof restrictedports restrictedsites
  http_access allow proxyuser restrictedPlaces

Amos