Hey Roee,

I am trying to understand what part of squid.conf you want to be able to change without a reconfigure/reload?

If you have many users, i.e. above 50, you should probably not use a simple ncsa_auth, although it's possible and in more than one case is preferable. You could probably write your own basic auth helper that will interact with a DB, which will probably simplify your whole setup. (You can use existing basic auth helpers with mysql or ldap.)

As for the tcp_outgoing_address, it's a whole different story. Since it's a "fast" acl type, the options to do something dynamic with it are an issue. (Maybe an eCAP/ICAP service or a "pre-cooked" note or other factor to the acl can be used.)

I am pretty sure that if an authentication service can reply with a note, i.e. a connection annotation, then it can be used for the address selection. One issue with it is that it will be valid for the next X ttl seconds/minutes/hours.

I do believe that there should be a way to allow something like an external_acl helper to affect this squid feature. I was thinking that an eCAP or an ICAP service or an external_acl helper can add a note for a connection based on a couple of other factors like:

* src ip
* auth username
* request domain or request sni
* ...

So let's say the proxy will have a set of 100 addresses, each will have a single specific matching acl for a request header or connection annotation/note. This way the selection of a tcp_outgoing_address would be a little less complex than it is today.

I have a couple of other ideas for implementations which I have experimented with, but the proxy admin needs to learn how these work, which might be a bit complicated sometimes.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of roee klinger
Sent: Saturday, October 31, 2020 2:35 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Best practice for adding or removing ACLs dynamically ?

Hey,

I have Squid configured to send users to different outgoing interface like so:

..
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/htpassword
acl acl_for_user3002 proxy_auth user2
tcp_outgoing_address 192.168.8.12 acl_for_user3002
http_port 3002 name=3002
http_access allow authenticated
..

When I wanted to change the username:password for user2, I run a bash script to change it in squid.conf and also in htpassword and then I run "squid -k reconfigure", if I don't reconfigure the old user still has access to the proxy and the new one doesn't for about 30 minutes.

I am expecting to have 100s of users soon that will change credentials often, and also I would like to blacklist websites often and on the fly, so I was searching for a better way to manage this without reconfiguring every time, since sometimes a reconfigure can take up to 10-15 seconds.

I am new to Squid and wasn't able to find any info on this, am I doing this currently or there is a better way to change users/ACLs on the fly without reloading Squid?

Thanks,
Roee Klinger

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
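
The external_acl helper idea from the reply above, sketched as an added example (not code from either poster or from the Squid project): the helper maps the authenticated username to an annotation that a `note` ACL can match for `tcp_outgoing_address`. The helper path, ACL names, the `egress` key and the sample mapping are assumptions, and whether the annotation is visible at address-selection time should be checked against the Squid version in use.

```python
#!/usr/bin/env python3
# Added example: external_acl helper that annotates a request by username.
# Assumed squid.conf wiring (helper path, ACL names and "egress" key are hypothetical):
#   external_acl_type egress_lookup ttl=60 %LOGIN %SRC /usr/local/bin/egress_helper.py
#   acl egress_tagged external egress_lookup
#   http_access allow authenticated egress_tagged
#   acl egress_addr12 note egress addr12
#   tcp_outgoing_address 192.168.8.12 egress_addr12
import re
import sys
from urllib.parse import unquote

NOTE_KEY = "egress"  # hypothetical annotation name
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_.-]+")

# Constructed sample mapping. A real helper would query a database here, so a
# changed user takes effect once the external_acl ttl expires, with no reconfigure.
USER_TO_EGRESS = {"user2": "addr12", "user3": "addr13"}


def reply_for(line, table=USER_TO_EGRESS):
    """Build the helper reply for one request line of the form '%LOGIN %SRC'."""
    fields = line.split()
    if len(fields) != 2:
        return "BH message=malformed-input"  # BH: helper could not process the line
    login = unquote(fields[0])  # Squid URL-escapes values it passes to helpers
    if login == "-":  # "-" is sent when no login is available
        return "ERR"
    value = table.get(login)
    if value is None:
        return "ERR"  # unknown user: the ACL does not match
    # A value containing whitespace or "=" could smuggle extra key=value pairs
    # (for example user=...) into the reply, so only plain tokens are emitted.
    if not SAFE_TOKEN.fullmatch(value):
        return "BH message=unsafe-annotation-value"
    return f"OK {NOTE_KEY}={value}"


def main():
    # One request per line on stdin, one reply per line on stdout, unbuffered.
    for line in sys.stdin:
        sys.stdout.write(reply_for(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The `ttl=` on the external ACL is the window the reply mentions: a cached answer stays in effect until it expires, so a shorter value trades helper load for faster revocation.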