Hey Amos, One thing that the auth helper cannot do with this note is the ttl. The auth ttl is different then the request IP binding/routing. With separated auth and external_acl helper you can change/apply a note/rule/acl in a lower ttl ie 3 seconds which can be critical to some applications. If one ip goes down for any reason you can change the routing. I would have expected for the note to stick if the ttl is either 0 or 1 for the relevant session. This so we would rely on the helper to be "live" helper per request. I know that 0-3 is almost the same like 0-5 but some prefer to use 0-1. Eliezer ---- Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1ltd@xxxxxxxxx Zoom: Coming soon -----Original Message----- From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries Sent: Tuesday, January 12, 2021 3:46 AM To: squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re: cache_peer selection based on username On 11/01/21 8:06 am, roee klinger wrote: > Thanks, Eliezer, I was able to get it working. > Here is an example in case anybody runs into this in the future: > > acl mynote1 note mykey note1 > acl mynote2 note mykey note2 > FYI, key names ending with "_" character are reserved for custom keys like this. > external_acl_type user_whitelist_external children-max=20 ttl=300 > %>lp %>a script.sh NP: this does not check for users or authenticated traffic at all. It is only using the client-IP and Squid receiving port number. To meet the earlier stated requirement about authenticated traffic the helper format should contain %un. The lines below should follow the http_access rules doing authentication checks. You could also have the helper doing authentication send the notes to Squid. eg as a group name. > acl whitelisted_users external user_whitelist_external > http_access allow whitelisted_users > > nonhierarchical_direct off > never_direct allow all > cache_peer 192.168.8.1 parent 101 0 proxy-only default name=proxy1 > cache_peer_access proxy1 allow mynote1 > cache_peer_access proxy0.2 deny all > cache_peer 192.168.8.2 parent 102 0 proxy-only default name=proxy2 > cache_peer_access proxy2 allow mynote2 > cache_peer_access proxy0.3 deny all > NP: there is no peer named "proxy0.2" or "proxy0.3" so those deny lines are not doing anything. The only reason this config does what it appears at first glance to do, is that the inverted default for the prox1 and proxy2 peer access rules default is deny. > > Then, on the external helper, I return one of these two: > > OK mykey=note1 > OK mykey=note2 > > Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users