On 16/09/21 10:09 pm, David Touzeau wrote:
Hi comunity, Squid fans
I would like to use an external acl process for Geoip processing
i have tried to setup squid to send the remote peer address using %<a
code but it always reply with a "-"
external_acl_type MyGeopip ttl=3600 negative_ttl=3600 children-startup=2
children-idle=2 children-max=20 concurrency=1 ipv4 %un %SRC %SRCEUI48
%>ha{X-Forwarded-For} %DST %ssl::>sni %USER_CERT_CN %note %<a
/lib/squid3/squid-geoip
acl MyGeopip_acl external MyGeopip
http_access deny !MyGeopip_acl
I was thinking that Squid call the helper before resolving the remote route.
The problem is there is no server/peer connection at all for a
transaction that has only been received and not yet processed by Squid.
So to force it, i have added a "fake" acl to force Squid to calculate
the remote address.
acl fake_dst dst 127.0.0.2
http_access deny !fake_dst !MyGeopip_acl
But it failed too, the external_acl still receive the "-" instead of the
remote public IP address of the server
Aye. There is still no server.
All this dst ACL changed was that Squid knows a group of IPs it *might*
select from. The decision whether to use one of them (or somewhere
entirely different) has not yet been made, so there is still no server.
The "%<a" displays the "last server or peer connection". It can change
when automated retries are done, and is "-" at all points before any
server contact.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
