Thanks Amos for the quick answer.
Can you take away any hope of a workaround with Squid?
This makes me plan having to develop a function that has to
perform DNS resolution inside the helper with the performance
consequences that this will impose.

On 16/09/2021 at 16:21, Amos Jeffries wrote:
> On 16/09/21 10:09 pm, David Touzeau wrote:
>> Hi community, Squid fans
>>
>> I would like to use an external acl process for Geoip processing.
>> I have tried to set up Squid to send the remote peer address
>> using the %<a code, but it always replies with a "-".
>>
>> external_acl_type MyGeopip ttl=3600 negative_ttl=3600
>> children-startup=2 children-idle=2 children-max=20 concurrency=1
>> ipv4 %un %SRC %SRCEUI48 %>ha{X-Forwarded-For} %DST
>> %ssl::>sni %USER_CERT_CN %note %<a
>> /lib/squid3/squid-geoip
>> acl MyGeopip_acl external MyGeopip
>> http_access deny !MyGeopip_acl
>>
>> I was thinking that Squid calls the helper before resolving the
>> remote route.
>
> The problem is there is no server/peer connection at all for a
> transaction that has only been received and not yet processed by
> Squid.
>
>> So to force it, I have added a "fake" acl
>> to force Squid to calculate the remote address.
>>
>> acl fake_dst dst 127.0.0.2
>> http_access deny !fake_dst !MyGeopip_acl
>>
>> But it failed too, the external_acl still receives the "-"
>> instead of the remote public IP address of the server.
>
> Aye. There is still no server.
>
> All this dst ACL changed was that Squid knows a group of IPs it
> *might* select from. The decision whether to use one of them (or
> somewhere entirely different) has not yet been made, so there is
> still no server.
>
> The "%<a" displays the "last server or peer connection". It can
> change when automated retries are done, and is "-" at all points
> before any server contact.
>
> Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
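
The helper-side DNS resolution mentioned at the top of this message, sketched as an added example (not code from this thread or from the Squid project): the helper resolves %DST itself, maps every returned address to a country, and answers OK only when all of them are allowed. It assumes the external_acl_type format is reduced to `%SRC %DST`, accepts an optional leading channel ID, and uses a constructed lookup table and a hypothetical allow-list where a real helper would query a GeoIP database.

```python
#!/usr/bin/env python3
"""Added example: Squid external ACL helper that resolves %DST itself."""
import ipaddress
import socket
import sys

# Constructed sample data (documentation ranges); a real helper would
# query a GeoIP database here.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "FR",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("2001:db8::/32"): "FR",
}
ALLOWED = {"FR"}  # hypothetical policy: countries that answer OK


def resolve(host):
    """Return every address the name resolves to; an IP literal maps to itself."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def country(addr):
    """Country code for one address, or None when it is unknown or unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net, code in GEO_TABLE.items():
        if ip.version == net.version and ip in net:
            return code
    return None


def decide(line, resolver=resolve):
    """Build the reply for one request line: '[channel-ID] %SRC %DST'."""
    fields = line.split()
    chan = fields.pop(0) + " " if len(fields) == 3 and fields[0].isdigit() else ""
    if len(fields) != 2:
        return chan + "ERR"
    addrs = resolver(fields[1])
    # Fail closed: no answer, or any address outside the allowed set, is ERR.
    ok = bool(addrs) and all(country(a) in ALLOWED for a in addrs)
    return chan + ("OK" if ok else "ERR")


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(decide(request) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer
```

The addresses the helper resolves are not guaranteed to be the one Squid later connects to, since that selection has not been made when the ACL runs; requiring every resolved address to pass narrows that gap but does not close it.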