On 4/26/23 08:08, Alexeyяр Gruzdov wrote:
> Oh... Looks like I just need to send as answer the list of my policy
> acl, for example
> user1 wanted to go over peer1 and peer3
> the answer from external script must be like "OK proxy=peer1
> proxy=peer3" and looks like it works well like I need. User will go
> over peer1 and peer3 only by round-robin.

Instead of sending N same-name annotations to Squid, please try sending
one annotation with a comma-separated list of N values:

    proxy=peer1,peer3,peer4

Rationale: Even if your current N-annotation setup "works", it is
essentially relying on undefined and/or questionable behavior that may
change. Using N-value annotations, you are avoiding that problem.
The "note" ACL has -m option that tells Squid to interpret the
annotation value as a list:

    acl cleared_for_peer1 note -m proxy peer1
    acl cleared_for_peer2 note -m proxy peer2
    ...

And, again, avoid using "proxy" as the annotation name: That name is
currently reserved for Squid's own use. Use "proxy_" or any other name
ending with an underscore character. IMO, we should change the
policy/code to be more admin-friendly, but that change may not happen
for a long time, and modern Squids will warn you about reserved names
like "proxy":
https://github.com/squid-cache/squid/commit/27c36771bf145c2f8ca1efab6743b9e087867ab5
HTH,
Alex.
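
The points made in this thread (one reply line per request line, echoing the concurrency channel-id, quitting with exit code zero on EOF, and a single comma-separated annotation under a name ending in an underscore) combined in one helper. This is an added example, not code from the thread or from Squid; the POLICY table, the user names and the assumed request layout (channel-id, user name, then other fields) are constructed for illustration.

```python
#!/usr/bin/env python3
"""Sketch of a Squid external ACL helper (added example)."""
import sys

# Constructed policy (assumption): user name -> cache_peer names allowed.
POLICY = {
    "user1": ["peer1", "peer3"],
    "bob": ["peer1", "peer2", "peer3", "peer4", "peer5"],
}
# Trailing underscore keeps the annotation name out of Squid's reserved set.
# Matching squid.conf side: acl cleared_for_peer1 note -m proxy_ peer1
NOTE_KEY = "proxy_"


def answer(line, concurrent=True):
    """Return exactly one reply line (no newline) for one request line."""
    fields = line.split()
    channel = ""
    if concurrent and fields:
        # With concurrency enabled the first token is the channel-id,
        # which must be echoed at the start of the reply.
        channel = fields.pop(0) + " "
    if not fields:
        return channel + "BH"       # malformed request: helper failure
    peers = POLICY.get(fields[0])
    if not peers:
        return channel + "ERR"      # no policy for this user: ACL mismatch
    # One annotation carrying a comma-separated list of values.
    return channel + "OK " + NOTE_KEY + "=" + ",".join(peers)


def serve(stdin=sys.stdin, stdout=sys.stdout, concurrent=True):
    """Answer requests until EOF; the return value is the exit code."""
    while True:
        try:
            line = stdin.readline()
        except OSError:
            return 1                # stdin read error: quit, never spin
        if line == "":              # EOF: Squid closed stdin (reconfigure)
            return 0
        stdout.write(answer(line, concurrent) + "\n")  # single newline
        stdout.flush()              # Squid is waiting on this one line


if __name__ == "__main__":
    sys.exit(serve())
```

It can be exercised without Squid by piping a few request lines into it on the command line; closing stdin must end the process with exit code 0.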
On Wed, 26 Apr 2023 at 15:40, Alexeyяр Gruzdov wrote:
Hello!
Yes!
Thank you!
One more question pls:
For example I have five of cache_peers and ACL associated with some
cache peer.
As you know - I used the my external ACL script and now I can put
the policy to answer for my script and squid will get an answer and
used the correct ACL for username.
For example answer is "OK proxy=peer1" and user will be used the
cache_peer1, or if "OK proxy=all" and user will go over all of
cache_peers by round-robin.
All works well.
But how I can put something like a list of ACL for user ? for
example I want that some one user can go over peer1 and peer3 only,
by round robin, but will be denied over peer2, peer4, peer5. Of
course better using external ACL (as DB ). What do you think?
On Mon, 24 Apr 2023 at 18:07, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 4/23/23 14:28, Alexeyяр Gruzdov wrote:
> One more may be last thing: - I found the strange behavior - if I make
> changes at my ext ACL script (its python ) and then "squid -k
> reconfigure" then I can see that my script appears in the "TOP" of
> process and loads CPU to 100%

Check how your ACL script reacts to stdin closure/EOF. The script should
quit but probably does not. Same for any stdin reading errors. On EOF,
the script should use exit code zero. All these things are easy to test
on the command line (without Squid).
Alex.
> On Sun, 23 Apr 2023 at 16:36, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
> On 23/04/2023 5:27 pm, Alexeyяр Gruzdov wrote:
> > Hello Guys!
> > Thank you very much! For now all works like I needed!
> >
> > But I have an one more questions about how I could to use the
> > kv-pair:
> ...
> > and then ACL with “note proxy all “
> > But how the kv-pair must to be looked for this my tag ?
> >
> > I have tried to get answer from my ext script like
> > “OK”
> > “proxy=all”
> >
> > But looks like it’s not correct
> >
>
> This part of the instructions were missed:
>
> https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols
>
> "
> For every line sent by Squid exactly one line is expected back. Some
> script language such as perl and python need to be careful about the
> number of newlines in their output.
> "
>
> If your helper received something like this (with concurrency
> channel-id "1"):
>
> "1 bob 192.0.2.1"
>
> It should produce a line like:
> "1 OK proxy=all"
>
> If no concurrency channel-id is received, then output is the same but
> without sending channel-id back and MUST be sent in same order as
> received.
>
> I do recommend using concurrency. It can help further debug issues with
> helpers responding incorrectly.
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users