Re: Fwd: cache_peer_access by dynamic ACL

Alexeyяр Gruzdov <my.shellac@xxxxxxxxx> · Wed, 26 Apr 2023 19:33:52 +0500

Thank you very much for you answer and explanation 

Yep, I don’t use name “proxy” for annotations, it was just for example only . 

Bets regards!
Alexg

On Wed, 26 Apr 2023 at 18:34, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 4/26/23 08:08, Alexeyяр Gruzdov wrote:

> Oh... Looks like I just need to send as answer the list of my policy 

> acl, for example

> 

> user1 wanted to go over peer1 and peer3

> the answer from external script must be like  "OK proxy=peer1 

> proxy=peer3"  and looks like it works well like I need. User will go 

> over peer1 and peer3 only by round-robin.

Instead of sending N same-name annotations to Squid, please try sending 

one annotation with a coma-separated list of N values:

     proxy=peer1,peer3,peer4

Rationale: Even if your current N-annotation setup "works", it is 

essentially relying on undefined and/or questionable behavior that may 

change. Using N-value annotations, you are avoiding that problem.

The "note" ACL has -m option that tells Squid to interpret the 

annotation value as a list:

     acl cleared_for_peer1 note -m proxy peer1

     acl cleared_for_peer2 note -m proxy peer2

     ...

And, again, avoid using "proxy" as the annotation name: That name is 

currently reserved for Squid own use. Use "proxy_" or any other name 

ending with an underscore character. IMO, we should change the 

policy/code to be more admin-friendly, but that change may not happen 

for a long time, and modern Squids will warn you about reserved names 

like "proxy": 

https://github.com/squid-cache/squid/commit/27c36771bf145c2f8ca1efab6743b9e087867ab5

HTH,

Alex.

> ср, 26 апр. 2023 г. в 15:40, Alexeyяр Gruzdov:

> 

>     Hello!

>     Yes!

>     Thank you!

> 

> 

>     One more question pls:

> 

>     For example I have five of cache_peers and ACL associated  with some

>     cache peer.

>     As you know - I used the my external ACL script and now I can put

>     the policy to answer fo my script and squid will get an answer and

>     used the correct ACL for username.

>     For example answer is  "OK  proxy=peer1"  and user will be used the

>     cache_peer1, or if "OK proxy=all" and user will go over all of

>     cache_peers by round-robin.

>     All works well.

>     But how I can put something like a list of ACL for user ?  for

>     example  I want that some one user can go over peer1 and peer3 only,

>     by round robin, but will be denied over peer2. peer4, peer5. Of

>     course better using external ACL (as DB ). What do you think?

> 

> 

> 

> 

> 

> 

>     пн, 24 апр. 2023 г. в 18:07, Alex Rousskov

>     <rousskov@xxxxxxxxxxxxxxxxxxxxxxx

>     <mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx>>:

> 

>         On 4/23/23 14:28, Alexeyяр Gruzdov wrote:

> 

>          > One more may be last thing:  - I found the strange behavior 

>         - if I make

>          > changes at my ext ACL script (its python ) and then "squid -k

>          > reconfigure"  then I can see that my script appears in the

>         "TOP" of

>          > process and loads CPU to 100%

> 

>         Check how your ACL script reacts to stdin closure/EOF. The

>         script should

>         quit but probably does not. Same for any stdin reading errors.

>         On EOF,

>         the script should use exit code zero. All these things are easy

>         to test

>         on the command line (without Squid).

> 

>         Alex.

> 

>          > вс, 23 апр. 2023 г. в 16:36, Amos Jeffries

>         <squid3@xxxxxxxxxxxxx <mailto:squid3@xxxxxxxxxxxxx>

>          > <mailto:squid3@xxxxxxxxxxxxx <mailto:squid3@xxxxxxxxxxxxx>>>:

>          >

>          >     On 23/04/2023 5:27 pm, Alexeyяр Gruzdov wrote:

>          >      > Hello Guys!

>          >      > Thank you very much! For now all works like I needed!

>          >      >

>          >      > But I have an one more  questions about how I could to

>         use the

>          >     kv-pair:

>          >     ...

>          >      > and then ACL with “note proxy all “

>          >      > But how the kv-pair must to be looked for this my tag ?

>          >      >

>          >      > I have tried to get answer from my ext script like

>          >      > “OK”

>          >      > “proxy=all”

>          >      >

>          >      > But looks like it’s not correct

>          >      >

>          >

>          >     This part of the instructions were missed:

>          >

>         https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols <https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols>

>          >   

>           <https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols <https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols>>

>          >     "

>          >     For every line sent by Squid exactly one line is expected

>         back. Some

>          >     script language such as perl and python need to be

>         careful about the

>          >     number of newlines in their output.

>          >     "

>          >

>          >     If your helper received something like this (with concurrency

>          >     channel-id

>          >     "1"):

>          >

>          >        "1 bob 192.0.2.1"

>          >

>          >     It should produce a line like:

>          >         "1 OK proxy=all"

>          >

>          >     If no concurrency channel-id is received, then output is

>         the same but

>          >     without sending channel-id back and MUST be sent in same

>         order as

>          >     received.

>          >

>          >     I do recommend using concurrency. It can help further

>         debug issues with

>          >     helpers responding incorrectly.

>          >

>          >     HTH

>          >     Amos

>          >

>          >     _______________________________________________

>          >     squid-users mailing list

>          > squid-users@xxxxxxxxxxxxxxxxxxxxx

>         <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>

>          >     <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx

>         <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>>

>          > http://lists.squid-cache.org/listinfo/squid-users

>         <http://lists.squid-cache.org/listinfo/squid-users>

>          >     <http://lists.squid-cache.org/listinfo/squid-users

>         <http://lists.squid-cache.org/listinfo/squid-users>>

>          >

>          >

>          > _______________________________________________

>          > squid-users mailing list

>          > squid-users@xxxxxxxxxxxxxxxxxxxxx

>         <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>

>          > http://lists.squid-cache.org/listinfo/squid-users

>         <http://lists.squid-cache.org/listinfo/squid-users>

> 

>         _______________________________________________

>         squid-users mailing list

>         squid-users@xxxxxxxxxxxxxxxxxxxxx

>         <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>

>         http://lists.squid-cache.org/listinfo/squid-users

>         <http://lists.squid-cache.org/listinfo/squid-users>

> 

> 

> _______________________________________________

> squid-users mailing list

> squid-users@xxxxxxxxxxxxxxxxxxxxx

> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________

squid-users mailing list

squid-users@xxxxxxxxxxxxxxxxxxxxx

http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users