
Re: Fwd: cache_peer_access by dynamic ACL


 



Thank you very much for your answer and explanation.

Yep, I don’t use the name “proxy” for annotations, it was just for example only.

Best regards!
Alexg



On Wed, 26 Apr 2023 at 18:34, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 4/26/23 08:08, Alexeyяр Gruzdov wrote:
> Oh... Looks like I just need to send as answer the list of my policy
> acl, for example
>
> user1 wanted to go over peer1 and peer3
> the answer from external script must be like  "OK proxy=peer1
> proxy=peer3"  and looks like it works well like I need. User will go
> over peer1 and peer3 only by round-robin.

Instead of sending N same-name annotations to Squid, please try sending
one annotation with a comma-separated list of N values:

     proxy=peer1,peer3,peer4

Rationale: Even if your current N-annotation setup "works", it is
essentially relying on undefined and/or questionable behavior that may
change. Using N-value annotations, you are avoiding that problem.

The "note" ACL has an -m option that tells Squid to interpret the
annotation value as a list:

     acl cleared_for_peer1 note -m proxy peer1
     acl cleared_for_peer2 note -m proxy peer2
     ...


And, again, avoid using "proxy" as the annotation name: That name is
currently reserved for Squid's own use. Use "proxy_" or any other name
ending with an underscore character. IMO, we should change the
policy/code to be more admin-friendly, but that change may not happen
for a long time, and modern Squids will warn you about reserved names
like "proxy":
https://github.com/squid-cache/squid/commit/27c36771bf145c2f8ca1efab6743b9e087867ab5


HTH,

Alex.


> On Wed, 26 Apr 2023 at 15:40, Alexeyяр Gruzdov wrote:
>
>     Hello!
>     Yes!
>     Thank you!
>
>
>     One more question pls:
>
>     For example I have five cache_peers and an ACL associated with some
>     cache peer.
>     As you know - I used my external ACL script and now I can put
>     the policy into the answer of my script and squid will get the answer and
>     use the correct ACL for the username.
>     For example the answer is "OK proxy=peer1" and the user will use
>     cache_peer1, or if "OK proxy=all" then the user will go over all of the
>     cache_peers by round-robin.
>     All works well.
>     But how can I put something like a list of ACLs for a user? For
>     example I want that some user can go over peer1 and peer3 only,
>     by round robin, but will be denied over peer2, peer4, peer5. Of
>     course better using external ACL (as DB). What do you think?
>
>
>
>
>
>
>     On Mon, 24 Apr 2023 at 18:07, Alex Rousskov
>     <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>         On 4/23/23 14:28, Alexeyяр Gruzdov wrote:
>
>          > One more, maybe last, thing: I found a strange behavior - if I make
>          > changes to my ext ACL script (it's Python) and then "squid -k
>          > reconfigure" then I can see that my script appears in the "TOP" of
>          > processes and loads CPU to 100%
>
>         Check how your ACL script reacts to stdin closure/EOF. The script should
>         quit but probably does not. Same for any stdin reading errors. On EOF,
>         the script should use exit code zero. All these things are easy to test
>         on the command line (without Squid).
>
>         Alex.
>
>          > On Sun, 23 Apr 2023 at 16:36, Amos Jeffries
>          > <squid3@xxxxxxxxxxxxx> wrote:
>          >
>          >     On 23/04/2023 5:27 pm, Alexeyяр Gruzdov wrote:
>          >      > Hello Guys!
>          >      > Thank you very much! For now all works like I needed!
>          >      >
>          >      > But I have one more question about how I could use the
>          >      > kv-pair:
>          >     ...
>          >      > and then ACL with “note proxy all”
>          >      > But how must the kv-pair look for this tag of mine?
>          >      >
>          >      > I have tried to get answer from my ext script like
>          >      > “OK”
>          >      > “proxy=all”
>          >      >
>          >      > But looks like it’s not correct
>          >      >
>          >
>          >     This part of the instructions was missed:
>          >
>          >     https://wiki.squid-cache.org/Features/AddonHelpers#helper-protocols
>          >
>          >     "
>          >     For every line sent by Squid exactly one line is expected back. Some
>          >     script language such as perl and python need to be careful about the
>          >     number of newlines in their output.
>          >     "
>          >
>          >     If your helper received something like this (with concurrency
>          >     channel-id "1"):
>          >
>          >        "1 bob 192.0.2.1"
>          >
>          >     It should produce a line like:
>          >         "1 OK proxy=all"
>          >
>          >     If no concurrency channel-id is received, then output is the same but
>          >     without sending channel-id back and MUST be sent in same order as
>          >     received.
>          >
>          >     I do recommend using concurrency. It can help further debug issues with
>          >     helpers responding incorrectly.
>          >
>          >     HTH
>          >     Amos
>          >
>          >     _______________________________________________
>          >     squid-users mailing list
>          >     squid-users@xxxxxxxxxxxxxxxxxxxxx
>          >     http://lists.squid-cache.org/listinfo/squid-users
>          >
>          >

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
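
Added example, not part of the original thread and not code from the Squid project: a Python external ACL helper that combines the advice above (exactly one reply line per request, channel-id echoed back, one comma-separated annotation under a name ending in an underscore, clean exit on stdin EOF). It assumes the helper input is "channel-id user client-ip" as in the sample line quoted above; the POLICY table, its user names and the function names are hypothetical.

```python
import sys

# Constructed policy table (hypothetical users); a real helper would query a DB.
POLICY = {
    "user1": ["peer1", "peer3"],
    "bob": ["peer1", "peer2", "peer3", "peer4", "peer5"],
}
# "proxy" is reserved by Squid; a trailing underscore marks an admin-chosen name.
# Matching squid.conf line: acl cleared_for_peer1 note -m proxy_ peer1
ANNOTATION = "proxy_"


def answer(line, concurrency=True):
    """Build exactly one reply line (without newline) for one request line."""
    fields = line.split()
    prefix = ""
    if concurrency:
        # The first token is the channel-id and must be echoed back.
        if not fields or not fields[0].isdigit():
            return "BH message=missing-channel-id"
        prefix = fields[0] + " "
        fields = fields[1:]
    if not fields:
        return prefix + "BH message=empty-request"
    peers = POLICY.get(fields[0])
    if not peers:
        return prefix + "ERR"  # unknown user: fail closed, no peer is cleared
    # One annotation carrying N values instead of N same-name annotations.
    return f"{prefix}OK {ANNOTATION}={','.join(peers)}"


def serve(stdin=sys.stdin, stdout=sys.stdout, concurrency=True):
    """Answer until EOF; return 0 on EOF and 1 on a stdin/stdout error."""
    try:
        for line in stdin:  # iteration stops when Squid closes stdin
            stdout.write(answer(line, concurrency) + "\n")
            stdout.flush()  # one complete line per request, sent immediately
    except (OSError, ValueError):
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(serve())
```

The EOF behaviour can be checked without Squid by piping a request line into the script on the command line and confirming that it exits with status zero.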
