On 2024-09-10 13:54, Carlos André wrote:
My "delay_class" simply DOESN'T work if I use an external acl (helper -
LDAP or winbind [ext_wbinfo_group_acl], same problem); delay_class works
OK using an acl proxy_auth or acl src.... but nothing with an external one.
I believe your configuration is suffering from two semi-independent
problems:
Problem A:
External ACLs are so-called "slow" or "asynchronous" ACLs. They should
not be used together with directives that do not support "slow" ACLs. It
is not explicitly documented, but the delay_access directive does _not_
support slow ACLs AFAICT. It only supports "fast" ACLs.
N.B. Due to ACL caching side effects, using slow ACLs with directives
that do not support them may appear to "work" in certain cases, but it
is not supported and should not be relied upon.
I need to use external because I use groups to specify Internet
speed/policy per user.
I recommend checking your Group_Internet ACL at http_access time instead
of delay_access time; http_access directive supports slow ACLs and
should be evaluated before delay_access is.
Use annotate_transaction or annotate_client ACLs to remember whether
Group_Internet ACL has matched at http_access evaluation time. Use a
"note" ACL to check whether those annotations have been set. The "note"
ACL is a "fast" ACL. annotate_transaction documentation in
squid.conf.documented has a relevant example. There are also potentially
relevant examples in bug #4993 report (among others):
https://bugs.squid-cache.org/show_bug.cgi?id=4993
Problem B:
2024/09/10 14:30:28 kid1| WARNING: Group_Internet ACL is used in context
without an ALE state. Assuming mismatch.
I have not checked carefully, but this could be a bug fixed in v6. The
corresponding commit says "delay_pool_access lacked ... details beyond
src/dst addresses".
Upgrade to v6+. If you are still getting a similar runtime WARNING, then
there is another Squid bug that needs to be fixed.
HTH,
Alex.
Below is my sample squid.conf:
================================================================
acl SSL_ports port 443 6443 8443 8080 8008
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_port 8080
cache_dir ufs /var/spool/squid 8192 32 128
coredump_dir /var/spool/squid
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/SERVER@xxxxxxxxx
auth_param negotiate children 20 startup=2 idle=2
external_acl_type AD ttl=360 children-startup=2 children-max=20 children-idle=2 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -Z -K -R -d -h 192.168.0.10 -b "dc=realm,dc=lan" -D "cn=squid,cn=Users,dc=realm,dc=lan" -w password1234 -f "(&(cn=%u)(memberof=cn=%g,cn=Users,dc=realm,dc=lan))"
acl kerb-auth proxy_auth REQUIRED
acl Group_Internet external AD Internet_Access
acl User proxy_auth carlos@xxxxxxxxx
acl src_carlos_ip src 192.168.0.100
http_access allow Group_Internet # work!
http_access deny all
delay_pools 2
delay_class 1 2
delay_class 2 2
delay_parameters 1 4096000/4096000 2048000/2048000
delay_parameters 2 2048000/2048000 512000/512000
delay_access 1 allow Group_Internet # won't work (Squid ignores it and passes to the next delay_access)
#delay_access 1 allow User # work!
#delay_access 1 allow src_carlos_ip # work!
delay_access 1 deny all
delay_access 2 allow all
================================================================
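Alex's suggested restructuring for Problem A, applied to the quoted squid.conf, as an added example that is not from the thread: the slow group check moves to http_access, an annotate_transaction ACL records the match, and delay_access tests the resulting annotation with the fast "note" ACL. The ACL names markInternet and InInternetGroup and the annotation key internet_group are my own choices, not names from the original posts.

```conf
# Slow external ACL: evaluated only in http_access, which supports slow ACLs.
acl Group_Internet external AD Internet_Access

# Fast ACL that always matches and tags the transaction. It is placed AFTER
# Group_Internet on the same http_access line, so it is only reached when
# Group_Internet matched (ACLs on one line are ANDed, left to right).
# The ACL name and the key internet_group are assumptions for this example.
acl markInternet annotate_transaction internet_group=yes

# Fast ACL that matches when the annotation above is present with value "yes".
acl InInternetGroup note internet_group yes

http_access allow Group_Internet markInternet
http_access deny all

# delay_access now references only fast ACLs; pool 1 is the faster pool.
delay_pools 2
delay_class 1 2
delay_class 2 2
delay_parameters 1 4096000/4096000 2048000/2048000
delay_parameters 2 2048000/2048000 512000/512000
delay_access 1 allow InInternetGroup
delay_access 1 deny all
delay_access 2 allow all
```

Run `squid -k parse` against the edited file before reloading; if the Problem B "without an ALE state" WARNING still appears afterwards, that is the separate upgrade-to-v6 issue Alex describes.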
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users