Re: Squid 3 HEAD - ICAP Modifications

From: Alex Rousskov <rousskov@dont-contact.us>
Date: Thu, 14 Dec 2006 09:34:55 -0700

On Thu, 2006-12-14 at 11:04 -0500, Jeremy Hall wrote:

> I do have need of the %d construct that I formulated.

I only looked at the squid.conf portion of your patch and did not notice the
%d substitution. My apologies. All useful substitutions should be
supported, of course!

> I am also
> formulating something with X-Authenticated-Groups that I got some
> recommendations from a vendor on how they want to see it. Should we use
> \n or %n for a newline character? I'm hoping for \n since that seems
> more intuitive,

Why do we need newline character support? Is this for the HTTP/ICAP
linear white space (multiline header), for the end of the header value,
or for something inside the user name value?

> but the logic I wrote will need to be modified such that
> multiple %d, %u, and %n constructs might exist in the same uri.

Squid customized log format uses substitutions, right? Can we have a
single class that handles both cases? A simple single virtual method can
provide specific substitution values, or we may have a virtual method
for every substitution letter supported by some child (so that we can
have a [character->method] table).

The substitution code is relatively complex, low-level, error-prone, and
performance-sensitive so it would be nice to have a single
implementation that we can clean and optimize as time allows. This
approach may also help to have a configuration validator that checks at
Squid startup time that all used substitutions are actually supported.

Thank you,

Alex.

> >>> Alex Rousskov <rousskov@measurement-factory.com> 12/14/06 10:48 AM
> >>>
> On Thu, 2006-12-14 at 08:47 +0100, Axel Westerhold wrote:
>
> > There is one more change I am currently testing. The
> > problem with this patch:
> >
> > It does not follow any ICAP document but only enables squid to get rid of
> > the DOMAIN part from an NTLM Auth so I can use the result string as a query
> > on samaccountname. Would it be possible to add this too?
>
> I assume we are talking about modifying the authenticated client username,
> passed via the icap_client_username_header to the ICAP server.
>
> I believe the right thing to do here is similar to what Jeremy Hall did
> with the icap_auth_scheme in
> http://www.squid-cache.org/mail-archive/squid-dev/200611/0066.html
>
> I would suggest to add an "icap_authenticated_user_header_value" option
> that takes a string with the following supported substitutions:
>
> %U -- complete username, as is
> %N -- username without the domain part
> %% -- percent
>
> I think we do not need a default value here, but would not object to
> "Local://%U" if somebody insists on having a default.
>
> The current "icap_client_username_header" option should be renamed to
> "icap_authenticated_user_header_name".
>
> The current "icap_client_username_encode" option should be renamed to
> "icap_authenticated_user_header_encode". "On" should be the default, I
> guess.
>
> The three icap_authenticated_user_* options can be merged into one
> multivalued option:
> icap_authenticated_user_header [<name>":"] [<encoding>"("] <value> [")"]
>
> For example,
> icap_authenticated_user_header X-Authenticated-User: base64(Local://%U)
> or
> icap_authenticated_user_header identity(%N)
>
> Thank you,
>
> Alex.
>
> > On 14.12.2006 at 6:25, "Alex Rousskov" <rousskov@measurement-factory.com> wrote:
> >
> > > On Mon, 2006-12-04 at 12:57 +0100, Axel Westerhold wrote:
> > >> Hi everyone,
> > >>
> > >> Second try this time hopefully complete.
> > >>
> > >> This is again patched against Squid 3 HEAD and includes 4 changes I would
> > >> like to have when working with webwasher/squid systems.
> > >>
> > >>
> > >> A.) ICAPServiceRep::TheSessionFailureLimit set through squid.conf
> > >> B.) ICAPServiceRep delay for a down service set through squid.conf
> > >> C.) Instead of hardcoding the Header used to transfer the username being
> > >> able to set the used one through squid.conf
> > >> D.) When using X-Authenticated-User in C I need the username to be base64
> > >> encoded so I added another option to turn on encoding if needed.
> > >
> > > The above changes, with minor modifications are now committed to
> > > squid3-icap branch. The corresponding patch is attached.
> > >
> > > I took the liberty to rename some of your new squid.conf options as well
> > > as polish squid.conf comments and code. A negative value for the
> > > icap_service_failure_limit disables the limit feature.
> > >
> > > Please test and let me know whether any further changes are needed.
> > >
> > > Thank you,
> > >
> > > Alex.
> > >
> >
Received on Thu Dec 14 2006 - 09:36:06 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 30 2006 - 12:00:04 MST
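
The single substitution implementation with a [character->method] table and a startup-time validator discussed in this thread, sketched for the proposed %U, %N and %% substitutions. This is an added example, not Squid code and not written by anyone in the thread; all type and function names are hypothetical, and the CR/LF rejection is an added assumption.

```cpp
#include <functional>
#include <map>
#include <stdexcept>
#include <string>

// All names here are hypothetical; this is not Squid's code or API.
struct AuthUser { std::string name; };  // e.g. "DOMAIN\\user" after NTLM auth

using Provider = std::function<std::string(const AuthUser &)>;

// The [character -> method] table: one entry per supported substitution.
static const std::map<char, Provider> &substitutions() {
    static const std::map<char, Provider> table = {
        {'U', [](const AuthUser &u) { return u.name; }},
        {'N', [](const AuthUser &u) {  // drop everything up to the backslash
             const auto pos = u.name.find('\\');
             return pos == std::string::npos ? u.name : u.name.substr(pos + 1);
         }},
        {'%', [](const AuthUser &) { return std::string("%"); }},
    };
    return table;
}

// Startup-time check: empty string if fmt is valid, else the reason it is not.
std::string validateFormat(const std::string &fmt) {
    for (std::string::size_type i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') continue;
        if (++i == fmt.size()) return "dangling % at end of value";
        if (!substitutions().count(fmt[i]))
            return std::string("unsupported substitution %") + fmt[i];
    }
    return "";
}

// Per-request expansion; handles any number of substitutions in one value.
// Throws on a format validateFormat() would reject and (added assumption) on
// CR/LF in a substituted value, since the result is placed in a header line.
std::string expand(const std::string &fmt, const AuthUser &user) {
    std::string out;
    for (std::string::size_type i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') { out += fmt[i]; continue; }
        const std::string v = substitutions().at(fmt.at(++i))(user);
        if (v.find_first_of("\r\n") != std::string::npos)
            throw std::invalid_argument("CR/LF in substituted value");
        out += v;
    }
    return out;
}
```

Running validateFormat() over every configured value when the configuration is parsed means an unsupported letter such as %d is reported at startup rather than surfacing on the first request.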