Re: [squid-users] dansguardian as a patch for Squid

In message <04f501c0fbd8$a0fb37e0$0200a8c0@lifelesswks> you wrote:
[snip]
>
> hooks I can do... but there is a deep rewrite in progress as mentioned
> above to resolve some critical issues.
>

So I need to wait a bit then...

> > >
> > > I guess it's up to someone to go to the trouble to write the code...
> >
> > I'll go to the trouble, however, probably the best way would be if
> squid
> > provided an interface like a redirector, but have it maintain a pool
> of
> > processes that grown and shrink on demand as the blocking time for a
> filter
> > would be hugely greater than, say, squidGuard.
>
> The filter hooks allow content processing code to be inserted in-process
> with a state structure to handle all the code's persistent variables.
> Out-of-process processing of content is going to be much slower than
> in-process processing, but it is trivial to write a filter that utilises
> the squid helper "library" to manage a pool of external process's.
> Blocking I/O is not allowed inprocess, but squid has an async I/O
> framework, and filters are allowed to perfom external I/O using that
> async framework. (I.E. MYSQL lookups etc).

OK.

>
> > This I would be /VERY/ interested in and IMHO is a feature that is
> missing
> > from squid that would help people write nice filters very easily.
>
> There are example filters that can be used as templates in the CVS
> branch that has the filtering code in it. That should help.. :]

But you say it's not stable at the moment, so I should wait?

[snip]
>
> > So, squid authors, whaddya think? Would you like to discuss an
> interface
> > design?
>
> Sure. I'm not authoritative for the core authors though :]. However I
> _think_ I've done the most code in this area, so I'll ask that you have
> a _brief_ look at the existing hook style and pick up from there? Don't
> look too deep because the interface has changed slightly as I prepare
> the code for mainstream readiness.

Again it looks like I should wait a bit.

[snip]
>
> A filter-redirector would be a nasty way to do this :]. (See my
> in-process vs out-process comments above). However there is a draft for
> exactly this sort of process, iCAP, or an alternative CVP, and the same
> squid-side framework to allow in-process content processing, allows easy
> implementation of iCAP/CVP (that was one of the drivers :]). The nice
> thing about iCAP/CVP is that by integrating in a standard-based fashion,
> you will still be able to let users use other proxies. iCAP also has
> explicit optimisations to allow content processing to be aborted for a
> given response, removing the squid-dansguardian-squid loop after the
> first few k.

I've not heard of iCAP. I've only been developing for linux for 7 or 8
months now. I have a lot of gaps in my knowledge. I'll do as you say
and look at the archives for information, but some url would be handy.

>
> So the options for a squid-integrated dansguardian are:
> in-process patch (too time consuming, will need maintenance, harder to
> install)

No then.

> in-process "module" (should be fastest). (modules will have dlopen
> functionality at some point - no squid recompile needed).

Sounds good. Where can I get info and is this interface 'ready'?

> out-of-process, custom interface. (squid patch or module needed).

No then.

> out-of-process, iCAP/CVP. (squid that does iCAP/CVP needed)

Sounds easiest. But I think speed wins. We don't want squid slowing down
to an httpd's pace do we? ;)

-- 
Daniel Barron
(Visit http://dansguardian.org/ - True web content filtering for all)