[squid-users] Re: External Helper Question.

From: Louis Gonzales <gonzales@dont-contact.us>
Date: Thu, 15 Nov 2007 23:15:12 -0500

Sorry List,
Resending without HTML.

Louis Gonzales wrote:
> Dist,
> Squid Version: 2.6.STABLE13
> OS: Solaris 10
> Compiled With:
>> configure options: '--prefix=/usr/local' '--enable-mempool-debug'
>> '--enable-xmalloc-statistics' '--enable-devpoll'
>> '--enable-storeio=ufs aufs' '--enable-icmp' '--enable-delay-pools'
>> '--enable-useragent-log' '--enable-referer-log' '--enable-ssl'
>> '--disable-http-violations' '--enable-large-cache-files'
>> '--enable-follow-x-forwarded-for' '--enable-auth=basic'
>> '--enable-basic-auth-helpers=LDAP'
>> '--enable-external-acl-helpers=ip_user ldap_group' '--with-pthreads'
>> '--with-aio' 'CC=/usr/sfw/bin/gcc'
> Integrations:
> OpenLDAP: 2.3.35
>
> Custom:
> External Helper PERL program call: external_acl_type eXhelperI
> children=20 %LOGIN %{HOST} /usr/local/etc/squid/eXhelperI.pl
>
> Question(on External Helper EH):
> The PERL EH connects to a postgresql database, and checks the
> LOGIN(user ID, like 'linuxlouis') and requested HOST(or internet
> domain, like www.yahoo.com), if the LOGIN/HOST tuple exists in the
> database, the EH returns "OK\n" - permit site - IF, they do not exist
> in the database, the EH returns "ERR\n" - deny site.
>
> When the webpage is fetched, usually it contains ads or images that
> are not served from the HOST( like www.yahoo.com, has
> http://www.notyahoo.com/*.jpg files ) links as HREF tags in the main
> www.yahoo.com page. The result is that even though www.yahoo.com for
> LOGIN(linuxlouis) returns "OK\n" these extraneous sources of
> images/ads etc., essentially get caught by Squid, due to the fact that
> probably the LOGIN/HOST(linuxlouis/www.notyahoo.com/some/image.jpg)
> will return ERR, because for linuxlouis, maybe we don't have
> www.notyahoo.com as a permissible site. Squid's behavior is for every
> HREF/URL embedded in the HTML content at a given site, Squid passes
> these also to the EH to verify and rightly so...
>
> "The question": is there a way to permit all of these additional
> extraneous sources of images/ads, as in, is there a way to tell
> squid, "check the external helper for the LOGIN/HOST(website), if
> permitted, allow all content too"? Or perhaps, should I consider
> rather using a custom redirector?
>
> Any ideas would be great... thanks everyone!
>
Received on Thu Nov 15 2007 - 21:15:14 MST
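
The helper behaviour described in the message above, as an added example (not the poster's eXhelperI.pl and not part of the original post). It assumes a hard-coded hash in place of the PostgreSQL table; the lowercasing and port stripping of the host are also assumptions added here. The constructed sample lines show why a page's own host returns OK while an embedded third-party host returns ERR.

```perl
#!/usr/bin/perl
# Added example: minimal Squid external ACL helper loop for "%LOGIN %{HOST}".
use strict;
use warnings;

$| = 1;    # unbuffered STDOUT: Squid blocks until each reply line arrives

# Constructed sample data standing in for the LOGIN/HOST database table.
my %allowed = (
    'linuxlouis' => { 'www.yahoo.com' => 1 },
);

# Squid URL-escapes each field it passes to the helper; undo that.
sub unescape {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Return "OK" only for an exact LOGIN/HOST match, "ERR" for anything else,
# including malformed lines, so that a parsing problem fails closed.
sub decide {
    my ($line) = @_;
    my ($login, $host) = split ' ', $line;
    return 'ERR' unless defined $login && defined $host;
    $login = unescape($login);
    $host  = lc(unescape($host));
    $host =~ s/:\d+\z//;    # a Host header may carry a port
    # Look up the login first so unknown logins do not autovivify hash entries.
    my $hosts = $allowed{$login} or return 'ERR';
    return $hosts->{$host} ? 'OK' : 'ERR';
}

# Under Squid, requests arrive on STDIN, one per line. When run from a
# terminal, fall back to the constructed sample requests in __DATA__.
my $in = -t STDIN ? \*DATA : \*STDIN;
while (my $line = <$in>) {
    chomp $line;
    print decide($line), "\n";
}

__DATA__
linuxlouis www.yahoo.com
linuxlouis www.notyahoo.com
linuxlouis
```

Run from a terminal, the three sample requests produce OK, ERR and ERR: each embedded object is a separate request with its own Host value, so it gets its own lookup.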
