Re: [squid-users] Is external_acl_type must under authentication mode?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 14 Jan 2009 16:36:06 +1300

NetSnake wrote:
> You mean I need to set http_access allow all first?
> I tried that, but still no effect.
> Does anybody have a simple and good squid.conf configuration file
> with external_acl_type and cache_peer_access?

No, I mean:
  http_access deny ipaddress
or
  http_access allow ipaddress

or some such blocking access check that _uses_ the ipaddress ACL before
cache_peer_access gets it.

Amos

>
> thanks a lot.
>
>
> 2009/1/14 Amos Jeffries <squid3_at_treenet.co.nz>:
>> NetSnake wrote:
>>> Actually, I defined a cache_peer named host1 as this:
>>> cache_peer www.myhost.com parent 80 0 no-query no-digest originserver
>>> name=host1
>>>
>>> and I defined an ACL named ipaddress:
>>> acl ipaddress external checkip
>>>
>>> and then I defined the access rule, to deny access to hosts through my
>>> checkip script.
>>> cache_peer_access host1 deny ipaddress
>>>
>>> And I found my script is already running after squid is up, and it can
>>> write data to the file.
>>> But it looks like squid just starts up my script, and never calls it when a
>>> connection arrives.
>> cache_peer_access is a fast-ACL check. It cannot wait for delayed actions
>> such as remote helpers to reply.
>>
>> It's also only checked after the request has been accepted.
>> You need to use your ACL in an http_access line first. Which will check it
>> early, and cache the result long enough for the peer checks to use.
>>
>> Amos
>>
>>> BTW, No SELinux running on my box.
>>>
>>> thanks.
>>>
>>> 2009/1/14 Chris Robertson <crobertson_at_gci.net>:
>>>> NetSnake wrote:
>>>>> hi,all
>>>>> I want to use external_acl_type to distribute my users to different
>>>>> servers; these users do NOT need authentication.
>>>>> Squid starts my application, but when I access a special host, no
>>>>> data is sent to my program from Squid.
>>>>> My program is a very simple script, and when I use an existing
>>>>> application such as ip_user_check, there is still no action.
>>>>> My squid configuration is:
>>>>> external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC /usr/local/squid/libexec/checkip.pl
>>>>> http_port 80 accel vhost vport
>>>>> cache_peer www.myhost.com parent 80 0 no-query no-digest originserver
>>>>> name=host1
>>>>> acl ipaddress external checkip
>>>>> cache_peer_access www deny ipaddress
>>>>>
>>>> There is no cache_peer defined as "www". There is one defined as
>>>> "www.myhost.com". Perhaps that's a typo in the obfuscation of your
>>>> squid.conf. Are you sure the checkip.pl script is runnable by the
>>>> squid_effective_user? Does /tmp/squid.log exist? If so, is it
>>>> writeable
>>>> by the squid_effective_user? Are you running SELinux or AppArmor?
>>>>
>>>>> ...
>>>>>
>>>>> My program is very simple:
>>>>> cat checkip.pl
>>>>> #!/usr/bin/perl
>>>>> $| = 1;
>>>>> open(LOG, ">/tmp/squid.log");
>>>>> print LOG "RUNNING\n";
>>>>> close(LOG);
>>>>> while(defined($line = <STDIN>)){
>>>>> print "OK\n";
>>>>> open(LOG, ">>/tmp/squid.log");
>>>>> print LOG "Got: $line\n";
>>>>> close(LOG);
>>>>> }
>>>>>
>>>>>
>>>>> So, I wonder: must external_acl_type be under authentication mode?
>>>>>
>>>>> thanks in advance.
>>>>>
>>>> Chris
>>>>
>>
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
>> Current Beta Squid 3.1.0.3
>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
   Current Beta Squid 3.1.0.3
Received on Wed Jan 14 2009 - 03:37:41 MST
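
The ordering described in this thread, as an added squid.conf fragment that is not part of the original messages: the external ACL is referenced in http_access before cache_peer_access relies on it. The ttl/negative_ttl values, the `oursite` ACL name and the `deny ipaddress !all` line (one way to trigger the lookup without changing the access decision) are assumptions; helper path, peer and ACL names are taken from the thread.

```conf
# Added example, not from the original thread.

# Helper is fed the client IP (%SRC) on stdin and must answer OK or ERR.
# Assumption: a non-zero ttl (the post used ttl=0) so that the result looked
# up during http_access is still cached when the peer check runs.
external_acl_type checkip ttl=60 negative_ttl=60 children=1 %SRC /usr/local/squid/libexec/checkip.pl
acl ipaddress external checkip

http_port 80 accel vhost vport
cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1

# Assumption: ACL naming the accelerated site, so the proxy is not open.
acl oursite dstdomain www.myhost.com

# Before (as posted): the external ACL appears only in cache_peer_access.
# That is a fast check which cannot wait for the helper, so the helper
# is started but never queried:
#   cache_peer_access host1 deny ipaddress

# After: evaluate the external ACL in http_access first. http_access can
# wait for the helper. "!all" never matches, so this line only forces the
# lookup and caches the answer; it does not allow or deny anything itself.
http_access deny ipaddress !all

# Normal accelerator policy.
http_access allow oursite
http_access deny all

# The fast check now finds the cached helper result for this client.
# Note the peer is referenced by its name= value (host1), not "www".
cache_peer_access host1 deny ipaddress
cache_peer_access host1 allow all
```

Running `squid -k parse` against the edited file checks the syntax before a reload; the helper's log file should then show one `Got:` line per new client IP.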
