I'm trying to implement an external ACL helper that does an ip address  
to username lookup, but I'm having trouble with squid using an  
external ACL helper in general.  I'm running Squid 2.7.5 on FreeBSD  
7.1.  To rule out my custom written helper program as the culprit, I  
created a basic external helper in perl that just looks like this:

    #!/usr/bin/perl
    while(<STDIN>) {
        print STDOUT "OK\n";
    }

I've simplified my previously complex squid.conf to the point where  
there is very little left that is not commented out.  The relevant  
bits of squid.conf look like this:

    external_acl_type IP-LOOKUP %SRC /usr/local/etc/squid/always-ok.pl
    acl IP-TO-USER external IP-LOOKUP
    acl WIRELESS-GUEST-NET  src 10.15.5.0/255.255.255.0
    http_access allow WIRELESS-GUEST-NET IP-TO-USER
    http_reply_access allow WIRELESS-GUEST-NET IP-TO-USER
    http_reply_access allow all
    debug_options ALL,1 28,9 29,9 33,9 58,9 82,9

If I remove the "IP-TO-USER" acl from http_access and  
http_reply_access then everything works.  As soon as I add  
"IP-TO-USER" to http_access, Squid will not send a reply back to the  
client (verified with tcpdump on the server side and Wireshark on the  
client side), nothing shows up in access.log, nothing shows up in  
cache.log (without debugging turned on, but I get plenty of ACL  
lookups with the debug_options line I have above).  The client  
eventually times out.  I have also tried with and without the external  
acl in "http_reply_access" based on other threads I have read on this  
mailing list.
Here are the lines from cache.log regarding the external ACL when a  
request is made using the above debug_options:

    2009/02/10 16:05:30| aclCheck: checking 'http_access allow WIRELESS-GUEST-NET IP-TO-USER'
    2009/02/10 16:05:30| aclMatchAclList: checking WIRELESS-GUEST-NET
    2009/02/10 16:05:30| aclMatchAcl: checking 'acl WIRELESS-GUEST-NET  src 10.15.5.0/255.255.255.0'
    2009/02/10 16:05:30| aclMatchIp: '10.15.5.199' found
    2009/02/10 16:05:30| aclMatchAclList: checking IP-TO-USER
    2009/02/10 16:05:30| aclMatchAcl: checking 'acl IP-TO-USER external IP-LOOKUP'
    2009/02/10 16:05:30| aclMatchExternal: acl="IP-LOOKUP"
    2009/02/10 16:05:30| aclMatchExternal: IP-LOOKUP("10.15.5.199") = lookup needed
    2009/02/10 16:05:30| aclMatchAclList: no match, returning 0
    2009/02/10 16:05:30| externalAclLookup: lookup in 'IP-LOOKUP' for '10.15.5.199'

Why is it returning "no match" when the external ACL helper always  
returns "OK"?
-- 
Chris Dillon - NetEng/SysAdm
Reeds Spring R-IV School District
Technology Department
175 Elementary Rd.
Reeds Spring, MO 65737
Voice: 417-272-8266 Fax: 417-272-0015

Received on Tue Feb 10 2009 - 22:07:39 MST
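
Added example, not part of the original post: a Perl external ACL helper for the %SRC format above that answers each lookup with "OK user=<name>" or "ERR" and flushes every reply, since Squid reads helper output from a pipe and Perl block-buffers STDOUT on a pipe unless autoflush is turned on. The lookup table, the usernames and the reply_for name are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: external ACL helper mapping a client IP (%SRC) to a username.
use strict;
use warnings;
use IO::Handle;

# Constructed sample table; a real helper would query a lease or session store.
my %user_for_ip = (
    '10.15.5.199' => 'guest-laptop',
    '10.15.5.23'  => 'jsmith',
);

# Replies go to Squid over a pipe. Without autoflush they stay in Perl's
# output buffer and Squid keeps waiting for the answer to each lookup.
STDOUT->autoflush(1);

# Build the one-line reply for one request line. Fails closed: anything
# malformed or unknown yields ERR, so the ACL does not match.
sub reply_for {
    my ($line) = @_;
    my ($ip) = split ' ', $line;    # first token is the %SRC value

    # Accept only a dotted-quad IPv4 address with octets in range.
    return 'ERR' unless defined $ip && $ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;
    return 'ERR' if grep { $_ > 255 } split /\./, $ip;

    my $user = $user_for_ip{$ip};
    return 'ERR' unless defined $user;

    # Emit only usernames from a conservative character set, so a stored
    # value cannot smuggle whitespace or extra key=value pairs into the reply.
    return 'ERR' unless $user =~ /\A[A-Za-z0-9._-]+\z/;

    return "OK user=$user";
}

# One request per line in, exactly one reply line out, in the same order.
while (my $line = <STDIN>) {
    chomp $line;
    print STDOUT reply_for($line), "\n";
}
```

Piping a few addresses into the script through `| cat` instead of a terminal shows whether replies arrive line by line, which is how Squid sees them.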