Re: [squid-users] External ACL lookups always cause ACL no-match?

From: Chris Robertson <crobertson_at_gci.net>
Date: Tue, 10 Feb 2009 14:45:44 -0900

Chris Dillon wrote:
> I'm trying to implement an external ACL helper that does an ip address
> to username lookup, but I'm having trouble with squid using an
> external ACL helper in general. I'm running Squid 2.7.5 on FreeBSD
> 7.1. To rule out my custom written helper program as the culprit, I
> created a basic external helper in perl that just looks like this:
>

You are not flushing STDOUT.

> #!/usr/bin/perl
# Flush STDOUT
$|=1;
> while(<STDIN>) {
> print STDOUT "OK\n";
> }
>
> I've simplified my previously complex squid.conf to the point where
> there is very little left that is not commented out. The relevant
> bits of squid.conf look like this:
>
> external_acl_type IP-LOOKUP %SRC /usr/local/etc/squid/always-ok.pl
> acl IP-TO-USER external IP-LOOKUP
> acl WIRELESS-GUEST-NET src 10.15.5.0/255.255.255.0
> http_access allow WIRELESS-GUEST-NET IP-TO-USER
> http_reply_access allow WIRELESS-GUEST-NET IP-TO-USER
> http_reply_access allow all
> debug_options ALL,1 28,9 29,9 33,9 58,9 82,9
>
> If I remove the "IP-TO-USER" acl from http_access and
> http_reply_access then everything works. As soon as I add
> "IP-TO-USER" to http_access, Squid will not send a reply back to the
> client (verified with tcpdump on the server side and Wireshark on the
> client side), nothing shows up in access.log, nothing shows up in
> cache.log (without debugging turned on, but I get plenty of ACL
> lookups with the debug_options line I have above). The client
> eventually times out. I have also tried with and without the external
> acl in "http_reply_access" based on other threads I have read on this
> mailing list.
>
> Here are the lines from cache.log regarding the external ACL when a
> request is made using the above debug_options:
>
> 2009/02/10 16:05:30| aclCheck: checking 'http_access allow
> WIRELESS-GUEST-NET IP-TO-USER'
> 2009/02/10 16:05:30| aclMatchAclList: checking WIRELESS-GUEST-NET
> 2009/02/10 16:05:30| aclMatchAcl: checking 'acl WIRELESS-GUEST-NET
> src 10.15.5.0/255.255.255.0'
> 2009/02/10 16:05:30| aclMatchIp: '10.15.5.199' found
> 2009/02/10 16:05:30| aclMatchAclList: checking IP-TO-USER
> 2009/02/10 16:05:30| aclMatchAcl: checking 'acl IP-TO-USER external
> IP-LOOKUP'
> 2009/02/10 16:05:30| aclMatchExternal: acl="IP-LOOKUP"
> 2009/02/10 16:05:30| aclMatchExternal: IP-LOOKUP("10.15.5.199") =
> lookup needed

Translation: "We don't have a cached answer for the query 10.15.5.199,
so we'll have to ask the external helper."

> 2009/02/10 16:05:30| aclMatchAclList: no match, returning 0

Translation: "No match (in the cache), returning 0".

> 2009/02/10 16:05:30| externalAclLookup: lookup in 'IP-LOOKUP' for
> '10.15.5.199'

Translation: "Asking the external helper for an answer to the question
10.15.5.199".

And there the log stops. Squid is left waiting for an answer that is
stuck in the Perl line buffer.

>
> Why is it returning "no match" when the external ACL helper always
> returns "OK"?

Because the helper is not returning "OK". :o)

Chris
Received on Tue Feb 10 2009 - 23:41:58 MST
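As an added example that is not part of this thread or of Squid itself: a Python version of the helper Chris Dillon described (client IP to username), with the flush fix applied and failing closed (ERR) on unknown or malformed input. The address table and usernames are constructed for the demo.

```python
#!/usr/bin/env python3
"""Squid 2.x external ACL helper: map client IP (%SRC) to a username.

Squid writes one request per line on stdin and blocks until a reply line
arrives on stdout, so every reply must be flushed immediately (the bug
discussed above). Unknown or malformed input fails closed with ERR.
"""
import ipaddress
import sys

# Constructed sample table for the demo; a real deployment would consult
# a DHCP lease database, captive-portal session store, or similar.
IP_TO_USER = {
    "10.15.5.199": "alice",
    "10.15.5.200": "bob",
}


def handle_request(line: str, table: dict = IP_TO_USER) -> str:
    """Build the reply for one request line (first field is %SRC).

    Returns "OK user=<name>" when the address is known, otherwise "ERR".
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"
    try:
        src = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"  # not an IP address: reject rather than guess
    user = table.get(str(src))
    if user is None:
        return "ERR"
    # Squid 2.x accepts key=value pairs after OK; user= sets the login
    # name recorded in access.log for the request.
    return f"OK user={user}"


def main() -> None:
    for line in sys.stdin:          # one lookup per line
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()          # equivalent of $|=1 in the Perl helper


if __name__ == "__main__":
    main()
```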