Re: [squid-users] request_header_access and external acl

From: Tucker Cunningham <tucker_at_intapp.com>
Date: Thu, 12 Mar 2009 00:26:28 -0700

Thanks for the reply, Amos. I'm on version 3.0.STABLE13. If I use the
external acl with http_access, I've dumped the input to the helper
program and seen that the cert info is being correctly passed in. The
problem only seems to occur when using the external acl in conjunction
with request_header_access. Does that sound like a manifestation of
the same bug? The patch looks like it mostly addresses config file
parsing, which seems to be working for me.

Again, thanks for your help. I'm relatively new to working with squid,
so just figuring out a lot of this stuff. One thing that may or may not
be important is that I'm running an 'accel' server, not a conventional
proxy. Not sure if it's important, but I guess some things work
differently in this configuration.

-tucker

Amos Jeffries wrote:
>
> > hello all -
> > I've run into some trouble using the request_header_access directive
> > with an external acl. A snippet of my config file is below:
> >
> > -----
> > external_acl_type check_clientcert children=1 concurrency=0 ttl=3
> > negative_ttl=3 %USER_CERT_CN /etc/squid3/helper.pl
> > acl matches-clienttest-cert-name external check_clientcert
> > clienttest-cert-name
> >
> > #http_access allow matches-clienttest-cert-name
> > #http_access deny all
> > request_header_access User-Agent deny matches-clienttest-cert-name
> > ------
> >
> > If I uncomment the http_access lines, I am only granted access if I
> > present the correct client certificate, so the external acl seems to be
> > configured correctly. I also see lines like
> >
> > -----
> > 2009/03/11 14:12:54.243| helperDispatch: Request sent to
> > check_clientcert #1, 14 bytes
> > 2009/03/11 14:12:54.243| helperSubmit: - clienttest-cert-name
> > -----
> >
> > in the output of squid -X. However, when I run squid with the config
> > file above, the User-Agent header is not removed, and I see no
> > "helperDispatch" or "helperSubmit" in the log output. Can anyone shed
> > some light on why external acls may not be invoked this way?
> >
> >
> > Taking a step back, my larger goal is to run an https accelerator which
> > accepts client-certificate authenticated requests and passes information
> > about the client cert to the origin server. My idea right now is to put
> > the client certificate CN into the User-Agent header, but if anyone has
> > a better idea, my current solution seems pretty hacked together. Thanks
> > for your help.
> >
> > -tucker cunningham
> >
>
> What version of Squid?
>
> 3.x has a small glitch parsing of CERT info.
>
> http://www.squid-cache.org/Versions/v3/3.1/changesets/b9429.patch
>
>
>
> Amos
>
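The helper referenced in the quoted config (/etc/squid3/helper.pl) is not shown in the thread. Below is an added example, written for this page and not the poster's script, of a Squid external ACL helper in Python that implements the stdin/stdout protocol external_acl_type uses: one request per line, consisting of the expanded format values (here only %USER_CERT_CN) followed by the argument(s) from the acl line, answered with "OK" or "ERR". The "- clienttest-cert-name" line in the quoted debug output is what such a helper receives when no client certificate CN is available (Squid substitutes "-"), so the helper below fails closed on it. The accepted CN values, the %-escaping of spaces in the CN, and the channel-ID handling for concurrency>0 (the quoted config uses concurrency=0) are assumptions made for the example. Two caveats for the larger goal described in the thread: request_header_access only allows or denies headers, it does not set them, so whatever forwards the CN to the origin must also strip any client-supplied copy of that header; and the origin must accept the header only from the accelerator, otherwise any client can spoof it.

```python
#!/usr/bin/env python3
"""Squid external ACL helper (added example, not the thread's helper.pl).

Assumed wiring, mirroring the config quoted in the thread:
    external_acl_type check_clientcert ... %USER_CERT_CN /path/to/this/helper
    acl matches-clienttest-cert-name external check_clientcert clienttest-cert-name
Squid then writes lines such as
    Client%20Test clienttest-cert-name      (CN present; space %-escaped: assumption)
    - clienttest-cert-name                  (no client certificate / no CN)
and expects "OK" or "ERR" back, one reply line per request line.
"""
import sys
from urllib.parse import unquote

# Constructed sample policy: acl argument -> set of accepted certificate CNs.
# In production this would come from a file or directory lookup.
POLICY = {
    "clienttest-cert-name": {"Client Test", "clienttest"},
}


def _reply(channel, verdict):
    """Prefix the verdict with the channel ID when concurrency>0 is in use."""
    return verdict if channel is None else f"{channel} {verdict}"


def decide(line, policy=POLICY, concurrent=False):
    """Return the reply line for one helper request line.

    Fails closed ("ERR") on malformed input, on a missing CN ("-"), and on
    any CN that the policy does not list for the given acl argument(s).
    """
    fields = line.rstrip("\r\n").split(" ")
    channel = None
    if concurrent:
        # With concurrency=N (N>0) Squid prepends a channel ID to each line
        # and requires it to be echoed back on the reply.
        if len(fields) < 2:
            return "ERR"
        channel, fields = fields[0], fields[1:]
    if len(fields) < 2:
        return _reply(channel, "ERR")  # no CN and/or no acl argument
    cn_raw, acl_args = fields[0], fields[1:]
    if cn_raw == "-":
        return _reply(channel, "ERR")  # client presented no certificate CN
    cn = unquote(cn_raw)  # assumption: Squid %-escapes spaces in helper input
    if any(cn in policy.get(arg, ()) for arg in acl_args):
        return _reply(channel, "OK")
    return _reply(channel, "ERR")


def serve(stream_in, stream_out, policy=POLICY, concurrent=False):
    """Answer every request line on stream_in; flush after each reply."""
    for line in stream_in:
        stream_out.write(decide(line, policy, concurrent) + "\n")
        stream_out.flush()  # Squid waits on each reply; unbuffered output matters


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Run it by hand with `printf 'Client%%20Test clienttest-cert-name\n- clienttest-cert-name\n' | python3 helper.py`, which should print OK then ERR; with `children=1` as in the quoted config, Squid keeps a single copy of the helper running and the flush after each reply is what keeps that one helper from stalling the proxy.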
Received on Thu Mar 12 2009 - 07:27:31 MDT

This archive was generated by hypermail 2.2.0 : Thu Mar 12 2009 - 12:00:02 MDT