Re: [squid-users] Problem using external acl with tcp_outgoing_address

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 11 May 2009 01:36:46 +1200

Adam wrote:
> Hello
> I have simple external perl helper program
>
> #!/usr/bin/perl
> $| = 1;
> open(LOG, ">/tmp/squid.log");
> print LOG "RUNNING\n";
> close(LOG);
> while(defined($line = <STDIN>)){
> print "OK\n";
> open(LOG, ">>/tmp/squid.log");
> print LOG "Got: $line\n";
> close(LOG);
> }
>
> It should always return OK
> -------
> In squid.conf there is external_acl_type definition
>
> external_acl_type testacl ttl=0 children=1 %SRC /usr/bin/test.pl
> acl testacl_ext external testacl
>
> It works fine with http_access
>
> http_access allow testacl_ext
> -------
> 2009/05/10 15:17:36.382| ACLChecklist::preCheck: 0xa295d50 checking
> 'http_access allow testacl_ext'
> 2009/05/10 15:17:36.382| ACLList::matches: checking testacl_ext
> 2009/05/10 15:17:36.383| ACL::checklistMatches: checking 'testacl_ext'
> 2009/05/10 15:17:36.383| aclMatchExternal: acl="testacl"
> 2009/05/10 15:17:36.383| cbdWhataReferenceValid: 0xa2a1f98
> 2009/05/10 15:17:36.383| cbdataUnlock: 0xa2a1f98=0
> 2009/05/10 15:17:36.383| aclMatchExternal: testacl = 1
> 2009/05/10 15:17:36.383| ACL::ChecklistMatches: result for 'testacl_ext'
> is 1
> 2009/05/10 15:17:36.383| ACLList::matches: result is true
> -------
> BUT when this acl is invoked from tcp_outgoing_address
>
> tcp_outgoing_address 10.10.12.12 testacl_ext
> -------
> 2009/05/10 15:19:48.406| ACLList::matches: checking testacl_ext
> 2009/05/10 15:19:48.406| ACL::checklistMatches: checking 'testacl_ext'
> 2009/05/10 15:19:48.406| aclMatchExternal: acl="testacl"
> 2009/05/10 15:19:48.407| aclMatchExternal: testacl("127.0.0.1") = lookup
> needed
> 2009/05/10 15:19:48.407| aclMatchExternal: "127.0.0.1": entry=@0, age=0
> 2009/05/10 15:19:48.407| aclMatchExternal: "127.0.0.1": queueing a call.
> 2009/05/10 15:19:48.407| aclMatchExternal: "127.0.0.1": return -1.
> 2009/05/10 15:19:48.407| ACL::ChecklistMatches: result for 'testacl_ext'
> is -1
> 2009/05/10 15:19:48.407| ACLList::matches: result is false
> --------
>
> It is just like it is not executing the helper and returns false every time
>
> So please, anybody! Help me :D

The *_access lines are broken down into two groups:

  - Slow - are able to spend some time waiting for a result. These can
do external lookups, auth etc.

  - Fast - must return a result immediately. No delays are acceptable.
Only connection-related or pre-cached data are usable.

Selection of the outgoing IP is a 'fast' type.

You will need to cache the helper lookup for some time (ttl=,
negative_ttl=) and perform its test in a slow access control, such as
http_access, before it can be used in tcp_outgoing_address.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.7
Received on Sun May 10 2009 - 13:36:55 MDT
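
The change Amos describes, written out as a squid.conf fragment. This is an added example, not part of the original thread: the helper path, ACL names and outgoing address are taken from Adam's post, and the 60-second cache lifetimes are assumed values.

```conf
# Before (from the post): with ttl=0 a helper answer is never usable from
# cache, so the fast tcp_outgoing_address check logs "lookup needed",
# cannot wait for the helper, and evaluates to false.
# external_acl_type testacl ttl=0 children=1 %SRC /usr/bin/test.pl

# After: cache both OK (ttl=) and ERR (negative_ttl=) answers.
# 60 seconds is an assumed value; pick one that matches how quickly the
# helper's decision is allowed to change.
external_acl_type testacl ttl=60 negative_ttl=60 children=1 %SRC /usr/bin/test.pl
acl testacl_ext external testacl

# Slow check: http_access is allowed to wait for the helper, and its
# answer is cached under the %SRC value (the client address).
# This line must actually be evaluated for the request: if an earlier
# http_access rule matches first, the helper is never consulted and the
# cache stays empty for that client.
http_access allow testacl_ext

# Fast check: answered only from the entry cached by the line above.
tcp_outgoing_address 10.10.12.12 testacl_ext
```

When the cached entry has expired or was never created, the fast check still evaluates to false and the request leaves from the default address, so any policy that depends on the outgoing address should treat that as the fallback case.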