[squid-users] Squid 3 external ACL with tag=

From: Scott Horsley <scott.horsley_at_staff.netspace.net.au>
Date: Mon, 05 Jul 2010 11:24:47 +1000

Hi list,

This might be a trivial problem and I'm really hoping I have just overlooked
something rather silly that somebody else can spot.
I am experimenting with external ACL tags at present and have configured the
following acl line-up in my conf.

Comments above each line to get an understanding of what I am trying to
achieve.

# Force a situation where the helper is called
http_access deny password !tag_user
# Defined a matching tag
acl tag_group_blackwhite_b tag tag_group_blackwhite_b
# Allow access if the tag is defined
http_access allow password tag_group_blackwhite_b

Okay, so I should be allowing a user access based on them authenticating and
the tag_group_blackwhite_b tag being set.

My problem is that when trying this approach, I am seeing the following
result.

2010/07/05 10:58:13.930| externalAclLookup: lookup in 'tag_user' for 'user@10.0.0.6 http://foo.com/'
2010/07/05 10:58:13.930| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=1 lastACLResult() = 0 finished() = 0
2010/07/05 10:58:13.931| commio_finish_callback: called for FD 17 (0, 0)
2010/07/05 10:58:13.931| comm_read_try: FD 17, size 8191, retval 30, errno 0
2010/07/05 10:58:13.931| commio_finish_callback: called for FD 17 (0, 0)
2010/07/05 10:58:13.931| helperHandleRead: end of reply found
2010/07/05 10:58:13.931| externalAclHandleReply: reply="OK tag=tag_group_blackwhite_b"
2010/07/05 10:58:13.932| external_acl_cache_add: Adding 'user@10.0.0.6 http://foo.com/' = 1
2010/07/05 10:58:13.932| ACLChecklist::asyncInProgress: 0xc98ef8 async set to 0
2010/07/05 10:58:13.932| ACLChecklist::preCheck: 0xc98ef8 checking 'http_access deny password !tag_user'
2010/07/05 10:58:13.932| ACLList::matches: checking password
2010/07/05 10:58:13.932| ACL::checklistMatches: checking 'password'
2010/07/05 10:58:13.932| ACL::ChecklistMatches: result for 'password' is 1
2010/07/05 10:58:13.932| ACLList::matches: checking !tag_user
2010/07/05 10:58:13.932| ACL::checklistMatches: checking 'tag_user'
2010/07/05 10:58:13.932| aclMatchExternal: tag_user check user authenticated.
2010/07/05 10:58:13.932| aclMatchExternal: tag_user user is authenticated.
2010/07/05 10:58:13.932| aclMatchExternal: tag_user = 1
2010/07/05 10:58:13.932| ACL::ChecklistMatches: result for 'tag_user' is 1
2010/07/05 10:58:13.932| aclmatchAclList: 0xc98ef8 returning false (AND list entry failed to match)
2010/07/05 10:58:13.932| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2010/07/05 10:58:13.932| ACLChecklist::preCheck: 0xc98ef8 checking 'http_access deny password tag_user_black'
2010/07/05 10:58:13.932| ACLList::matches: checking password
2010/07/05 10:58:13.932| ACL::checklistMatches: checking 'password'
2010/07/05 10:58:13.932| ACL::ChecklistMatches: result for 'password' is 1
2010/07/05 10:58:13.932| ACLList::matches: checking tag_user_black
2010/07/05 10:58:13.932| ACL::checklistMatches: checking 'tag_user_black'
2010/07/05 10:58:13.932| aclMatchStringList: checking 'tag_group_blackwhite_b'
2010/07/05 10:58:13.932| aclMatchStringList: 'tag_group_blackwhite_b' NOT found
2010/07/05 10:58:13.932| ACL::ChecklistMatches: result for 'tag_user_black' is 0
2010/07/05 10:58:13.932| aclmatchAclList: 0xc98ef8 returning false (AND list entry failed to match)
2010/07/05 10:58:13.932| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0

The interesting lines are

externalAclHandleReply: reply="OK tag=tag_group_blackwhite_b"
which, if my understanding is correct, should have defined
tag_group_blackwhite_b.

and...

aclMatchStringList: 'tag_group_blackwhite_b' NOT found
ACL::ChecklistMatches: result for 'tag_user_black' is 0

Which is now telling me that the tag was not set.

Calling tag_user in the http_access line would clear this up but shouldn't
the tag be present from the moment it is defined throughout the request? I
am trying to use this as a way to prevent lookups to the helper as much as
possible.

example: http_access allow password tag_user tag_group_blackwhite_b

Sorry if this is rather a silly question.

Scott
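For readers who want to see the helper side of the exchange in the trace above (the request key the helper receives and the "OK tag=..." reply it sends back), here is a minimal external ACL helper as an added example. It is not Scott's helper and not part of Squid. It assumes a hypothetical external_acl_type line of the form `external_acl_type tag_user %LOGIN %SRC %URI /usr/local/bin/tag_helper.py`, so each request line is "<login> <src> <uri>"; the user-to-tag table and the sample request lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper replying "OK tag=<tag>" or "ERR".

Added example, not Scott's helper and not Squid code. Assumed (hypothetical)
squid.conf line:
    external_acl_type tag_user %LOGIN %SRC %URI /usr/local/bin/tag_helper.py
so each request line read from stdin looks like "user 10.0.0.6 http://foo.com/".
"""
import sys
from urllib.parse import unquote

# Constructed lookup table for the example; a real helper would consult a
# group database or directory instead.
USER_TAGS = {
    "user": "tag_group_blackwhite_b",
    "alice": "tag_group_blackwhite_a",
}


def parse_request(line):
    """Split one request line into (login, remaining_fields).

    Squid %-escapes each field it sends to the helper, so every field is
    unquoted here. Only the login is needed for the tag decision; the rest
    (source IP, URI) is returned untouched for callers that want it.
    """
    fields = [unquote(f) for f in line.strip().split(" ") if f]
    if not fields:
        raise ValueError("empty request line")
    return fields[0], fields[1:]


def handle_request(line, table=USER_TAGS):
    """Return the single-line reply Squid expects for one request line.

    "OK tag=<tag>" makes the acl match and attaches the tag annotation to
    the request; "ERR" makes it fail, so in the poster's config the
    'http_access deny password !tag_user' line would then apply.
    """
    try:
        login, _rest = parse_request(line)
    except ValueError:
        return "ERR"
    tag = table.get(login)
    if tag is None:
        # Unknown user: no tag is attached, so a `tag` ACL cannot match later.
        return "ERR"
    return "OK tag=%s" % tag


def main():
    # Squid sends one request per line and blocks until it reads one reply line,
    # so the reply must be newline-terminated and flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand with a constructed request such as `echo 'user 10.0.0.6 http://foo.com/' | ./tag_helper.py` to confirm it answers `OK tag=tag_group_blackwhite_b`; the reply string is exactly what appears in the `externalAclHandleReply` line of the trace. Whether a later `acl ... tag` line can see that annotation without re-evaluating the external ACL is the question of the thread and is not answered by the helper itself.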

Received on Mon Jul 05 2010 - 01:24:52 MDT
