On 22/12/10 12:44, Nils Hügelmann wrote:
> Hi all,
>
> i have the following setup: [irrelevant parts left out]
>
> auth_param basic [...]
> external_acl_type premium children-startup=1 %LOGIN [...]
>
>
> acl premiumacl external premium
> acl authenticated proxy_auth REQUIRED
>
>
> #http_access allow premiumacl
> http_access allow authenticated
> http_access deny all
>
>
> delay_pools 2
> delay_class 1 4
> delay_class 2 4
>
> delay_parameters 1 -1/-1 -1/-1 -1/-1 2000/100000
> delay_access 1 deny premiumacl
> delay_access 1 allow authenticated
> delay_access 1 deny all
>
> delay_parameters 2 -1/-1 -1/-1 -1/-1 200000/10000000
> delay_access 2 allow premiumacl
> delay_access 2 deny all
>
>
> all users have to authenticate using the basic auth, and all users login
> names must be checked by the external_acl to determine the correct delay
> pool they belong to.
> Problem: it doesn't work in the above setup, although expected: all
> basic-authenticated users get the delay_pool 1, my external_acl helper
> is not queried.
>
> Only if i enable "http_access allow premiumacl" to make an unneccessary
> check for http_access,
> squid polls the external_acl and everything works fine..
>
> I'm not sure if this is a bug or something i don't understand yet,
> please help me:-)
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Fast_and_Slow_ACLs
external ACL is a "slow" group ACL and delay_access is a "FAST" group
access control directive.
You do need to add "http_access allow premiumacl" like you found. In
order to prevent it causing authentication challenges or affecting the
actual allow/deny you tack "!all" on the end:
http_access allow premiumacl !all
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.9 Beta testers wanted for 3.2.0.3Received on Wed Dec 22 2010 - 03:47:44 MST
This archive was generated by hypermail 2.2.0 : Wed Dec 22 2010 - 12:00:03 MST