[squid-users] Re: Squid and Splash page

I have these acl settings in my squid.conf

external_acl_type acexternal children=50 ttl=60 negative_ttl=1 %>{X-MYAUTH}
/usr/local/bin/acexternal localhost
acl iceauth external acexternal
http_access allow iceauth
http_access deny all
 
I turned on debug mode and see the following message. I noticed that there
is a message (in red) saying that the externalAclLookup: no need to work...
This custom external acl program should return "OK", but because of "no
wait" situation, it get to the "http_access deny all" acl and the request
got denied

2011/12/28 21:54:38.052| ACL::checklistMatches: checking 'iceauth'
2011/12/28 21:54:38.052| aclMatchExternal:
acexternal("Basic%20bXlLZXk6bXlWYWx1ZQ==") = lookup needed
2011/12/28 21:54:38.052| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==":
entry=@0x23adf58, age=20
2011/12/28 21:54:38.052| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==":
queueing a call.
2011/12/28 21:54:38.052| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==":
return -1.
2011/12/28 21:54:38.052| ACL::ChecklistMatches: result for 'iceauth' is -1
2011/12/28 21:54:38.052| ACLList::matches: result is false
2011/12/28 21:54:38.052| aclmatchAclList: 0x23a5698 returning false (AND
list entry failed to match)
2011/12/28 21:54:38.052| ACLChecklist::asyncInProgress: 0x23a5698 async set
to 1
2011/12/28 21:54:38.052| externalAclLookup: lookup in 'acexternal' for
'Basic%20bXlLZXk6bXlWYWx1ZQ=='
2011/12/28 21:54:38.052| externalAclLookup: looking up for
'Basic%20bXlLZXk6bXlWYWx1ZQ==' in 'acexternal'.
2011/12/28 21:54:38.052| The AsyncCall SomeCommWriteHander constructed,
this=0x49f8e40 [call33951]
2011/12/28 21:54:38.052| comm_write: FD 13: sz 29: asynCall 0x49f8e40*1
2011/12/28 21:54:38.052| helperDispatch: Request sent to acexternal #1, 29
bytes
2011/12/28 21:54:38.052| externalAclLookup: no need to wait for the result
of 'Basic%20bXlLZXk6bXlWYWx1ZQ==' in 'acexternal' (ch=0x23a5698).
2011/12/28 21:54:38.052| externalAclLookup: using cached entry 0x23adf58
2011/12/28 21:54:38.052| externalAclLookup: entry = { date=1325109258,
result=1, user= tag= log=myKey }
2011/12/28 21:54:38.052| ACLChecklist::asyncInProgress: 0x23a5698 async set
to 0
2011/12/28 21:54:38.052| aclmatchAclList: async=1 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2011/12/28 21:54:38.052| ACLChecklist::preCheck: 0x23a5698 checking
'http_access deny all'
2011/12/28 21:54:38.052| ACLList::matches: checking all
2011/12/28 21:54:38.052| ACL::checklistMatches: checking 'all'
2011/12/28 21:54:38.052| aclIpMatchIp: '99.139.51.143:50924' found
2011/12/28 21:54:38.052| ACL::ChecklistMatches: result for 'all' is 1
2011/12/28 21:54:38.052| ACLList::matches: result is true
2011/12/28 21:54:38.052| aclmatchAclList: 0x23a5698 returning true (AND list
satisfied)
2011/12/28 21:54:38.052| ACLChecklist::markFinished: 0x23a5698 checklist
processing finished
2011/12/28 21:54:38.052| ACLChecklist::check: 0x23a5698 match found, calling
back with 0
2011/12/28 21:54:38.052| ACLFilledChecklist::checkCallback: 0x23a5698
answer=0
2011/12/28 21:54:38.052| ACLChecklist::checkCallback: 0x23a5698 answer=0
2011/12/28 21:54:38.052| The request GET
http://ads.cnn.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=300x250_rgt&cnn_rollup=homepage&page.allowcompete=no&params.styles=fs&Params.User.UserID=4ec9e30a00bda60a3d146c5688a5565b&transactionID=3837608671874259&tile=1217729015231&domId=263095
is DENIED, because it matched 'all'

===========
Then I played around the acl and have the following setup using "deny !"
instead of "allow" on iceauth. But then I need to use "allow all" instead of
"deny all"...

external_acl_type acexternal children=50 ttl=60 negative_ttl=1 %>{X-MYAUTH}
/usr/local/bin/acexternal localhost
acl iceauth external acexternal
http_access deny !iceauth
http_access allow all

I noticed that in the debug message, the same "no wait" message above turned
into a "will wait" situation (see below message in red). Since it waits, it
got "OK" returned from the custom acl program.
It seems works for what I need but I need to use "allow all" that I don't
really like.

2011/12/29 22:41:01.847| aclMatchExternal:
acexternal("Basic%20bXlLZXk6bXlWYWx1ZQ==") = lookup needed
2011/12/29 22:41:01.847| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==":
entry=@0xd56828, age=26
2011/12/29 22:41:01.847| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==":
queueing a call.
2011/12/29 22:41:01.847| aclMatchExternal: "Basic%20bXlLZXk6bXlWYWx1ZQ==":
return -1.
2011/12/29 22:41:01.847| ACL::ChecklistMatches: result for 'iceauth' is -1
2011/12/29 22:41:01.847| ACLList::matches: result is false
2011/12/29 22:41:01.847| aclmatchAclList: 0xe09f38 returning false (AND list
entry failed to match)
2011/12/29 22:41:01.847| ACLChecklist::asyncInProgress: 0xe09f38 async set
to 1
2011/12/29 22:41:01.847| externalAclLookup: lookup in 'acexternal' for
'Basic%20bXlLZXk6bXlWYWx1ZQ=='
2011/12/29 22:41:01.847| externalAclLookup: looking up for
'Basic%20bXlLZXk6bXlWYWx1ZQ==' in 'acexternal'.
2011/12/29 22:41:01.847| The AsyncCall SomeCommWriteHander constructed,
this=0xe6dd80 [call25811]
2011/12/29 22:41:01.847| comm_write: FD 13: sz 29: asynCall 0xe6dd80*1
2011/12/29 22:41:01.847| helperDispatch: Request sent to acexternal #1, 29
bytes
2011/12/29 22:41:01.847| externalAclLookup: will wait for the result of
'Basic%20bXlLZXk6bXlWYWx1ZQ==' in 'acexternal' (ch=0xe09f38).
2011/12/29 22:41:01.847| aclmatchAclList: async=1 nodeMatched=0
async_in_progress=1 lastACLResult() = 0 finished() = 0
2011/12/29 22:41:01.847| client_side.cc(2297) connNoteUseOfBuffer:
conn->in.notYetUsed = 0
2011/12/29 22:41:01.847| clientReadSomeData: FD 12: reading request...
2011/12/29 22:41:01.847| The AsyncCall ConnStateData::clientReadRequest
constructed, this=0xeadcf0 [call25812]
2011/12/29 22:41:01.847| comm_read, queueing read for FD 12; asynCall
0xeadcf0*1
2011/12/29 22:41:01.847| ConnStateData status out: [ job2322]
2011/12/29 22:41:01.847| leaving ConnStateData::clientReadRequest(FD 12,
data=0xd89938, size=1377, buf=0xd88dd4)
2011/12/29 22:41:01.847| commHandleWrite: FD 13: off 0, sz 29.
2011/12/29 22:41:01.848| commHandleWrite: write() returns 29
2011/12/29 22:41:01.848| commio_finish_callback: called for FD 13 (0, 0)
2011/12/29 22:41:01.848| comm.cc(165) will call SomeCommWriteHander(FD 13,
data=0xb1fd48, size=29, buf=0xf42980) [call25811]
2011/12/29 22:41:01.848| entering SomeCommWriteHander(FD 13, data=0xb1fd48,
size=29, buf=0xf42980)
2011/12/29 22:41:01.848| AsyncCall.cc(32) make: make call
SomeCommWriteHander [call25811]
2011/12/29 22:41:01.848| leaving SomeCommWriteHander(FD 13, data=0xb1fd48,
size=29, buf=0xf42980)
2011/12/29 22:41:01.848| comm_read_try: FD 13, size 8191, retval 13, errno 0
2011/12/29 22:41:01.848| commio_finish_callback: called for FD 13 (0, 0)
2011/12/29 22:41:01.848| comm.cc(165) will call SomeCommReadHandler(FD 13,
data=0xb1fd48, size=13, buf=0xb1fe10) [call25764]
2011/12/29 22:41:01.848| entering SomeCommReadHandler(FD 13, data=0xb1fd48,
size=13, buf=0xb1fe10)
2011/12/29 22:41:01.848| AsyncCall.cc(32) make: make call
SomeCommReadHandler [call25764]
2011/12/29 22:41:01.848| helperHandleRead: 13 bytes from acexternal #1
2011/12/29 22:41:01.848| helperHandleRead: end of reply found
2011/12/29 22:41:01.848| externalAclHandleReply: reply="OK log=myKey"
2011/12/29 22:41:01.848| external_acl_cache_add: Adding
'Basic%20bXlLZXk6bXlWYWx1ZQ==' = 1
2011/12/29 22:41:01.848| ExternalACLEntry::update: updating existing entry
2011/12/29 22:41:01.848| ACLChecklist::asyncInProgress: 0xe09f38 async set
to 0
2011/12/29 22:41:01.848| ACLChecklist::preCheck: 0xe09f38 checking
'http_access deny !iceauth'
2011/12/29 22:41:01.848| ACLList::matches: checking !iceauth
2011/12/29 22:41:01.848| ACL::checklistMatches: checking 'iceauth'
2011/12/29 22:41:01.848| Ming:aclMatchExternal: not ours entryKey="0xcf7d10"
2011/12/29 22:41:01.848| aclMatchExternal: acexternal = 1
2011/12/29 22:41:01.848| ACL::ChecklistMatches: result for 'iceauth' is 1
2011/12/29 22:41:01.848| ACLList::matches: result is false

- Can you please explain why there is a "no wait" in the 1st setup, but
"will wait" in the 2nd setup?
- I don't want to use "allow all". is there any better way to set the acl to
serve my need?
- Any feedback will be greatly appreciated.

Ming

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-and-Splash-page-tp3473302p4245032.html
Sent from the Squid - Users mailing list archive at Nabble.com.