Re: [squid-users] reply_body_max_size && external_acl

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 12 Jun 2012 18:49:55 +1200

On 12/06/2012 4:15 p.m., Robert Gowty wrote:
> Hi Amos, I have been trying the reply_body_max_size without the !all as you
> suggest, however I get the same outcome - download sizes aren't being
> restricted. We have used this schema with other directives such as
> delay_pools without any problems so we are fairly sure the external
> ACLs are doing everything they should be doing. As I mentioned,
> reply_body_max_size works as expected with other types of ACLs such
> as the proxy_auth example; it does seem the reply_body_max_size and
> external ACLs have a problem working together... any thoughts?

I just clicked .... the external ACL parameter "cache=0" means you are
not storing the external ACL results for later use by other access tests.
There is no way reply_body_max_size can re-run the helper lookup, so no
match. Remove that parameter and your TTL values will start to work.

Amos

>
> cheers
> Rob
>
> On 8 June 2012 17:41, Amos Jeffries wrote:
>> On 8/06/2012 4:50 p.m., Robert Gowty wrote:
>>> I am having problems getting an external acl to work with
>>> reply_body_max_size
>>> The steps I have taken are as follows:
>>> 1. Define the external_acl_type response_size_check_ext_acl_type
>>>
>>> # response_size_check_{pk}_acl pk
>>> external_acl_type response_size_check_ext_acl_type ttl=100
>>> negative_ttl=100 cache=0 children=2 concurrency=20 %EXT_TAG %EXT_LOG
>>> /usr/share/bin/ext_acl_payload_check -c 20 --key=response_size_restriction
>>>
>>> 2. Create a number of ACLs using this type in squid.conf, for example,
>>> then applying it to reply_body_max_size
>>>
>>> acl response_size_13_acl external response_size_check_ext_acl_type 13
>>> http_reply_access allow response_size_13_acl !all
>>> reply_body_max_size 13 MB response_size_13_acl !all
>>
>> The purpose of the "!all" is to prevent the response_size_13_acl match
>> doing an allow. "!all" will always be a false/no-match.
>>
>> So... using it on reply_body_max_size has the same effect of making sure
>> that line is never used.
>>
>> What you need is this:
>>
>> http_reply_access allow response_size_13_acl !all
>> reply_body_max_size 13 MB response_size_13_acl
>>
>> Amos
>
>
>
> --
> Robert Gowty
> CTO
>
> Getbusi
> 1 College Road
> Sandy Bay, TAS, 7005.
>
> Phone: (03) 6226 6268
> www.getbusi.com
Received on Tue Jun 12 2012 - 06:50:08 MDT
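
The behaviour described in the reply above, as an added example (a simplified Python model, not Squid's code and not part of the original thread): a check that cannot call the helper only matches if an earlier check stored the helper's result. The class, method and function names are hypothetical, and the model assumes the http_reply_access line is where the helper is actually consulted.

```python
class ExternalAclModel:
    """Toy model of an external ACL result cache (assumed behaviour, not Squid's code)."""

    def __init__(self, helper, ttl=100, negative_ttl=100, cache=True):
        self.helper = helper              # callable(key) -> bool, stands in for the helper process
        self.ttl = ttl                    # seconds a positive result stays usable
        self.negative_ttl = negative_ttl  # seconds a negative result stays usable
        self.cache = cache                # False models cache=0: results are never stored
        self.entries = {}                 # key -> (result, expiry time)

    def fast_check(self, key, now):
        """A test that cannot run the helper (reply_body_max_size in the thread)."""
        entry = self.entries.get(key)
        if entry is None or now >= entry[1]:
            return None                   # nothing usable stored, so the ACL does not match
        return entry[0]

    def slow_check(self, key, now):
        """A test that may wait for the helper (assumed: the http_reply_access line)."""
        cached = self.fast_check(key, now)
        if cached is not None:
            return cached
        result = self.helper(key)
        if self.cache:
            lifetime = self.ttl if result else self.negative_ttl
            self.entries[key] = (result, now + lifetime)
        return result


def size_limit_applies(cache_enabled, delay=1):
    """True if the '13 MB' line matches `delay` seconds after the helper said yes."""
    model = ExternalAclModel(lambda key: True, cache=cache_enabled)
    key = ("response_size_check_ext_acl_type", "13")   # ACL type and argument from the thread
    model.slow_check(key, now=0)                       # helper lookup happens here
    return model.fast_check(key, now=delay) is True


if __name__ == "__main__":
    print("cache=0      :", size_limit_applies(False))
    print("cache enabled:", size_limit_applies(True))
    print("after ttl=100:", size_limit_applies(True, delay=100))
```

In this model the limit also stops matching once ttl has elapsed without a fresh helper lookup, which is why the ttl values only matter when results are stored.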
