Re: [squid-users] acl to allow sites on SQL or LDAP

From: Eliezer Croitoru <>
Date: Thu, 05 Jul 2012 04:19:25 +0300

On 7/4/2012 5:37 PM, Marcio Merlone wrote:
> Hi all,
> I am administering 3 squid 3.0.STABLE19-1ubuntu0.2 proxies on 3
> different sites, and managed to read group membership on LDAP using
> external_acl_type and squid_ldap_group without a problem. The last bit I
> need to make this a dream proxy cluster is also store the allowed sites
> on LDAP (preferably).
> I searched the net for something like this, but all I get is about user
> auth, nothing regarding allowed sites list. Can someone help me find the
> way for that, if any?
> Thanks in advance and best regards.
Hey there Marcio,

Squid loads the ACLs\rules at startup or when reconfiguring.
Therefore, using regular Squid rules you can't use a DB such as LDAP, MySQL
or any other DB (there are other open options).
I wouldn't recommend using LDAP as a DB for this kind of operation
because it's pretty slow for it.

The other options are: URL_REWRITE, ICAP, EXTERNAL_ACL.

I wrote a nice ICAP server that was meant to do URL manipulation, but it
seems that it can do much more.
It uses MySQL as a temp DB to store and retrieve specific data on URLs for
cache, so it's MYSQL\PG\SQLITE\LDAP ready.

I am now working on an effective way to add a filtering mechanism to it.
I have a basic model that works.
This model should be the same for filtering or as ACLs; you will just
need to change the destination page to any page you want, like "porn is
not available right now please try this later at home" or other nice
pages you like.

If you are willing to do the testing with me and build some skeleton
for it to fit sysadmins, I will be more than happy to work on it.
The basic "domain" match is pretty simple to implement and it's kind of
done already.

The next thing to be done is the dstdomain ".example.dom" joker.
About regex ACLs, I might use some other technique to load them from the
DB into memory, and update the regex in memory only when the DB has changed.

Regex is a very slow ACL and basically should be used wisely.

Talk with me.


Eliezer Croitoru
IT consulting for Nonprofit organizations
eliezer <at>
Received on Thu Jul 05 2012 - 01:19:34 MDT
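
An added example, not part of the original message and not the ICAP server it describes: a minimal helper for the EXTERNAL_ACL option that answers Squid's per-request lookups from a database, including the dstdomain-style ".example.dom" match on label boundaries. The table name `allowed_sites`, the in-memory SQLite data, the helper path and the squid.conf lines in the comments are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: allow a destination host if a database lists it.

Assumed squid.conf wiring (helper path is hypothetical):
  external_acl_type allowed_sites ttl=60 %DST /usr/local/bin/allowed_sites.py
  acl site_ok external allowed_sites
  http_access allow site_ok
Squid caches each answer for ttl seconds, so DB edits apply without a reconfigure.
"""
import sqlite3
import sys

def candidates(host):
    """Lookup keys for host: the exact name, then every dot-prefixed suffix.
    A stored ".example.com" covers example.com and all of its subdomains."""
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    return [host] + ["." + ".".join(labels[i:]) for i in range(len(labels))]

def is_allowed(db, host):
    """True if any candidate key is present. Values are bound parameters,
    so a hostile Host value cannot alter the SQL statement."""
    keys = candidates(host)
    marks = ",".join("?" * len(keys))
    sql = f"SELECT 1 FROM allowed_sites WHERE domain IN ({marks}) LIMIT 1"
    return db.execute(sql, keys).fetchone() is not None

def open_demo_db():
    """Constructed sample data; a deployment would open its shared database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE allowed_sites (domain TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO allowed_sites VALUES (?)",
                   [(".example.com",), ("intranet.example.org",)])
    return db

def answer(db, line):
    """One request line from Squid (the %DST value) -> 'OK' or 'ERR'."""
    fields = line.split()
    return "OK" if fields and is_allowed(db, fields[0]) else "ERR"

def main():
    db = open_demo_db()
    for line in sys.stdin:           # Squid keeps the helper running
        sys.stdout.write(answer(db, line) + "\n")
        sys.stdout.flush()           # Squid waits for each reply line

if __name__ == "__main__":
    main()
```

Matching on whole labels rather than a plain string suffix is what keeps a host such as badexample.com from passing on the strength of a ".example.com" entry.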
