Re: [squid-users] acl to allow sites on SQL or LDAP

From: Marcio Merlone <marcio.merlone_at_a1.ind.br>
Date: Thu, 05 Jul 2012 09:10:54 -0300

On 04-07-2012 22:19, Eliezer Croitoru wrote:
> On 7/4/2012 5:37 PM, Marcio Merlone wrote:
>> I am administering 3 squid 3.0.STABLE19-1ubuntu0.2 proxies on 3
>> different sites, and managed to read group membership on LDAP using
>> external_acl_type and squid_ldap_group without a problem. The last bit I
>> need to make this a dream proxy cluster is also store the allowed sites
>> on LDAP (preferably).
>>
>> I searched the net for something like this, but all I get is about user
>> auth, nothing regarding allowed sites list. Can someone help me find the
>> way for that, if any?
> Squid is loading the acls\rules at startup or reconfiguring.
> Therefore, using regular squid rules you can't use a DB such as LDAP,
> mysql or any other DB. (There are other open options.)
> I wouldn't recommend you use LDAP as a DB for this kind of
> operation because it's pretty slow for it.
>
> The other options are: URL_REWRITE, ICAP, EXTERNAL_ACL.
Didn't know about ICAP. Sounds the way to go.

> I wrote a nice ICAP server that was meant to do url manipulation but
> it seems that it can do much more.
> It uses MYSQL as a temp DB to store and retrieve specific data on urls
> for cache, so it's MYSQL\PG\SQLITE\LDAP ready.
>
> I am working now on an effective way to add a filtering mechanism into it.
> I have a basic model that works.
> This model should be the same for filtering or as ACLS; you will just
> need to change the destination page to any page you want, like "porn is
> not available right now please try this later at home" or other nice
> pages you like.
>
> If you are willing to do the testing with me and build some skeleton
> for it to fit sysadmins, I will be more than happy to work on it.
Right now my needs are really basic, just a plain group+sites list
match. But the needs may grow as features become available. :)

> the basic "domain" match is pretty simple to implement and it's kind
> of done already.
That's it for now.

> The next thing to be done is the dstdomain ".example.dom" joker.
> About regex acls, I might use some other technique to load them from
> the DB into memory, and only when the DB has changed update the regex in
> memory.
>
> Regex is a very slow acl and basically should be used wisely.
Does your project have a home page? I'll be glad to test and help.

-- 
Marcio Merlone
Received on Thu Jul 05 2012 - 12:11:13 MDT
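
The EXTERNAL_ACL option named in the thread, applied to the "plain group+sites list match" with the dstdomain-style ".example.dom" form, could look like the helper below. This is an added example, not code from either poster or from the Squid project; it swaps in SQLite for the database, and the table name, helper path and acl names are assumptions.

```python
#!/usr/bin/env python3
# Assumed squid.conf wiring (names and path are hypothetical):
#   external_acl_type allowed_sites ttl=60 %DST /usr/local/bin/site_acl.py /etc/squid/sites.db
#   acl staff_sites external allowed_sites staff
#   http_access allow ldap_staff staff_sites   # ldap_staff: the existing squid_ldap_group acl
# Squid sends one line per lookup, "<dst-host> <group>", and expects OK or ERR back.
import sqlite3
import sys

# Constructed sample rows, loaded only when no database path is given.
SAMPLE_ROWS = [("staff", ".example.dom"), ("staff", "intranet.test"),
               ("guests", "www.example.dom")]

def open_db(path=None):
    db = sqlite3.connect(path or ":memory:")
    db.execute("CREATE TABLE IF NOT EXISTS allowed_sites (grp TEXT, domain TEXT)")
    if path is None:
        db.executemany("INSERT INTO allowed_sites VALUES (?, ?)", SAMPLE_ROWS)
    return db

def candidates(host):
    """The exact host plus every '.suffix' entry that would cover it."""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(len(labels))]

def is_allowed(db, group, host):
    names = candidates(host)
    marks = ",".join("?" * len(names))
    # Values are bound as parameters; only the placeholder count is formatted in.
    row = db.execute(
        f"SELECT 1 FROM allowed_sites WHERE grp = ? AND domain IN ({marks}) LIMIT 1",
        [group, *names]).fetchone()
    return row is not None

def answer(db, line):
    parts = line.split()
    if len(parts) != 2:
        return "ERR"  # fail closed on a malformed request line
    host, group = parts
    return "OK" if is_allowed(db, group, host) else "ERR"

def serve(db, stdin=sys.stdin, stdout=sys.stdout):
    for line in stdin:
        stdout.write(answer(db, line) + "\n")
        stdout.flush()  # Squid waits on each reply, so never buffer

if __name__ == "__main__":
    serve(open_db(sys.argv[1] if len(sys.argv) > 1 else None))
```

Because Squid caches helper answers for the `ttl` given on the `external_acl_type` line, a row added to or removed from the table takes effect within that interval without a reconfigure.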
