Re: [squid-users] acl to allow sites on SQL or LDAP

From: Eliezer Croitoru <>
Date: Thu, 05 Jul 2012 19:55:14 +0300

On 7/5/2012 3:10 PM, Marcio Merlone wrote:
> On 04-07-2012 22:19, Eliezer Croitoru wrote:
>> the other options are: URL_REWRITE,ICAP,EXTERNAL_ACL.
> Didn't know about ICAP. Sounds the way to go.

>> if you are willing to do the testing with me and build some skeleton
>> for it to fit sysadmins i will be more than happy to work on it.
> Right now my needs are really basic, just a plain group+sites list
> match. But the needs may grow as features become available. :)
well squid and ICAP do have "icap_client_username_header"
that allows the ICAP server to identify the user and based on that the group
but i will need to do some coding to fetch the user filtering group.
i don't know, but if an ldap user is in more than one group it will need
some more coding and database structure plans.
so if you or anyone reading this has some idea on how to implement the
database\table structure to fit multiple groups i'm reading.

i do have one idea but it was meant for filtering and not for group acls:
use filtering levels\weight (numbered) like:
#csv format: domain, weight, 100, 20, 10, 40
#end of csv
i don't have sites in my mind but like a "category" that allowed or
using numbers can benefit the lookup speed in mysql as a base index for
acl match.

if you have lists of sites to allow or deny for a group it will give me
some grounds to think of options.

>> the basic "domain" match is pretty simple to implement and it's kind
>> of done already.
> That's it for now.

ok i have implemented the basic fastest dstdomain acl match method i was
thinking of so we can use either an exact match or a domain wildcard.

>> the next thing to be done is the dstdomain ".example.dom" joker.
>> about regex acls i might use some other technique to load it from
>> DB into memory and only when the DB changed to update the regex into
>> memory.
>> regex is a very slow acl and basically should be used wisely.
> Does your project have a home page? I'll be glad to test and help.
i'm using github to host the stable code:
i haven't released any code regarding the filtering mechanism yet because
it's not polished and messy with notes in it.
i wrote it in ruby.
my TODO list for the project is:
polish the basic mysql\pgsql\mssql\sqlite\ldap simple interface for
usage in the server for queries.
polish my "cache" module.
polish the dstdomain matcher.
ADDED now: write user related code to match a mysql simple userdb.
           write some user code related to ldap users and groups.

i will be glad if you will be able to write a class with a couple of specific
methods to find a user\group(match) in ldap.

i think i will write some basic html file on the project.


Eliezer Croitoru
IT consulting for Nonprofit organizations
eliezer <at>
Received on Thu Jul 05 2012 - 16:55:25 MDT
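
The dstdomain matching discussed in this message (an exact host or a ".example.dom" wildcard), combined with users who belong to several groups, as an added example that is not the author's code or part of the original post. The class and method names, the in-memory tables standing in for the SQL/LDAP lookups, and the allow-if-any-group policy are assumptions.

```ruby
require 'set'

# Added example: dstdomain-style list with exact and ".domain" wildcard entries.
class DstDomainList
  def initialize(entries)
    @exact = Set.new   # "host.example.dom"  -> that host only
    @wild  = Set.new   # ".example.dom"      -> the domain and every subdomain
    entries.each do |entry|
      entry = normalize(entry)
      entry.start_with?('.') ? @wild << entry[1..-1] : @exact << entry
    end
  end

  # Hash lookups only, one per label, so cost does not grow with list size.
  def match?(host)
    host = normalize(host)
    return false if host.empty?
    return true if @exact.include?(host)
    labels = host.split('.')
    # Compare whole-label suffixes so "notexample.dom" never matches ".example.dom".
    labels.each_index.any? { |i| @wild.include?(labels[i..-1].join('.')) }
  end

  private

  # Case-insensitive, and a trailing root dot is ignored.
  def normalize(name)
    name.to_s.strip.downcase.chomp('.')
  end
end

# Constructed sample data (hypothetical) standing in for the database/LDAP queries.
GROUP_SITES = {
  'staff'   => DstDomainList.new(['.example.dom', 'intranet.example.net']),
  'finance' => DstDomainList.new(['bank.example.org'])
}
USER_GROUPS = { 'alice' => %w[staff finance], 'bob' => %w[staff] }

# A user may be in more than one group: allow when any group's list matches.
# Unknown users and unknown groups fall through to deny.
def allowed?(user, host)
  USER_GROUPS.fetch(user, []).any? do |group|
    list = GROUP_SITES[group]
    list && list.match?(host)
  end
end
```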
