Re: [squid-users] ICAP and "selecting" corresponding adaption_access for response via ACL based on the original destination domain

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 01 Mar 2013 09:33:30 -0700

On 03/01/2013 07:52 AM, Martin Sperl wrote:

> As you have mentioned, adding the acls based on unmodified requests would be helpful...

I did not mention that (not intentionally anyway). While it would be
possible to nearly double the number of ACLs (or introduce more ACL
scopes) so that the new ones can apply to virgin messages, I do not
think it is such a good idea because

a) in most cases the entire virgin message header is not important --
the admin just needs a way to remember some decision based on that
header -- and that is what annotations are designed to do

b) when multiple message adaptations are applied, there is more than
just virgin and adapted headers: there is a virgin header, an adapted by
service1 header, an adapted by service2 header, and the final header
adapted by service3.

> As for notes/annotations - the man pages do not mention any of this
> at least in "acl" (http://www.squid-cache.org/Doc/config/acl/).

True, but they do exist in various stages of acceptance and development.
The "note" directive is in the v3.3 branch (I did not check whether it
was released in v3.3.1 but it should be in the daily snapshots) and the
"note" ACL patch got stuck, waiting for squid-dev consensus on how to
fix the underlying annotation code.

> Also
> there would be the need to allow to set/modify those notes from the
> config (similar to request_header_access/rewrite)

Exactly. That is what the "note" directive does, but it is currently not
flexible enough because it is only applied before transaction logging.

Cheers,

Alex.

> -----Original Message-----
> From: Alex Rousskov [mailto:rousskov_at_measurement-factory.com]
> Sent: Friday, 01 March 2013 00:37
> To: Martin Sperl
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] ICAP and "selecting" corresponding adaption_access for response via ACL based on the original destination domain
>
> On 02/28/2013 08:32 AM, Martin Sperl wrote:
>
>> Is there another acltype besides "dstdomain" to match on the
>> unmodified dstdomain instead of the icap-request modified dstdomain?
>
> AFAIK, no.
>
>
>> As a workaround: do I need to set an additional header (via
>> header_access/header_replace or similar) and trigger on this acl
>> (acl ... req_header <headername>) instead of modify_response_a?
>
> Your ICAP service can add that HTTP request header while rewriting the
> request. You may even be able to then filter it out on the way from
> Squid using request_header_access, but whether that will delete it from
> the request that Squid remembers needs to be checked/tested.
>
>
>> Other ideas?
>
> What you may want is annotations that can be set by the ICAP service in
> ICAP response headers, without modifying the HTTP request header. Those
> annotations can then be matched using a "note" ACL. eCAP can do
> something like that already, but I think that Squid ICAP code lacks the
> necessary glue. Eventually, somebody will probably add it.
>
> If you use external helpers for something, they can add annotations as
> well (v3.3?).
>
> Similarly, the "note" option can be enhanced to work before logging.
> This way, the annotations can be added in squid.conf directly.
>
> Or one could add a "such and such adaptation service was used" ACL. It
> would be handy in several use cases.
>
> There are probably other options as well.
>
>
> HTH,
>
> Alex.
>
>
Received on Fri Mar 01 2013 - 16:33:40 MST
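
The request-header workaround discussed in this thread, sketched as a squid.conf fragment. This is an added example, not configuration posted by either participant. The service names, ICAP URIs, the header name X-Orig-Dst-Class and its value are assumptions, and the REQMOD service is assumed to set that header itself.

```conf
# Added example: service names, URIs and the marker header are hypothetical.
icap_enable on

# REQMOD service that rewrites the request. It is assumed to add
#   X-Orig-Dst-Class: scan
# when the ORIGINAL (pre-rewrite) destination domain needs response
# adaptation, and to drop or overwrite any copy of the header sent by the
# client, so the marker cannot be set from outside.
icap_service svc_req  reqmod_precache  icap://127.0.0.1:1344/reqmod  bypass=off

# RESPMOD service that should only run for marked transactions.
icap_service svc_resp respmod_precache icap://127.0.0.1:1344/respmod bypass=off

# dstdomain would see the ICAP-modified destination, so match on the
# marker header carried by the adapted request instead.
acl orig_dst_marked req_header X-Orig-Dst-Class -i ^scan$

adaptation_access svc_req  allow all
adaptation_access svc_resp allow orig_dst_marked
adaptation_access svc_resp deny all

# Keep the marker from reaching the origin server. As noted in the thread,
# whether this also removes it from the request Squid remembers (and so
# breaks the ACL above at response time) has to be tested on your version.
request_header_access X-Orig-Dst-Class deny all
```

Run `squid -k parse` after editing to confirm that the installed version accepts the directives.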
