[squid-users] External ACL tags

From: Steve Hill <steve_at_opendium.com>
Date: Mon, 28 Jul 2014 17:42:54 +0100

I'm trying to build ACLs based on the tags returned by an external ACL,
but I can't get it to work.

These are the relevant bits of my config:

external_acl_type preauth children-max=1 concurrency=100 ttl=0 negative_ttl=0 %SRC %>{User-Agent} %URI %METHOD /usr/sbin/squid-preauth
acl preauth external preauth
acl need_http_auth tag http_auth
http_access allow !tproxy !tproxy_ssl !https preauth
http_access allow !preauth_done preauth_tproxy
http_access allow proxy_auth postauth

I can see the external ACL is being called and setting various tags:

2014/07/28 17:29:40.634 kid1| external_acl.cc(1503) Start:
externalAclLookup: looking up for '2a00:1a90:5::14
Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET' in 'preauth'.
2014/07/28 17:29:40.634 kid1| external_acl.cc(1513) Start:
externalAclLookup: will wait for the result of '2a00:1a90:5::14
Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET' in
'preauth' (ch=0x7f1409a399f8).
2014/07/28 17:29:40.634 kid1| external_acl.cc(871) aclMatchExternal:
"2a00:1a90:5::14 Wget/1.12%20(linux-gnu)
http://nexusuk.org/%7Esteve/empty GET": return -1.
2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: preauth = -1
async
2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked:
http_access#7 = -1 async
2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: http_access
= -1 async
2014/07/28 17:29:40.635 kid1| external_acl.cc(1371)
externalAclHandleReply: reply={result=ERR, notes={message:
53d67a74$2a00:1a90:5::14$baa34e80d2d5fb2549621f36616dce9000767e93b6f86b5dc8732a8c46e676ff;
tag: http_auth; tag: cp_auth; tag: preauth_ok; tag: preauth_done; }}

But then when I test one of the tags, it seems that it isn't set:

2014/07/28 17:29:40.636 kid1| Acl.cc(157) matches: checking !preauth_done
2014/07/28 17:29:40.636 kid1| Acl.cc(157) matches: checking preauth_done
2014/07/28 17:29:40.636 kid1| StringData.cc(81) match:
aclMatchStringList: checking 'http_auth'
2014/07/28 17:29:40.636 kid1| StringData.cc(85) match:
aclMatchStringList: 'http_auth' NOT found
2014/07/28 17:29:40.636 kid1| Acl.cc(177) matches: checked: preauth_done = 0
2014/07/28 17:29:40.636 kid1| Acl.cc(177) matches: checked:
!preauth_done = 1

It looks to me like it's probably only looking at the first tag that the
ACL returned - is this a known bug? I couldn't spot anything in Bugzilla.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com
Direct contacts:
    Instant messager: xmpp:steve_at_opendium.com
    Email:            steve_at_opendium.com
    Phone:            sip:steve_at_opendium.com
Sales / enquiries contacts:
    Email:            sales_at_opendium.com
    Phone:            +44-844-9791439 / sip:sales_at_opendium.com
Support contacts:
    Email:            support_at_opendium.com
    Phone:            +44-844-4844916 / sip:support_at_opendium.com
Received on Mon Jul 28 2014 - 16:43:01 MDT
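
Added example (not part of the original post and not Squid code): a small script that reads debug-level cache.log output in the format quoted above and lists which helper-returned tags were never the value compared by a tag ACL. It assumes each log entry is on one line (the mail-wrapped lines re-joined); the function name and report keys are made up for this example.

```python
import re

# Constructed sample: the cache.log excerpts from the post, wrapped lines
# re-joined and the helper's "message" note replaced by a placeholder.
SAMPLE_LOG = """\
2014/07/28 17:29:40.635 kid1| external_acl.cc(1371) externalAclHandleReply: reply={result=ERR, notes={message: PLACEHOLDER; tag: http_auth; tag: cp_auth; tag: preauth_ok; tag: preauth_done; }}
2014/07/28 17:29:40.636 kid1| Acl.cc(157) matches: checking !preauth_done
2014/07/28 17:29:40.636 kid1| Acl.cc(157) matches: checking preauth_done
2014/07/28 17:29:40.636 kid1| StringData.cc(81) match: aclMatchStringList: checking 'http_auth'
2014/07/28 17:29:40.636 kid1| StringData.cc(85) match: aclMatchStringList: 'http_auth' NOT found
2014/07/28 17:29:40.636 kid1| Acl.cc(177) matches: checked: preauth_done = 0
2014/07/28 17:29:40.636 kid1| Acl.cc(177) matches: checked: !preauth_done = 1
"""

REPLY_RE = re.compile(r"externalAclHandleReply: reply=\{result=(\w+), notes=\{(.*)\}\}")
NOTE_RE = re.compile(r"(\w+): ([^;]*);")            # one "key: value;" note
ACL_RE = re.compile(r"matches: checking (\S+)$")     # ACL about to be evaluated
COMPARE_RE = re.compile(r"aclMatchStringList: checking '([^']*)'")
RESULT_RE = re.compile(r"matches: checked: (\S+) = (-?\d+)")


def correlate(log_text):
    """Relate tags returned by the helper to the values later compared by ACLs."""
    report = {"result": None, "tags": [], "compared": [], "results": {}}
    current_acl = None
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := REPLY_RE.search(line):
            report["result"] = m.group(1)
            report["tags"] = [v.strip() for k, v in NOTE_RE.findall(m.group(2))
                              if k == "tag"]
        elif m := COMPARE_RE.search(line):
            # Attribute the comparison to the most recently announced ACL.
            report["compared"].append((current_acl, m.group(1)))
        elif m := RESULT_RE.search(line):
            report["results"][m.group(1)] = int(m.group(2))
        elif m := ACL_RE.search(line):
            current_acl = m.group(1)
    seen = {value for _, value in report["compared"]}
    report["never_compared"] = [t for t in report["tags"] if t not in seen]
    return report


if __name__ == "__main__":
    r = correlate(SAMPLE_LOG)
    print("helper returned tags:", r["tags"])
    print("values compared     :", r["compared"])
    print("never compared      :", r["never_compared"])
```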
