Re: [squid-users] External ACL tags

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 29 Jul 2014 17:37:35 +1200

On 29/07/2014 4:42 a.m., Steve Hill wrote:
>
> I'm trying to build ACLs based on the tags returned by an external ACL,
> but I can't get it to work.
>
> These are the relevant bits of my config:
>
> external_acl_type preauth children-max=1 concurrency=100 ttl=0
> negative_ttl=0 %SRC %>{User-Agent} %URI %METHOD /usr/sbin/squid-preauth
> acl preauth external preauth
> acl need_http_auth tag http_auth
> http_access allow !tproxy !tproxy_ssl !https preauth
> http_access allow !preauth_done preauth_tproxy
> http_access allow proxy_auth postauth
>
>
>
> I can see the external ACL is being called and setting various tags:
>
> 2014/07/28 17:29:40.634 kid1| external_acl.cc(1503) Start:
> externalAclLookup: looking up for '2a00:1a90:5::14
> Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET' in
> 'preauth'.
> 2014/07/28 17:29:40.634 kid1| external_acl.cc(1513) Start:
> externalAclLookup: will wait for the result of '2a00:1a90:5::14
> Wget/1.12%20(linux-gnu) http://nexusuk.org/%7Esteve/empty GET' in
> 'preauth' (ch=0x7f1409a399f8).
> 2014/07/28 17:29:40.634 kid1| external_acl.cc(871) aclMatchExternal:
> "2a00:1a90:5::14 Wget/1.12%20(linux-gnu)
> http://nexusuk.org/%7Esteve/empty GET": return -1.
> 2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: preauth = -1
> async
> 2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked:
> http_access#7 = -1 async
> 2014/07/28 17:29:40.634 kid1| Acl.cc(177) matches: checked: http_access
> = -1 async
> 2014/07/28 17:29:40.635 kid1| external_acl.cc(1371)
> externalAclHandleReply: reply={result=ERR, notes={message:
> 53d67a74$2a00:1a90:5::14$baa34e80d2d5fb2549621f36616dce9000767e93b6f86b5dc8732a8c46e676ff;
> tag: http_auth; tag: cp_auth; tag: preauth_ok; tag: preauth_done; }}

Hi Steve,
 This is how tag= keys were originally designed to work: only to allow
one tag to be assigned to any HTTP transaction. The tag type ACL and
%EXT_TAG configurations still operate that way.

The "note" ACL type should match against values in the tag key name, the
same as any other annotation. If that does not work, try a different key
name than "tag=".

Amos
Received on Tue Jul 29 2014 - 05:37:48 MDT
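
Added example, not part of the original thread and not Squid's or the poster's own code: a Python sketch of a concurrent external ACL helper that follows the suggestion above by returning each flag under its own annotation key instead of several tag= pairs. The key names, the placeholder decide() policy and the squid.conf lines in the comment are assumptions; the request fields follow the %SRC %>{User-Agent} %URI %METHOD format from the quoted config.

```python
#!/usr/bin/env python3
"""Concurrent external ACL helper sketch (added example, hypothetical names)."""
import sys
from urllib.parse import quote, unquote

# Matching squid.conf lines (assumed; the key names are made up for this example):
#   acl need_http_auth note http_auth 1
#   acl preauth_done   note preauth_done 1

def parse_request(line):
    """Split 'channel %SRC %>{User-Agent} %URI %METHOD' (concurrency > 0)."""
    channel, src, agent, uri, method = line.split()
    # Squid URL-encodes the fields, so decode them before applying any policy.
    return channel, {"src": src, "agent": unquote(agent),
                     "uri": unquote(uri), "method": method}

def format_reply(channel, result, flags, tag=None):
    """Build 'channel RESULT key=value ...' with at most one tag= pair."""
    if result not in ("OK", "ERR", "BH"):
        raise ValueError("unknown result code: %r" % result)
    pairs = ["tag=" + quote(tag, safe="")] if tag is not None else []
    for name in flags:
        # Reject 'tag' so repeated tags cannot slip in, and odd key names.
        if name == "tag" or not name.replace("_", "").isalnum():
            raise ValueError("unsafe annotation key: %r" % name)
        pairs.append(name + "=1")
    return " ".join([channel, result] + pairs)

def decide(request):
    """Placeholder policy: the real decision logic is not shown in the thread."""
    return "ERR", ["http_auth", "cp_auth", "preauth_ok", "preauth_done"]

def handle(line):
    try:
        channel, request = parse_request(line)
    except ValueError:  # wrong field count: report a helper failure
        return line.split()[0] + " BH"
    result, flags = decide(request)
    return format_reply(channel, result, flags)

if __name__ == "__main__":
    for raw in sys.stdin:
        if raw.strip():
            sys.stdout.write(handle(raw) + "\n")
            sys.stdout.flush()  # Squid waits on each reply line
```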
