Re: [squid-users] Is external_acl_type must under authentication mode?

From: NetSnake <netsnakecn_at_gmail.com>
Date: Wed, 14 Jan 2009 14:29:11 +0800

I added http_access before my cache_peer_access; no effect.

2009/1/14 Amos Jeffries <squid3_at_treenet.co.nz>:
> NetSnake wrote:
>>
>> You mean I need to set http_access allow all first?
>> I tried that, but still no effect.
>> Does anybody have a simple and good squid.conf configuration file
>> with external_acl_type and cache_peer_access?
>
> No I mean:
> http_access deny ipaddress
> or
> http_access allow ipaddress
>
> or some such blocking access check that _uses_ the ipaddress ACL before
> cache_peer_access gets it.
>
> Amos
>
>>
>> thanks a lot.
>>
>>
>> 2009/1/14 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>
>>> NetSnake wrote:
>>>>
>>>> Actually, I defined a cache_peer named host1 as this:
>>>> cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
>>>>
>>>> and I defined an ACL named ipaddress:
>>>> acl ipaddress external checkip
>>>>
>>>> and then I defined the access rule, to deny access to hosts through my
>>>> checkip script.
>>>> cache_peer_access host1 deny ipaddress
>>>>
>>>> And I found my script is already running after squid is up, and it can
>>>> write data to the file.
>>>> But it looks like squid just starts up my script, and never calls it when a
>>>> connection arrives.
>>>
>>> cache_peer_access is a fast-ACL check. It cannot wait for delayed actions
>>> such as remote helpers to reply.
>>>
>>> It's also only checked after the request has been accepted.
>>> You need to use your ACL in an http_access line first. Which will check it
>>> early, and cache the result long enough for the peer checks to use.
>>>
>>> Amos
>>>
>>>> BTW, No SELinux running on my box.
>>>>
>>>> thanks.
>>>>
>>>> 2009/1/14 Chris Robertson <crobertson_at_gci.net>:
>>>>>
>>>>> NetSnake wrote:
>>>>>>
>>>>>> Hi all,
>>>>>> I want to use external_acl_type to distribute my users to different
>>>>>> servers; these users do NOT need authentication.
>>>>>> Squid starts my application, but when I access a special host, no
>>>>>> data is sent to my program from Squid.
>>>>>> My program is a very simple script, and when I use an existing
>>>>>> application such as ip_user_check, there is still no action.
>>>>>> My squid configuration is:
>>>>>> external_acl_type checkip concurrency=0 ttl=0 children=1 %SRC /usr/local/squid/libexec/checkip.pl
>>>>>> http_port 80 accel vhost vport
>>>>>> cache_peer www.myhost.com parent 80 0 no-query no-digest originserver name=host1
>>>>>> acl ipaddress external checkip
>>>>>> cache_peer_access www deny ipaddress
>>>>>>
>>>>> There is no cache_peer defined as "www". There is one defined as
>>>>> "www.myhost.com". Perhaps that's a typo in the obfuscation of your
>>>>> squid.conf. Are you sure the checkip.pl script is runnable by the
>>>>> squid_effective_user? Does /tmp/squid.log exist? If so, is it writeable
>>>>> by the squid_effective_user? Are you running SELinux or AppArmor?
>>>>>
>>>>>> ...
>>>>>>
>>>>>> My program is very simple:
>>>>>> cat checkip.pl
>>>>>> #!/usr/bin/perl
>>>>>> $| = 1;
>>>>>> open(LOG, ">/tmp/squid.log");
>>>>>> print LOG "RUNNING\n";
>>>>>> close(LOG);
>>>>>> while(defined($line = <STDIN>)){
>>>>>> print "OK\n";
>>>>>> open(LOG, ">>/tmp/squid.log");
>>>>>> print LOG "Got: $line\n";
>>>>>> close(LOG);
>>>>>> }
>>>>>>
>>>>>>
>>>>>> So I wonder: must external_acl_type be used under authentication mode?
>>>>>>
>>>>>> thanks in advance.
>>>>>>
>>>>> Chris
>>>>>
>>>
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
>>> Current Beta Squid 3.1.0.3
>>>
Received on Wed Jan 14 2009 - 06:29:18 MST
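
An added example, not part of the thread and not Squid project code: a helper for the `%SRC` format with `concurrency=0` that answers one `OK` or `ERR` per request line and never matches on malformed input. The networks are constructed sample values, the helper path is a placeholder, and the squid.conf ordering in the docstring is an assumption based on Amos's advice above.

```python
#!/usr/bin/env python3
"""External ACL helper for Squid (added example, not from the thread).

Assumed squid.conf ordering, following Amos's reply (ACL and peer names are
the ones used in the thread; the helper path is a placeholder):

    external_acl_type checkip concurrency=0 children=1 %SRC /path/to/helper
    acl ipaddress external checkip
    # The helper is consulted here, before any peer is selected.
    # Use allow or deny as your access policy requires.
    http_access allow ipaddress
    # Fast check, evaluated after the request has been accepted.
    cache_peer_access host1 deny ipaddress
"""
import ipaddress
import sys

# Constructed sample networks; replace with the sources the ACL should match.
MATCH_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("192.0.2.0/24", "2001:db8::/32")]


def decide(line):
    """Return 'OK' if the %SRC address on this line matches, else 'ERR'."""
    fields = line.split()
    if len(fields) != 1:        # concurrency=0 with %SRC: exactly one field
        return "ERR"
    try:
        addr = ipaddress.ip_address(fields[0])
    except ValueError:          # malformed input never matches
        return "ERR"
    return "OK" if any(addr in net for net in MATCH_NETWORKS) else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer one line per request until the input pipe is closed."""
    for line in stdin:
        stdout.write(decide(line) + "\n")
        stdout.flush()          # same purpose as $| = 1 in the Perl script


if __name__ == "__main__":
    serve()
```

Piping a few addresses into the script by hand shows whether the helper itself answers, separately from whether Squid ever calls it.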
