--MimeMultipartBoundary
Content-Type: text/plain; charset=us-ascii
Oh well. And Alex Rousskov writes:
-
- Cache-control controls caching and storage, not access permissions, IMHO.
Good point. I tend to ignore the use of non-caching proxies.
- My concern is that a cache will not serve it to another [local] _cache_
- unless you list all the local caches in "Access-restricted" field.
That's just fine for me. A fairly short sequence of IP/netmask pairs
would catch everyone I need. I'd argue that if that isn't true, your
definition of local is lousy. Lots of non-local caches will naturally
cause a huge header line.
- Unfortunately, adding memory-resident metadata will increase memory
- requirements for Squid.
I know. It's the classic time / space tradeoff: store the ACLs (why
have multiple ACL-like things?) or rebuild them from the document
every time.
I was thinking that each StoreEntry would contain a handle to an ACL
(or just a unique request ID). These particular ACLs I'd relegate to
a particular storage area. They'd get shuffled out in some order and
could be re-built from the stored header if the ACL wasn't there. The
capability for re-building would be necessary to recover from a crashed
squid, anyways.
At that point, I realized keying off `/restricted/' in the URL and
just re-directing to a non-accelerated virtual host was soooo much
simpler, and certainly more general. The restricted server could
also set all the appropriate headers to no-cache values, too. Just
not a scalable solution.
- IMHO, HTTP should be used by machines and programmers, not human
- beings. :)
If I were inhuman, I'd probably be more efficient. ;)
Really, though, I like being able to look at a header and decypher it
quickly. I can adapt to funkier formats (slowly getting used to the
egcs C++ name-mangling), but it takes much longer.
Anyone who suggests XML for an ACL will be shot. ;)
- I would vote for X-Acl or Access-Control. A much cleaner solution, IMHO.
And not proxy-specific. An asis-handled object in Apache could still
have its headers parsed for access control, concievably.
- Future Squid hackers will be very "thankful" for that :)
Never said anyone else had to use it. Besides, having an implementation
of something is better than having nothing to test.
Right now, my specific problem is in limiting access for a few pages to
our local domain, so I can get away with a really, really simple hack.
Well, actually, I've just been told I don't need to worry about it.
I'm still interested in the bigger solution, though.
Jason
--MimeMultipartBoundary--
Received on Tue Jul 29 2003 - 13:15:48 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:11:45 MST