Re: [squid-users] parent selection via external_acl

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 25 Apr 2003 12:34:58 +0200

fre 2003-04-25 klockan 10.17 skrev Christoph Haas:
> Hi, Squid lovers... :)
>
> I'm already using an external_acl for LDAP group authorisation. Based on
> the LDAP group I would like to chose the parent proxy for this user. Is
> this already possible?

Possible, but not reliable.

> Where may I use the external_acls anyway? I
> remember that in former versions there were hardly any situations (like
> http_preply_access and others) where I external_acls could be used.

acls requiring external lookups (external_acl_type, DNS lookups etc) can
basically only be used reliably in http_access. In most other directives
the acl may fail (false negative) if Squid decides that what it knows is
too old and needs to be verified with the external data source.

In most cases an acceptable level can be found if the acl is first
verified in http_access, but even then there may be occational false
negatives if the TTL of the cached status of the acl expires between
processing of http_access and the other acl driven directive.

This is because it is mainly http_access who can wait for the lookup to
the external data source to complete, the other directives just continue
with a "no" when there is no prior known information or what is known is
too old.

Regards
Henrik

-- 
Free Squid-users support provided by Henrik Nordström <hno@squid-cache.org>
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri Apr 25 2003 - 04:35:11 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:15:30 MST