Re: [squid-users] icap_access and external_acl does not work

From: Christoph Haas <email@dont-contact.us>
Date: Thu, 14 Oct 2004 22:03:55 +0200

On Thu, Oct 14, 2004 at 06:20:07PM +0200, Henrik Nordstrom wrote:
> The FAQ is maintained, but very much relies on users submitting
> additions/changes. The developers are all busy maintaining the Squid
> sources for you.

For me personally? Great. ;) Seriously... I'll prepare a paragraph.

> No, icap_access can only handle fast ACL lookups where all needed
> information is priorly known.
>
> external acls where the lookup has completed and is fresh (ttl not
> expired) are included in this category. The same also applies to any other
> ACL type requiring external lookups (i.e. DNS dependent acls such as dst /
> dstdomain / srcdomain)
>
> The workaround is not 100% reliable. There is a small window where the ttl
> of the information the acl depends on may expire between http_access and
> icap_access (or whatever other "only fast acls" directive). But with
> properly selected ttls, and graceful fallbacks if the acl lookup fails
> then this shouldn't be much of an issue.

Just to be sure: when I run through an "http_access allow ldapgroup42"
wouldn't then the cache be refreshed? So if I do the icap_access right
after that I would always have this information in the cache, right?
(Assumed that the TTL is greater than the time needed to lookup the LDAP
group. My TTL is set to 60 seconds.)

I also assume that this behavior will not be removed shortly. Right?

I'm about to use this setup in production; that's why I'd like to make it
clear for myself. Thanks.

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--                3,41         All
Received on Thu Oct 14 2004 - 14:04:01 MDT
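
The TTL window discussed in this message, as an added example that is not part of the original post and is not Squid source code. It is a toy model: the class and function names, the 0.2 s helper latency, the 0.01 s gap between the two checks and the `in_group42` stand-in for the LDAP helper are all assumptions made for illustration.

```python
# Added illustration: a toy model of the TTL window, not Squid source code.
from dataclasses import dataclass, field

@dataclass
class ExternalAclCache:
    ttl: float                                   # seconds, like the 60 s TTL in the message
    entries: dict = field(default_factory=dict)  # user -> (in_group, stored_at)
    helper_calls: int = 0

    def fresh(self, user, now):
        """Return the cached answer, or None when it is missing or expired."""
        hit = self.entries.get(user)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]
        return None

    def slow_check(self, user, now, helper, latency):
        """http_access-style check: may wait for the helper. Returns (answer, time_done)."""
        answer = self.fresh(user, now)
        if answer is None:
            self.helper_calls += 1
            now += latency                       # the request waits for the lookup
            answer = helper(user)
            self.entries[user] = (answer, now)
        return answer, now

    def fast_check(self, user, now):
        """icap_access-style check: cache only, never waits. None means undecided."""
        return self.fresh(user, now)


def icap_decision(cache, user, arrival, helper, latency=0.2, gap=0.01, undecided=True):
    """Run both checks for one request; return (use_icap, was_undecided).

    gap is the assumed delay between the two checks; undecided is the
    fallback applied when the fast check finds no fresh entry.
    """
    _, done = cache.slow_check(user, arrival, helper, latency)
    answer = cache.fast_check(user, done + gap)
    if answer is None:
        return undecided, True
    return answer, False


def in_group42(user):                            # constructed stand-in for the LDAP helper
    return user in {"alice"}
```

In this model a request arriving at 60.195 s finds the entry stored at 0.2 s still fresh in the first check, so no refresh happens, and expired 0.01 s later in the second check; the `undecided` argument is where the fallback policy is chosen.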
