Re: [squid-users] question on external_acl_type

From: Norio Korekawa <korekawa-norio@dont-contact.us>
Date: Mon, 31 Jan 2005 15:48:25 +0900 (JST)

Hi Scott,

Thank you for your prompt reply.

> > Hello,
> >
> > I have a question on external_acl_type and I hope someone will kindly
> > give me comments or answers.
> >
> > Firstly, my squid is Squid Cache: Version 2.5.STABLE1, I'm running
> > it on Red Hat Linux release 9 (Shrike) and the basic part of my
> > squid.conf is as follows:
> >
> >
> > --- my squid.conf ---
> > auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> >
> > external_acl_type myacltype %LOGIN %SRC %DST %{Referer} %{User-Agent}
> > /usr/lib/squid/myaclhelper.pl
> > acl myacl external myacltype
> >
> > acl user_auth_acl proxy_auth REQUIRED
> > http_access deny !user_auth_acl
>
> I think this should be closer to
>
> http_access allow user_auth_acl myacl
>
> This way it is an AND statement as at the moment it is actually an OR
> statement

I see. I tried your http_access statement above, but the result seemed
to be same. So I think the following 1. and 2. are equivalent, of course,
1. is much better.

1. http_access allow user_auth_acl myacl

2. http_access deny !user_auth_acl
   http_access deny !myacl
   http_access allow all

> > http_access deny !myacl
> > http_access allow all
> > --- my squid.conf ---
> >
> >
> > My question is:
> >
> > It seems that myaclhelper.pl is called by squid, every time new URL
> > is accessed, but is this correct action? I think it should not be
> > called, once myacl passes, that is, myaclhelper.pl returns "OK".
> > In fact, ncsa_auth seems not to be called, once HTTP basic
> > authentication
> > passes...
> >
> There is another option that specifies how long the helper caches it
> data for....
>
> external_acl_type myacltype ttl=600 %LOGIN %SRC %DST %{Referer}
> %{User-Agent} /usr/lib/squid/myaclhelper.pl
>
> Where 600 is the cached answer timer.
>
> For testing I normally set it really low so that the responses are
> almost real-time but in the real world this creates way too much
> overhead.

Yes, I already tried ttl with the following statement, but the result
did not change... If this was true, I think myaclhelper.pl would not
be kicked by squid within one hour after myacl passes. Or is this my
misunderstanding...?

external_acl_type myacltype ttl=3600 negative_ttl=120 %LOGIN %SRC %DST %{Referer} %{User-Agent} /usr/lib/squid/myaclhelper.pl

# ttl=n TTL in seconds for cached results (defaults to 3600
# for 1 hour)

Thanks.
Norio

> > I think my squid.conf has some problems, but I don't know what they
> > are...
> >
> > Any answer would be appreciated.
> > Thanks in advance.
> > Norio
>
>
> This email and any files transmitted with it are confidential and intended solely for the
> use of the individual or entity to whom they are addressed. Please notify the sender
> immediately by email if you have received this email by mistake and delete this email
> from your system. Please note that any views or opinions presented in this email are solely
> those of the author and do not necessarily represent those of the organisation.
> Finally, the recipient should check this email and any attachments for the presence of
> viruses. The organisation accepts no liability for any damage caused by any virus
> transmitted by this email.
Received on Sun Jan 30 2005 - 23:48:45 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:36 MST