[squid-users] External Helper Squid Behavior.

Louis Gonzales wrote:
Dist,
Squid Version: 2.6.STABLE13
OS: Solaris 10
Compiled With:
configure options: '--prefix=/usr/local' '--enable-mempool-debug'
'--enable-xmalloc-statistics' '--enable-devpoll' '--enable-storeio=ufs
aufs' '--enable-icmp' '--enable-delay-pools' '--enable-useragent-log'
'--enable-referer-log' '--enable-ssl' '--disable-http-violations'
'--enable-large-cache-files' '--enable-follow-x-forwarded-for'
'--enable-auth=basic' '--enable-basic-auth-helpers=LDAP'
'--enable-external-acl-helpers=ip_user ldap_group' '--with-pthreads'
'--with-aio' 'CC=/usr/sfw/bin/gcc'
Integrations:
OpenLDAP: 2.3.35

Custom:
External Helper PERL program call: external_acl_type eXhelperI
children=20 %LOGIN %{HOST} /usr/local/etc/squid/eXhelperI.pl
Question(on External Helper EH):
The PERL EH connects to a postgresql database, and checks the LOGIN(user
ID, like 'linuxlouis') and requested HOST(or internet domain, like
www.yahoo.com), if the LOGIN/HOST tuple exist in the database, the EH
returns "OK\n" - permit site - IF, they do not exist in the database,
the EH returns "ERR\n" - deny site.

When the webpage is fetched, usually it contains AD's or images that are
not served from the HOST( like www.yahoo.com, has
http//www.notyahoo.com/*.jpg files ) links as HREF tags in the main
www.yahoo.com page. The result is that even though www.yahoo.com for
LOGIN(linuxlouis) returns "OK\n" these extraneous sources of images/ad's
etc, essentially get caught by Squid, due to the fact that probably the
LOGIN/HOST(linuxlouis/www.notyahoo.com/some/image.jpg) will return ERR,
because for linuxlouis, maybe we don't have www.notyahoo.com as a
permissible site. Squid's behavior is for every HREF/URL embedded in
the HTML content at a given site, Squid passes these also the EH to
verify and rightly so...

"The question" is there a way to permit all of these additional
extraneous sources of images/ad's, as in, is there a way to tell squid,
"check the external helper for the LOGIN/HOST(website), if permitted
'allow all content too?' Or perhaps, should I consider rather using a
custom redirector?

Any ideas would be great... thanks everyone!
Received on Thu Nov 15 2007 - 21:18:22 MST