if you will provide a squid.conf we can try to use this and give you an example.
On Fri, Jan 15, 2021, 02:54 Hideyuki Kawai <h.ka...@ntt.com> wrote: > Dear Amos, Alex, Eliezer, > > > > Thank you for your support. > > Sorry for my low experience and knowledge… > > > > Your comment is helpful for me, and could you let me know more about > "note" ACL. > > I can not understand it, even checking the website. > > > > Q1. Could you let me know about “note” ACL? > > Q2. If possible, sample config which is using(combined) > “ext_kerberos_ldap_group_acl” and “tcp_outgoing_address” and “note ACL”. > > > > Again, thanks for your support. > > > > Best regards, > > Kawai > > > > *From:* squid-dev <squid-dev-boun...@lists.squid-cache.org> *On Behalf Of > *?Amos Jeffries? > *Sent:* Friday, January 15, 2021 8:16 AM > *To:* Alex Rousskov <rouss...@measurement-factory.com>; > squid-dev@lists.squid-cache.org > *Subject:* Re: [squid-dev] effective acl for tcp_outgoing_address > > > > FYI, this use case is why recent versions of kerberos auth helper being > used in the OP config produces group= annotations for authenticated users. > The note ACL mentioned can check for group SSID any of the fast access > checks. > > Amos > > > > -------- Original message -------- > From: Alex Rousskov <rouss...@measurement-factory.com> > Date: Fri, 15 Jan 2021, 03:25 > To: squid-dev@lists.squid-cache.org > Subject: Re: [squid-dev] effective acl for tcp_outgoing_address > > On 1/13/21 7:47 PM, Hideyuki Kawai wrote: > > > 1. "external_acl" can not use on tcp_outgoing_address. Because the > > external_acl type is slow. My understanding is correct? > > > Yes, your understanding is correct. There are cases where a slow ACL > "usually works" with a tcp_outgoing_address directive due to ACL caching > side effects, and there are many examples on the web abusing those side > effects, but you should not rely on such accidents when using modern > Squid versions. > > > > 2. If yes, how to solve my requirement? > > Use an annotation approach instead. The "note" ACL is fast, and the > external ACL helper can annotate transactions (and connections) in > modern Squids. The only difficulty with this approach is to find a > directive that satisfies all of the conditions below: > > 1. supports slow ACLs > 2. evaluated after the info needed by the external ACL helper is known > 3. evaluated before tcp_outgoing_address > > In many cases, http_access is such a directive, but YMMV. > > > HTH, > > Alex. > P.S. FWIW, I can agree with one Eliezer statement on this thread: This > thread belongs to squid-users, not squid-dev. > _______________________________________________ > squid-dev mailing list > squid-dev@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-dev > > _______________________________________________ > squid-dev mailing list > squid-dev@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-dev >
_______________________________________________ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev