Re: [squid-dev] effective acl for tcp_outgoing_address
Hey,

As Alex gave you the technical details.
At runtime of squid there is a sequence of events and acls validation.
http_access is validated as a slow acl first, long before tcp_outgoing_address is happening.
If you will apply a "dummy" rule in the http_access like what Alex has suggested, you would be able to make sure that when the tcp_outgoing_address validation happens a "pre-cooked" (this is how I call it) or a pre-determined session note will be "sticked" to the session details.

This is a simplified:
https://github.com/elico/vagrant-squid-outgoing-addresses/blob/master/shared/squid.conf#L14
squid.conf which includes the usage of a note from a helper that will always match, like "all" should always be true (which is used in Alex's example).

Let me know if it still doesn't make sense.

Eliezer

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] effective acl for tcp_outgoing_address
On 1/19/21 11:35 PM, Hideyuki Kawai wrote:

> I would like to map ip address based on username which is required proxy_auth (kerberos).
> Because, based on the squid docs (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/), tcp_outgoing_address can map based on "username".
> However, such acl types (ident, proxy_auth) are slow type. (http://www.squid-cache.org/Doc/config/acl/)
> So, it seems also can not use to tcp_outgoing_address (I confused.)

You should be discussing this on squid-users, not squid-dev.

I hear several questions in your email:

Q1: Are ident and proxy_auth ACLs slow?

Answer: They are slow when the transaction first encounters them because the first encounter triggers various (slow/asynchronous) authentication procedures. However, IIRC, these ACLs become fast when the same transaction has been successfully authenticated already -- post-authentication, Squid just needs to check whether the already authenticated user matches the name in the ACL parameter. That check can be performed instantaneously.

You may see the first authentication-related rule to have a special REQUIRED keyword instead of a specific user name. Once that rule is (slowly) evaluated for a transaction, that transaction can treat specific authentication ACLs as "fast".

Q2: How to use a slow ACL with a directive that only supports fast ACLs?

Answer: Do not use a slow ACL with a directive that only supports fast ACLs. Instead, use a slow ACL with an earlier directive that supports slow ACLs _and_ remember the result of that earlier evaluation. To remember the result of any ACL evaluation, use annotate_transaction or annotate_client ACLs. To recall that result, use a note ACL.

Every transaction in Squid goes through a series of directives. In most cases, if your directive DF cannot handle slow ACLs, there is an earlier directive DS that can:

 * directive1
 * directive2
 ...
 * http_access
 ...
 * tcp_outgoing_address
 ...
 * directive30
 ...

In many cases, http_access is a directive that is suitable for slow ACL evaluation. YMMV.

Q3: Would not evaluating an ACL in the "wrong" directive change transaction processing?

Answer: By itself, ACL evaluation does not trigger directive application. The directive is applied only if all first-level ACLs in the directive rule match. If necessary, this can be used to successfully evaluate an ACL without triggering the directive application.

For example, the following http_access rule will never match, but, if it is reached (i.e. if http_access is evaluated but all previous rules, if any, do not match), it will annotate the transaction (or the client) as a transaction (or client) that should be using a specific outgoing address.

    acl userIsBob proxy_auth Bob
    acl markToUseAddressX annotate_client address=x
    http_access deny userIsBob markToUseAddressX !all

    acl markedToUseAddressX note address x
    tcp_outgoing_address x markedToUseAddressX

If you need to do many annotations, then you can either create many http_access rules or, using basic boolean logic and all-of and any-of ACLs, it is possible to group all those annotations into one top-level ACL:

    http_access deny annotateAsNeeded !all

Again, nothing is denied here.

HTH,

Alex.
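The annotation approach from the reply above, applied to the security-group requirement in the original question and shown beside the form that fails. This is an added example, not a configuration posted by anyone in the thread; the helper paths, realm, group names, ACL names, the `egress` note key and the 192.0.2.x addresses are assumptions to replace with local values.

```conf
# Added example. Paths, realm, groups, ACL names and addresses are placeholders.

# Requirement 1: Kerberos (Negotiate) authentication.
# Helper path is an assumption; it differs between distributions.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth

# Requirement 2: AD security group lookup through an external helper.
# One external_acl_type per group, so that each lookup has its own ACL.
external_acl_type grp_sales ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g Sales@EXAMPLE.COM
external_acl_type grp_eng ttl=3600 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g Engineering@EXAMPLE.COM

acl authed proxy_auth REQUIRED
acl inSales external grp_sales
acl inEng external grp_eng

# Requirement 3, the form that fails: external ACLs are slow, and
# tcp_outgoing_address only supports fast ACLs.
# tcp_outgoing_address 192.0.2.10 inSales
# tcp_outgoing_address 192.0.2.20 inEng

# Corrected form, step 1: ACLs that always match and, as a side effect,
# attach a note to the transaction when they are evaluated.
acl markSales annotate_transaction egress=sales
acl markEng annotate_transaction egress=eng

# Step 2: evaluate the slow group ACLs in http_access, which supports them.
# ACLs in a rule are checked left to right, so the mark ACL is reached only
# when the group ACL matched. The trailing "!all" never matches, so these
# "deny" rules deny nothing; they exist only to record the annotation.
http_access deny !authed
http_access deny inSales markSales !all
http_access deny inEng markEng !all
http_access allow authed
http_access deny all

# Step 3: recall the recorded result with the fast "note" ACL.
acl egressSales note egress sales
acl egressEng note egress eng
tcp_outgoing_address 192.0.2.10 egressSales
tcp_outgoing_address 192.0.2.20 egressEng
```

Run `squid -k parse` on the edited file before reloading; it reports unknown ACL types, which is how a Squid build without annotate_transaction support shows up.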
Re: [squid-dev] effective acl for tcp_outgoing_address
Dear Mr.Alex,

Thank you very much for your reply.
I have one more question about slow acl type related with tcp_outgoing_address. (I give up the solution based on "AD security group".)

Then, I would like to map ip address based on username which is required proxy_auth (kerberos).
Because, based on the squid docs (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/), tcp_outgoing_address can map based on "username".
However, such acl types (ident, proxy_auth) are slow type. (http://www.squid-cache.org/Doc/config/acl/)
So, it seems also can not use to tcp_outgoing_address (I confused.)

Do you have any comment? If you give some comment my question, it is helpful for my understanding...

== reference (http://www.squid-cache.org/Doc/config/acl/) ==
acl aclname ident [-i] username ...
acl aclname ident_regex [-i] pattern ...
  # string match on ident output [slow]
  # use REQUIRED to accept any non-null ident.

acl aclname proxy_auth [-i] username ...
acl aclname proxy_auth_regex [-i] pattern ...
  # perform http authentication challenge to the client and match against
  # supplied credentials [slow]
  #
  # takes a list of allowed usernames.
  # use REQUIRED to accept any valid username.
  #
  # Will use proxy authentication in forward-proxy scenarios, and plain
  # http authentication in reverse-proxy scenarios
  #
  # NOTE: when a Proxy-Authentication header is sent but it is not
  # needed during ACL checking the username is NOT logged
  # in access.log.
  #
  # NOTE: proxy_auth requires a EXTERNAL authentication program
  # to check username/password combinations (see
  # auth_param directive).
  #
  # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
  # as the browser needs to be configured for using a proxy in order
  # to respond to proxy authentication.
==

Best regards,
Kawai

- h.ka...@ntt.com -
Re: [squid-dev] effective acl for tcp_outgoing_address
If you will provide a squid.conf we can try to use this and give you an example.
Re: [squid-dev] effective acl for tcp_outgoing_address
Dear Amos, Alex, Eliezer,

Thank you for your support.
Sorry for my low experience and knowledge…

Your comment is helpful for me, and could you let me know more about "note" ACL.
I can not understand it, even checking the website.

Q1. Could you let me know about “note” ACL?
Q2. If possible, sample config which is using (combined) “ext_kerberos_ldap_group_acl” and “tcp_outgoing_address” and “note ACL”.

Again, thanks for your support.

Best regards,
Kawai
Re: [squid-dev] effective acl for tcp_outgoing_address
FYI, this use case is why recent versions of kerberos auth helper being used in the OP config produces group= annotations for authenticated users. The note ACL mentioned can check for group SSID any of the fast access checks.

Amos
Re: [squid-dev] effective acl for tcp_outgoing_address
On 1/13/21 7:47 PM, Hideyuki Kawai wrote:

> 1. "external_acl" can not use on tcp_outgoing_address. Because the
> external_acl type is slow. My understanding is correct?

Yes, your understanding is correct. There are cases where a slow ACL "usually works" with a tcp_outgoing_address directive due to ACL caching side effects, and there are many examples on the web abusing those side effects, but you should not rely on such accidents when using modern Squid versions.

> 2. If yes, how to solve my requirement?

Use an annotation approach instead. The "note" ACL is fast, and the external ACL helper can annotate transactions (and connections) in modern Squids. The only difficulty with this approach is to find a directive that satisfies all of the conditions below:

1. supports slow ACLs
2. evaluated after the info needed by the external ACL helper is known
3. evaluated before tcp_outgoing_address

In many cases, http_access is such a directive, but YMMV.

HTH,

Alex.
P.S. FWIW, I can agree with one Eliezer statement on this thread: This thread belongs to squid-users, not squid-dev.
Re: [squid-dev] effective acl for tcp_outgoing_address
Sorry there was a typo.

There are couple of places in the code that check ACLS.

IN -> PROXY PARSERS -> OUT

Fast acls are these for places which we cannot or won't delay the request.
The place which can take slow acls are before the OUT (simplified example above).
You can apply slow ACLS at http_access layer and the notes are staying within the request/session.
But on the OUT stage squid will not "stop" or "hold" the request until the helper will respond.
The IP address choice is in the "kernel" level so we must have the resolution for this "fast" and not "s-l-o-w".

I hope this answers you.
If not .. ask again.

Eliezer

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon
Re: [squid-dev] effective acl for tcp_outgoing_address
Dear Eliezer

Thank you for your reply.
Could you let me ask you about your comment.
"slow acl" can use in tcp_outgoing_address?

Best regards,
Kawai

- h.ka...@ntt.com -
Re: [squid-dev] effective acl for tcp_outgoing_address
It's more of a users question.

Just to clear it out, the tcp_outgoing_address is a fast acl just when the decision is "required".
You can "pre-cook" the value of a specific note when the connection is only at the first http_access level.

An example for a setup which does probably what you want based on htaccess passwords you can find here:
https://github.com/elico/vagrant-squid-outgoing-addresses

It's a vagrant lab which demonstrates this.

Let me know if it helps you or you need clarification.

Eliezer

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon
[squid-dev] effective acl for tcp_outgoing_address
Hi, this is Kawai.
Please let me send inquiry as followings.

### Requirement ###
1. Kerberos auth with Active Directory : auth_param . <- Success
2. "Security group" check which is gotten from AD : external_acl_type ...(using ext_kerberos_ldap_group_acl) <- success
3. Different outgoing IP based on "Security group" : tcp_outgoing_address + external_acl <- fail

### Inquiry ###
1. "external_acl" can not use on tcp_outgoing_address. Because the external_acl type is slow. My understanding is correct?
2. If yes, how to solve my requirement?

Please let me inform your comment and knowledge.
Thanks in advance.

- h.ka...@ntt.com -