FYI, this use case is why recent versions of the Kerberos auth helper being used in the OP config produce group= annotations for authenticated users. The note ACL mentioned can check for group SSID in any of the fast access checks.

Amos


-------- Original message --------
From: Alex Rousskov <rouss...@measurement-factory.com>
Date: Fri, 15 Jan 2021, 03:25
To: squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] effective acl for tcp_outgoing_address

On 1/13/21 7:47 PM, Hideyuki Kawai wrote:

> 1. "external_acl" can not use on tcp_outgoing_address. Because the
> external_acl type is slow. My understanding is correct?


Yes, your understanding is correct. There are cases where a slow ACL
"usually works" with a tcp_outgoing_address directive due to ACL caching
side effects, and there are many examples on the web abusing those side
effects, but you should not rely on such accidents when using modern
Squid versions.


> 2. If yes, how to solve my requirement?

Use an annotation approach instead. The "note" ACL is fast, and the
external ACL helper can annotate transactions (and connections) in
modern Squids. The only difficulty with this approach is to find a
directive that satisfies all of the conditions below:

1. supports slow ACLs
2. evaluated after the info needed by the external ACL helper is known
3. evaluated before tcp_outgoing_address

In many cases, http_access is such a directive, but YMMV.


HTH,

Alex.
P.S. FWIW, I can agree with one Eliezer statement on this thread: This
thread belongs to squid-users, not squid-dev.
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
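
The annotation approach described in the thread, as an added example (not code from the thread or from the Squid project): a hypothetical external ACL helper keyed on the login name that returns a custom `egress_` annotation, with the assumed squid.conf wiring in its docstring. The helper path, ACL names, addresses, user map and the `egress_` key are all assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical external ACL helper: annotate a transaction for egress routing.

Assumed squid.conf wiring (names, path and addresses are illustrative; check
the format codes against your version's external_acl_type documentation):

    external_acl_type egress_lookup ttl=300 %LOGIN /usr/local/bin/egress_helper.py
    acl annotate_egress external egress_lookup
    # Slow ACL runs here, before tcp_outgoing_address; "!all" never matches,
    # so this rule only triggers the helper and changes no access decision.
    # Place it ahead of the rule that finally allows the request.
    http_access deny annotate_egress !all
    # Fast "note" ACLs read the annotation the helper attached.
    acl egress_a note egress_ a
    acl egress_b note egress_ b
    tcp_outgoing_address 192.0.2.10 egress_a
    tcp_outgoing_address 192.0.2.20 egress_b
"""
import sys
from urllib.parse import unquote

# Constructed sample mapping: authenticated user -> egress label.
# Labels come only from this table, never from request input, so a client
# cannot inject extra key=value pairs into the helper reply.
EGRESS_BY_USER = {"alice@EXAMPLE.COM": "a", "bob@EXAMPLE.COM": "b"}


def respond(request_line: str) -> str:
    """Build the reply for one request line (helper run without concurrency)."""
    fields = request_line.split()
    if not fields or fields[0] == "-":
        return 'BH message="no user name in request"'
    user = unquote(fields[0])  # Squid URL-escapes format values
    label = EGRESS_BY_USER.get(user)
    if label is None:
        return "ERR"  # no annotation, so no note ACL matches
    # Key names ending in "_" are set aside for admin-defined annotations.
    return f"OK egress_={label}"


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(respond(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

Users without a mapping get no annotation, so no tcp_outgoing_address line matches and Squid falls back to its default outgoing address.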