hrm.. spawning 2 external processes per request when thousands of requests are going through is implausible.. the authentication thing might be a little far fetched (and could be done externally if needed since it would only be spawned if the header was there, although I don't know how such an external process should work, unless there was a daemon which stored all the logged in people, anyway) but spawning an external acl on every single request just to check for a header is a bit excessive, there must be an easy way to match an arbitrary header from inside squid.
I've been looking at the existing header matching acl's, MIMEtype, referer, browser, etc and I'm not sure how to do this without adding headers to enum.h explicitly :(

>>> Robert Collins <[EMAIL PROTECTED]> 08/04/03 04:11PM >>>
On Tue, 2003-08-05 at 06:34, Joshua Brindle wrote:
> Ok, I'm not sure if this makes sense but I have some special needs
> and can't quite figure out how to implement them.

I'm a little short on time right now, but a few thoughts may help you...

Firstly, the latency on an external helper, combined with squid's result caching is /unlikely/ to be an issue - when compared to typical internet site RTT.

Secondly, forms based authentication has been discussed several times here. It's a bit of a 'brew-your-own' solution. You can do it without altering the source: (From memory - look it up in the archives for previous discussions)..

Use a redirector (where you want to trigger authentication) to redirect the user (remember, you can have squid fetch the redirected page itself, preventing squid-client latency) to your webserver with the form logic on it, saving their request (don't forget to take care of POST data!) while you authenticate them, and then pass them back to the original site. Make sure that access to that webserver is also done via squid. Finally, add an external acl that you can pass whatever cookie or url details you set in the forms authentication, and it will provide squid with the login details. Lastly, you just use that acl as normal in your http access rules.

Lastly, checking for your X- headers is trivial via a second external acl.

I suspect you'll find squid-3.0 much easier to accomplish this with.

Cheers,
Rob

--
GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.
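
The header-checking external acl discussed in this thread, sketched as an added example (not code from either poster or from Squid). It assumes the helper is a long-running process that Squid starts once and feeds one line per lookup, that an absent header arrives as `-`, and that values are URL-encoded; the header name `X-Example-Auth`, the helper path and the allowed values are hypothetical.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: allow a request only if a header carries an expected value.

Assumed squid.conf wiring (names and path are hypothetical):
    external_acl_type xhdr ttl=60 children=5 %{X-Example-Auth} /usr/local/bin/check_header.py
    acl has_xhdr external xhdr
    http_access allow has_xhdr
"""
import sys
from urllib.parse import unquote

# Constructed sample policy: the header values this helper accepts.
ALLOWED_VALUES = {"team-a", "team-b"}


def decide(line: str) -> str:
    """Return the reply ("OK" or "ERR") for one lookup line sent by Squid."""
    fields = line.split()
    # Exactly one token is expected; "-" is assumed to mean the header was absent.
    if len(fields) != 1 or fields[0] == "-":
        return "ERR"
    value = unquote(fields[0])
    # Fail closed on control characters smuggled in through URL-encoding.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return "ERR"
    return "OK" if value in ALLOWED_VALUES else "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout) -> None:
    """Answer lookups until Squid closes the pipe; one reply line per request line."""
    for line in stdin:
        stdout.write(decide(line) + "\n")
        stdout.flush()  # Squid blocks on each reply, so never leave it buffered


if __name__ == "__main__":
    serve()
```

Because the process stays resident and Squid caches each answer for the configured `ttl`, the per-request cost is a pipe write and read at most, not a process spawn.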