Re: [squid-users] Dstdomain from external ACL

2023-07-23 Thread Alexeyяр Gruzdov
Hello!

To get it working I used the following:

1. In squid.conf
   external_acl_type ext_proxy_url_acl_type ttl=10 children-max=30 children-startup=5 ipv4 %LOGIN %DST /etc/squid/ext_helper/ext_acl_urls.py
2. Inside of my acl_url_direct.conf
   acl proxy_direct_url_mark_acl external ext_proxy_url_acl_type
   acl proxy_direct_url_acl note url_name passed
3. Inside of http_acces.conf

   http_access deny proxy_direct_url_mark_acl !all

4. My own helper reads the incoming arguments (login and dst url)
and then checks the url in the DB, then replies something like:
 OK url_name=passed   (if url is in DB)
 or
 ERR
   And of course, if I get the OK, I can use the acl called
"proxy_direct_url_acl" in the policy I want.

My case as a whole is to pass the URLs to the cache_peers, but some URLs
must be proxied on the server (without forwarding to the cache_peers).
So I was curious to know how squid parses these URLs (to prevent
problems in the future).



Best Regards.
Alexey

On Sat, 22 Jul 2023 at 12:12, Amos Jeffries wrote:

> On 22/07/23 17:20, Alexeyяр Gruzdov wrote:
> > Wow…
> > Thank you so much !
> >
> > For now I used a simple .py script that checks if url is in table and
> > sends reply OK or ERR, depending on the result.
> >
> > But allow me to ask you - how does squid parse the url???
> > I think it uses the regexp, is that true???
>
> All parsers in the 'squid' binary perform full parse with validation.
>
>
> >
> > Because, for example, if I add the url to the DB like example.com
> > (base url name),
> > and if the proxy request is even to example.com/page1/
> > - this will be matched. That’s great.
> >
>
> Oh, there are many moving parts involved there.
>
> First is the HTTP request URL that Squid received, it could be any of
> origin-form, authority-form, or relative-url.
>
> (... probably you configured Squid to only send the URL domain name to
> the helper.)
>
> Second is what details you configured the external_acl_type directive to
> pass on.
>
> Third is how the helper receives its input. The helper I suggested uses
> Perl string split to separate the concurrency channel-ID from the UID
> portion and pack("H*",...) for binary safety.
>
> Fourth is how the helper is using its input to look up the database.
>   The helper I suggested uses SQL "=" operator, whose matching is
> string-wise exact equality.
>
> As far as I know only the Perl string split is potentially using regex,
> but not in any way which would cause the behaviour you describe.
>
> If you are still using your own custom helper, look into how it is doing
> those third and fourth things.
>
>
> HTH
> Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
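
A minimal helper of the kind described in the message above, as an added example that is not the poster's script and not Squid project code. It assumes SQLite storage, a hypothetical table direct_hosts(host) and database path, and no concurrency= option (so request lines have no channel-ID prefix); the destination host is normalised and then matched by exact equality.

```python
#!/usr/bin/env python3
"""External ACL helper sketch for '%LOGIN %DST' request lines.
Assumed, not from the thread: SQLite storage, table direct_hosts(host), and
no concurrency= option, so request lines carry no channel-ID prefix."""
import sqlite3
import sys
from urllib.parse import unquote


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS direct_hosts (host TEXT PRIMARY KEY)")
    return db


def normalise_host(raw):
    """Decode a URL-escaped %DST field and reduce it to a bare lowercase host."""
    host = unquote(raw).strip().lower().rstrip(".")
    # Anything with path, userinfo or whitespace characters is not a bare host.
    if not host or any(c in host for c in "/\\@?# \t"):
        return None
    return host


def handle_line(line, db):
    """Return the reply for one request line: OK with the note, ERR, or BH."""
    fields = line.split()
    if len(fields) != 2:
        return "BH message=bad-input"
    _login, raw_dst = fields
    host = normalise_host(raw_dst)
    if host is None:
        return "ERR"
    # Parameterised exact-equality lookup, as with SQL "=" in the thread:
    # example.com matches neither sub.example.com nor example.com.evil.test.
    row = db.execute("SELECT 1 FROM direct_hosts WHERE host = ?", (host,)).fetchone()
    return "OK url_name=passed" if row else "ERR"


def main():
    db = open_db("/etc/squid/ext_helper/urls.db")  # hypothetical path
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, db) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer output


if __name__ == "__main__":
    main()
```
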


Re: [squid-users] Dstdomain from external ACL

2023-07-22 Thread Amos Jeffries

On 22/07/23 17:20, Alexeyяр Gruzdov wrote:
> Wow…
> Thank you so much !
>
> For now I used a simple .py script that checks if url is in table and
> sends reply OK or ERR, depending on the result.
>
> But allow me to ask you - how does squid parse the url???
> I think it uses the regexp, is that true???

All parsers in the 'squid' binary perform full parse with validation.

> Because, for example, if I add the url to the DB like example.com
> (base url name),
> and if the proxy request is even to example.com/page1/
> - this will be matched. That’s great.

Oh, there are many moving parts involved there.

First is the HTTP request URL that Squid received, it could be any of 
origin-form, authority-form, or relative-url.


(... probably you configured Squid to only send the URL domain name to 
the helper.)


Second is what details you configured the external_acl_type directive to 
pass on.


Third is how the helper receives its input. The helper I suggested uses 
Perl string split to separate the concurrency channel-ID from the UID 
portion and pack("H*",...) for binary safety.


Fourth is how the helper is using its input to look up the database.
 The helper I suggested uses SQL "=" operator, whose matching is
string-wise exact equality.


As far as I know only the Perl string split is potentially using regex,
but not in any way which would cause the behaviour you describe.


If you are still using your own custom helper, look into how it is doing 
those third and fourth things.



HTH
Amos


Re: [squid-users] Dstdomain from external ACL

2023-07-21 Thread Alexeyяр Gruzdov
Wow…
Thank you so much !

For now I used a simple .py script that checks if url is in table and sends
reply OK or ERR, depending on the result.

But allow me to ask you - how does squid parse the url???
I think it uses the regexp, is that true???

Because, for example, if I add the url to the DB like example.com (base url name),
and if the proxy request is even to example.com/page1/ - this
will be matched. That’s great.


Thank you !
Alexey G.

On Sat, 22 Jul 2023 at 10:00, Amos Jeffries  wrote:

> On 21/07/23 00:23, Alexeyяр Gruzdov wrote:
> > Hello.
> >
> > Looks like I found how to do that and this works well for me:
> >
> > The external helper script must check if the url is in DB and answer as
> > OK (if it is) or ERR (if it isn't)
> >
>
> You can probably use the ext_sql_session_acl helper bundled with Squid
> instead of writing your own from scratch.
> See
> 
> for its parameters.
>
> AIUI, you want the --uidcol to be the table of URLs and leave both
> --usercol and --tagcol unset.
>
>
> Amos


Re: [squid-users] Dstdomain from external ACL

2023-07-21 Thread Amos Jeffries

On 21/07/23 00:23, Alexeyяр Gruzdov wrote:
> Hello.
>
> Looks like I found how to do that and this works well for me:
>
> The external helper script must check if the url is in DB and answer as
> OK (if it is) or ERR (if it isn't)

You can probably use the ext_sql_session_acl helper bundled with Squid 
instead of writing your own from scratch.
See 
 
for its parameters.


AIUI, you want the --uidcol to be the table of URLs and leave both 
--usercol and --tagcol unset.



Amos


Re: [squid-users] Dstdomain from external ACL

2023-07-20 Thread Alex Rousskov

On 7/20/23 08:23, Alexeyяр Gruzdov wrote:
> Hello.
>
> Looks like I found how to do that and this works well for me:
>
> The external helper script must check if the url is in DB and answer as
> OK (if it is) or ERR (if it isn't)

External ACL helper protocol is documented at
https://wiki.squid-cache.org/Features/AddonHelpers#access-control-acl

Alex.

> On Thu, 20 Jul 2023 at 11:11, Alexeyяр Gruzdov wrote:
>
> > Hello guys!
> >
> > Could you explain to me the best way - how to get the list of domain
> > names from some external acl and use it in squid.conf for policy? I
> > looked at how to get it working using the external file, but I need to
> > use a script (for example, to save the url in DB).
> > I need to understand the format of the answer from the external
> > helper script - what must it be?
> >
> > Thanks.
> > Alexey



Re: [squid-users] Dstdomain from external ACL

2023-07-20 Thread Alexeyяр Gruzdov
Hello.

Looks like I found how to do that and this works well for me:

The external helper script must check if the url is in DB and answer as OK
(if it is) or ERR (if it isn't)


Best regards
Alexey

On Thu, 20 Jul 2023 at 11:11, Alexeyяр Gruzdov wrote:

> Hello guys!
>
> Could you explain to me the best way - how to get the list of domain names
> from some external acl and use it in squid.conf for policy? I looked at how to
> get it working using the external file, but I need to use a script (for
> example, to save the url in DB).
> I need to understand the format of the answer from the external helper
> script - what must it be?
>
> Thanks.
> Alexey
>


[squid-users] Dstdomain from external ACL

2023-07-20 Thread Alexeyяр Gruzdov
Hello guys!

Could you explain to me the best way - how to get the list of domain names
from some external acl and use it in squid.conf for policy? I looked at how to
get it working using the external file, but I need to use a script (for
example, to save the url in DB).
I need to understand the format of the answer from the external helper
script - what must it be?

Thanks.
Alexey