Sorry there was a typo. There are couple of places in the code that check ACLS. IN -> PROXY PARSERS -> OUT
Fast acls are these for places which we cannot or won't delay the request. The place which can take slow acls are before the OUT(simplified example abvoe). You can apply slow ACLS at http_access layer and the notes are staying withing the request/session. But on the OUT stage squid will not "stop" or "hold" the request until the helper will respond. The IP address choice is in the "kernel" level so we must have the resolution for this "fast" and not "s-l-o-w". I hope this answers you. If not .. ask again. Eliezer ---- Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com Zoom: Coming soon -----Original Message----- From: Hideyuki Kawai <h.ka...@ntt.com> Sent: Thursday, January 14, 2021 2:22 PM To: Eliezer Croitoru <ngtech1...@gmail.com> Cc: squid-dev@lists.squid-cache.org Subject: RE: [squid-dev] effective acl for tcp_outgoing_address Dear Eliezer Thank you for your reply. Could you let me ask you about your comment. "slow acl" can use in tcp_outgoing_address? Best regards, Kawai ------------------------------------- h.ka...@ntt.com ------------------------------------- -----Original Message----- From: Eliezer Croitoru <ngtech1...@gmail.com> Sent: Thursday, January 14, 2021 8:36 PM To: Hideyuki Kawai(川井秀行) <h.ka...@ntt.com> Cc: squid-dev@lists.squid-cache.org Subject: RE: [squid-dev] effective acl for tcp_outgoing_address It's more of an users question. Just to clear it out, the tcp_outgoing_address is a fast acl just when the decision is "required" You can "pre-cook" the value of a specific note when the connection is only at the first http_access level. An example for a setup which does probably what you want based on htaccess passwords you can here: https://github.com/elico/vagrant-squid-outgoing-addresses It's a vagrant lab which demonstrate this. Let me know if it helps you or you need clarification. Eliezer ---- Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: ngtech1...@gmail.com Zoom: Coming soon -----Original Message----- From: squid-dev <squid-dev-boun...@lists.squid-cache.org> On Behalf Of Hideyuki Kawai Sent: Thursday, January 14, 2021 2:48 AM To: squid-dev@lists.squid-cache.org Subject: [squid-dev] effective acl for tcp_outgoing_address Hi, this is Kawai. Please let me send inquiry as followings. ### Requirement ### 1. Kerberos auth with Active Directory : auth_param ..... <- Success 2. "Security group" check which is gotten from AD : external_acl_type ...(using ext_kerberos_ldap_group_acl) <- success 3. Different outgoing IP based on "Security group" : tcp_outgoing_address + external_acl <- fail ### Inquiry ### 1. "external_acl" can not use on tcp_outgoing_address. Because the external_acl type is slow. My understanding is correct? 2. If yes, how to solve my requirement? Please let me inform your comment and knowledge. Thanks in advance. ------------------------------------- h.ka...@ntt.com ------------------------------------- _______________________________________________ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev _______________________________________________ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
