Hey,

As Alex gave you the technical details.

At runtime of squid there is a sequence of events and ACL validation.
http_access is validated as a slow acl first, long before tcp_outgoing_address is happening.
If you apply a "dummy" rule in the http_access like what Alex has suggested, you would be able to make sure that when the tcp_outgoing_address validation happens, a "pre-cooked" (this is how I call it) or a pre-determined session note will be "sticked" to the session details.

This is a simplified squid.conf:
https://github.com/elico/vagrant-squid-outgoing-addresses/blob/master/shared/squid.conf#L14
which includes the usage of a note from a helper that will always match, like "all" should always be true (which is used in Alex's example).

Let me know if it still doesn't make sense.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon

-----Original Message-----
From: Hideyuki Kawai <h.ka...@ntt.com>
Sent: Thursday, January 14, 2021 2:22 PM
To: Eliezer Croitoru <ngtech1...@gmail.com>
Cc: squid-dev@lists.squid-cache.org
Subject: RE: [squid-dev] effective acl for tcp_outgoing_address

Dear Eliezer

Thank you for your reply.
Could you let me ask you about your comment?
Can a "slow acl" be used in tcp_outgoing_address?

Best regards,
Kawai

-------------------------------------
h.ka...@ntt.com
-------------------------------------

-----Original Message-----
From: Eliezer Croitoru <ngtech1...@gmail.com>
Sent: Thursday, January 14, 2021 8:36 PM
To: Hideyuki Kawai(川井秀行) <h.ka...@ntt.com>
Cc: squid-dev@lists.squid-cache.org
Subject: RE: [squid-dev] effective acl for tcp_outgoing_address

It's more of a users question.

Just to clear it out, the tcp_outgoing_address is a fast acl just when the decision is "required".
You can "pre-cook" the value of a specific note when the connection is only at the first http_access level.

An example for a setup which probably does what you want, based on htaccess passwords, you can find here:
https://github.com/elico/vagrant-squid-outgoing-addresses

It's a vagrant lab which demonstrates this.

Let me know if it helps you or you need clarification.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com
Zoom: Coming soon

-----Original Message-----
From: squid-dev <squid-dev-boun...@lists.squid-cache.org> On Behalf Of Hideyuki Kawai
Sent: Thursday, January 14, 2021 2:48 AM
To: squid-dev@lists.squid-cache.org
Subject: [squid-dev] effective acl for tcp_outgoing_address

Hi, this is Kawai.
Please let me send an inquiry as follows.

### Requirement ###
1. Kerberos auth with Active Directory : auth_param ..... <- Success
2. "Security group" check which is gotten from AD : external_acl_type ...(using ext_kerberos_ldap_group_acl) <- success
3. Different outgoing IP based on "Security group" : tcp_outgoing_address + external_acl <- fail

### Inquiry ###
1. "external_acl" can not be used on tcp_outgoing_address, because the external_acl type is slow. Is my understanding correct?
2. If yes, how to solve my requirement?

Please let me know your comments and knowledge.
Thanks in advance.

-------------------------------------
h.ka...@ntt.com
-------------------------------------

_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
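
The "pre-cooked note" arrangement discussed in this thread, as an added squid.conf sketch that is not taken from the thread or from the linked repository. The helper path, the note key `outgoing_group`, the group names and the 192.0.2.x addresses are assumptions; the helper is a hypothetical one that always answers `OK outgoing_group=<name>` for the logged-in user.

```conf
# Added example, not from the thread. Assumed names: group_note,
# /usr/local/bin/group_note_helper, outgoing_group, sales, engineering.

# Kerberos auth_param lines omitted (already working in the original setup).
acl authed proxy_auth REQUIRED

# Slow lookup: the hypothetical helper receives the user name and always
# replies "OK outgoing_group=<name>". Squid stores the key=value pair as an
# annotation (note) on the transaction.
external_acl_type group_note ttl=300 %LOGIN /usr/local/bin/group_note_helper
acl lookup_group external group_note

# Fast ACLs: they only read the annotation already attached to the
# transaction, so no helper call is needed when they are checked.
acl group_sales note outgoing_group sales
acl group_eng   note outgoing_group engineering

http_access deny !authed

# "Dummy" rule: "!all" never matches, so this line never denies a request.
# ACLs are evaluated left to right, so lookup_group still runs here, where
# slow ACLs are supported, and the note gets attached.
http_access deny lookup_group !all

http_access allow authed
http_access deny all

# Does not work: this directive is checked on the fast path and cannot
# wait for an external helper.
# tcp_outgoing_address 192.0.2.10 lookup_group

# Works: decision is made from the pre-cooked note.
tcp_outgoing_address 192.0.2.10 group_sales
tcp_outgoing_address 192.0.2.20 group_eng
```

Requests whose note matches neither ACL fall through to the default outgoing address, so a user missing from both groups is not blocked by these lines; restrict that case in http_access if it matters.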