[squid-users] Antwort: Re: [squid-users] http_reply_access & LDAP external acl

Thu, 22 Apr 2004 05:53:07 -0700 

Thanks Henrik,

this seems to work. What exactly do you mean with "quite well (but not
100%)"?
Would you consider  this workaround fit for use in a production environment
(about 1000 users)?

Regards

Horst




                                                                                       
                            
                    Henrik                                                             
                            
                    Nordstrom            An:     [EMAIL PROTECTED]                     
                         
                    <[EMAIL PROTECTED]       Kopie:  [EMAIL PROTECTED]                 
                      
                    he.org>              Thema:  Re: [squid-users] http_reply_access & 
LDAP external acl           
                                                                                       
                            
                    21.04.2004                                                         
                            
                    18:09                                                              
                            
                                                                                       
                            
                                                                                       
                            




On Wed, 21 Apr 2004 [EMAIL PROTECTED] wrote:

> It seems like the problem only occurs in conjunction with the
> http_reply_access.
>
> Any ideas? (My current workaround is a script that reads the admins group
> from the LDAP-directory and writes the members into a file.  Told squid
to
> read the "admins" acl from the file instead of the LDAP-directory. That
> basically works but is not really elegant )


http_reply_access is somewhat limited in Squid-2.5 in that it cannot wait
for any form of external lookup to complete (external, dns etc).

You can work around this quite well (but not 100%) by making sure the same
acls is evaluated in http_access, allowing Squid to cache the result
before processing your http_reply_access rules. A simple method to have
acls evaluated in http_access without affecting the http_access outcome is
to use combine them with a dummy acl that will never match anything


acl nothing src 0.0.0.0/32

http_access deny acl_that_needs_to_be_evaluated nothing


somewhere before where access is allowed..

Regards
Henrik






Disclaimer

Diese E-Mail kann vertrauliche und/oder rechtlich gesch�tzte Informationen
enthalten. Wenn Sie nicht der beabsichtigte Empf�nger sind oder diese E-Mail
irrt�mlich erhalten haben, informieren Sie bitte sofort den Absender tele-
fonisch oder per E-Mail und l�schen Sie diese E-Mail aus Ihrem System. Das
unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht
gestattet. Wir haften nicht f�r die Unversehrtheit von E-Mails, nachdem sie
unseren Einflussbereich verlassen haben.

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error) please
notify the sender immediately by call or e-mail and destroy this e-mail. Any
unauthorised copying, disclosure or distribution of the material in this
e-mail is strictly forbidden. We are not responsible for the integrity of
e-mails after they have left our sphere of control.

Reply via email to