List:       squid-dev
Subject:    Re: [squid-dev] effective acl for tcp_outgoing_address
From:       "Eliezer Croitoru" <ngtech1ltd () gmail ! com>
Date:       2021-01-21 8:42:19
Message-ID: 002801d6efd1$54dfe150$fe9fa3f0$ () gmail ! com

Hey,

Alex gave you the technical details.

At Squid runtime there is a sequence of events and ACL validations.
http_access is validated as a slow acl first, long before tcp_outgoing_address is happening. If you apply a "dummy" rule in http_access like what Alex has suggested, you will be able to make sure that when the tcp_outgoing_address validation happens a "pre-cooked" (this is how I call it) or pre-determined session note will be "stuck" to the session details.

This is a simplified squid.conf:
https://github.com/elico/vagrant-squid-outgoing-addresses/blob/master/shared/squid.conf#L14

It includes the usage of a note from a helper that will always match, like "all" should always be true (which is used in Alex's example).

Let me know if it still doesn't make sense.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@gmail.com
Zoom: Coming soon


-----Original Message-----
From: Hideyuki Kawai <h.kawai@ntt.com> 
Sent: Thursday, January 14, 2021 2:22 PM
To: Eliezer Croitoru <ngtech1ltd@gmail.com>
Cc: squid-dev@lists.squid-cache.org
Subject: RE: [squid-dev] effective acl for tcp_outgoing_address

Dear Eliezer

Thank you for your reply.
Could you let me ask you about your comment?

Can a "slow acl" be used in tcp_outgoing_address?

Best regards,
Kawai

-------------------------------------
h.kawai@ntt.com
-------------------------------------
-----Original Message-----
From: Eliezer Croitoru <ngtech1ltd@gmail.com> 
Sent: Thursday, January 14, 2021 8:36 PM
To: Hideyuki Kawai(川井秀行) <h.kawai@ntt.com>
Cc: squid-dev@lists.squid-cache.org
Subject: RE: [squid-dev] effective acl for tcp_outgoing_address

It's more of a users question.

Just to clear it out, the tcp_outgoing_address is a fast acl just when the decision is "required". You can "pre-cook" the value of a specific note when the connection is only at the first http_access level. An example of a setup which probably does what you want, based on htaccess passwords, you can find here:
https://github.com/elico/vagrant-squid-outgoing-addresses

It's a vagrant lab which demonstrates this.

Let me know if it helps you or you need clarification.

Eliezer
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@gmail.com
Zoom: Coming soon


-----Original Message-----
From: squid-dev <squid-dev-bounces@lists.squid-cache.org> On Behalf Of Hideyuki Kawai
Sent: Thursday, January 14, 2021 2:48 AM
To: squid-dev@lists.squid-cache.org
Subject: [squid-dev] effective acl for tcp_outgoing_address

Hi, this is Kawai.

Please let me send an inquiry as follows.

### Requirement ###
1. Kerberos auth with Active Directory: auth_param .....  <- Success
2. "Security group" check which is gotten from AD: external_acl_type ...(using ext_kerberos_ldap_group_acl)  <- success
3. Different outgoing IP based on "Security group": tcp_outgoing_address + external_acl  <- fail

### Inquiry ###
1. "external_acl" cannot be used on tcp_outgoing_address, because the external_acl type is slow. Is my understanding correct?
2. If yes, how to solve my requirement?

Please let me know your comments and knowledge.
Thanks in advance.

-------------------------------------
h.kawai@ntt.com
-------------------------------------
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
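
The "pre-cooked note" approach described in this thread, as an added squid.conf example that is not taken from the thread or from the linked repository: the slow external ACL is evaluated in http_access, where a rule that can never match records the result as a transaction annotation, and tcp_outgoing_address then matches that annotation with the fast `note` ACL. It assumes Squid 4 or later (for `annotate_transaction`); the helper paths, realm, group names, the annotation key `egress` and the addresses are constructed placeholders.

```conf
# Added example. Paths, realm, groups and addresses below are placeholders.

# Kerberos (Negotiate) authentication against Active Directory.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
acl authed proxy_auth REQUIRED

# Slow ACLs: one AD security-group lookup per egress class.
external_acl_type sales_group ttl=300 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g ProxySales@EXAMPLE.TEST
external_acl_type eng_group   ttl=300 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g ProxyEng@EXAMPLE.TEST
acl in_sales external sales_group
acl in_eng   external eng_group

# Always-matching ACLs used only for their side effect:
# they attach egress=<class> to the current transaction.
acl mark_sales annotate_transaction egress=sales
acl mark_eng   annotate_transaction egress=eng

# Fast ACLs that read the annotation back.
acl egress_sales note egress sales
acl egress_eng   note egress eng

# http_access supports slow ACLs, so the group lookup happens here.
http_access deny !authed

# "Dummy" rules: ACLs are evaluated left to right, so the annotation is
# added only if the group check matched. "!all" is never true, so these
# rules never deny anything; they exist to run the lookup and set the note.
http_access deny in_sales mark_sales !all
http_access deny in_eng   mark_eng   !all

http_access allow authed
http_access deny all

# tcp_outgoing_address only supports fast ACLs; by now the note is set.
tcp_outgoing_address 192.0.2.10 egress_sales
tcp_outgoing_address 192.0.2.20 egress_eng
```

A user who is in neither group gets no annotation and leaves from the system default address, so add an explicit http_access deny for that case if unclassified traffic must not egress. `squid -k parse` checks the file for syntax errors before a reload.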

