Re: [squid-users] request_header_access and external acl

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 13 Mar 2009 01:47:16 +1300

Tucker Cunningham wrote:
> Thanks for the reply, Amos. I'm on version 3.0.STABLE13. If I use the
> external acl with http_access, I've dumped the input to the helper
> program and seen that the cert info is being correctly passed in. The
> problem only seems to occur when using the external acl in conjunction
> with request_header_access. Does that sound like a manifestation of
> the same bug? The patch looks like it mostly addresses config file
> parsing, which seems to be working for me.
> Again, thanks for your help. I'm relatively new to working with squid,
> so just figuring out a lot of this stuff. One thing that may or may not
> be important is that I'm running an 'accel' server, not a conventional
> proxy. Not sure if it's important, but I guess some things work
> differently in this configuration.

I've found http_header_access is a "Fast" ACL type (result-or-fail).
external acl is a "Slow" type (result-or-lookup).

You will have to use the external ACL in one of the earlier access
controls that it works for and cache the result for use.

Amos

>
> -tucker
>
> Amos Jeffries wrote:
>>
>> > hello all -
>> > I've run into some trouble using the request_header_access directive
>> > with an external acl. A snippet of my config file is below:
>> >
>> > -----
>> > external_acl_type check_clientcert children=1 concurrency=0 ttl=3 negative_ttl=3 %USER_CERT_CN /etc/squid3/helper.pl
>> > acl matches-clienttest-cert-name external check_clientcert clienttest-cert-name
>> >
>> > #http_access allow matches-clienttest-cert-name
>> > #http_access deny all
>> > request_header_access User-Agent deny matches-clienttest-cert-name
>> > ------
>> >
>> > If i uncomment the http_access lines, i am only granted access if i
>> > present the correct client certificate, so the external acl seems to be
>> > configured correctly. I also see lines like
>> >
>> > -----
>> > 2009/03/11 14:12:54.243| helperDispatch: Request sent to check_clientcert #1, 14 bytes
>> > 2009/03/11 14:12:54.243| helperSubmit: - clienttest-cert-name
>> > -----
>> >
>> > in the output of squid -X. However, when I run squid with the config
>> > file above, the User-Agent header is not removed, and I see no
>> > "helperDispatch" or "helperSubmit" in the log output. Can anyone shed
>> > some light on why external acls may not be invoked this way?
>> >
>> >
>> > Taking a step back, my larger goal is to run an https accelerator which
>> > accepts client-certificate authenticated requests and passes information
>> > about the client cert to the origin server. My idea right now is to put
>> > the client certificate CN into the User-Agent header, but if anyone has
>> > a better idea, my current solution seems pretty hacked together. Thanks
>> > for your help.
>> >
>> > -tucker cunningham
>> >
>>
>> What version of Squid?
>>
>> 3.x has a small glitch parsing of CERT info.
>>
>> http://www.squid-cache.org/Versions/v3/3.1/changesets/b9429.patch
>>
>>
>>
>> Amos
>>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Thu Mar 12 2009 - 12:46:40 MDT
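The squid.conf arrangement Amos's reply points to, written out as an added example (it is not Tucker's posted config and not Squid project documentation). The directive, helper path and ACL names are taken from the snippet quoted in the thread; the longer ttl/negative_ttl values and the explicit "allow all" fallback are this example's own assumptions.

```conf
# Added example, not the poster's config or Squid's own documentation.
# Names come from the quoted snippet; ttl values and the trailing
# "allow all" rule are assumptions made for this example.

# Slow-capable lookup: the helper receives the %USER_CERT_CN value plus the
# literal ACL argument "clienttest-cert-name" and answers OK or ERR.
# The answer is cached, keyed on that request string, for ttl seconds
# (negative_ttl for ERR). A ttl of 3 seconds, as in the original snippet,
# works but forces a fresh helper round trip almost every request.
external_acl_type check_clientcert children=1 concurrency=0 ttl=60 negative_ttl=10 %USER_CERT_CN /etc/squid3/helper.pl
acl matches-clienttest-cert-name external check_clientcert clienttest-cert-name

# http_access is one of the "slow" checks: it may suspend the request and
# wait for the helper. Evaluating the external ACL here performs the lookup
# and stores the verdict in the external ACL cache.
http_access allow matches-clienttest-cert-name
http_access deny all

# request_header_access is a "fast" check (result-or-fail, in Amos's words):
# it consults only the cache and never waits for a lookup. Because the
# http_access rule above has already populated the cache for this client's
# certificate CN, the ACL matches here and the User-Agent header is dropped.
# With the http_access line absent (as in the quoted config), the fast check
# finds no cached entry, cannot dispatch the helper, and the deny rule never
# matches, which is why no helperDispatch/helperSubmit lines appeared.
request_header_access User-Agent deny matches-clienttest-cert-name
request_header_access User-Agent allow all
```

Two practical checks: run `squid -X` again and confirm the helperDispatch/helperSubmit lines now appear during the http_access phase, and verify that the same client presenting the wrong certificate is refused at http_access rather than reaching the header rules at all. If the cached entry can expire between the http_access decision and header processing (long backend delays with a very short ttl), the fast check fails again, so keep ttl comfortably longer than a request's lifetime.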

This archive was generated by hypermail 2.2.0 : Thu Mar 12 2009 - 12:00:02 MDT