[squid-users] rep_mime_type and external helpers

From: Gerard Eviston <[email protected]>
Date: Wed, 13 Nov 2002 19:03:09 +1000

Hi,

Squid-2.5.STABLE1.

My organisation needs to regulate both internet access and binary downloads.
Authentication is NTLM and then LDAP group membership is checked. A member of
the internet-access group can get most places, and a member of the
internet-downloads group can get EXEs and other nasties. Previously downloads
were controlled with regexes but using rep_mime_type acls seems much better
suited to the task.

My problem: In short, I can't use ldap groups to grant/deny access to certain
MIME types.

It seems external acl helpers which take username as an argument must be of
type %LOGIN. A side effect is that require_auth is set and therefore an
authentication check is performed before the external helper is called. Since
I'm doing a http_*reply*_access check for the MIME type, it fails
(understandably) with a "no connection data" message in the cache log.

             } else if (strcmp(token, "%LOGIN") == 0) {
                 format->type = EXT_ACL_LOGIN;
                 a->require_auth = 1;

But adding a custom type foobar seemed to work (external_acl.c)

            } else if (strcmp(token, "%FOOBAR") == 0) {
                format->type = EXT_ACL_LOGIN;
                a->require_auth = 0;

Is there a simpler solution?

Is it sensible to use external helpers on reply checks? Side effects?

Has anyone else been down this road?

TIA
Gerard
Received on Wed Nov 13 2002 - 02:04:03 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:18 MST