Using external_acl_type in Squid





An example of how to use external_acl_type. external_acl_type defines an external program that checks a requested URL and classifies it as allowed or denied.

This program is started only once; it then stays running, waiting for parameters and returning OK or ERR as required.

It can be used for many purposes, whenever you run into limitations in Squid's built-in rules.

Example:
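#!/usr/bin/perl -w
use MIME::Base64 ();

# Debug log. Each logged request line includes the Cookie header,
# so keep this file readable only by the Squid user.
open(STDERR, ">", "/tmp/external_acl.log") or die "cannot open log: $!";
select(STDERR); $| = 1;     # make unbuffered
select(STDOUT); $| = 1;     # make unbuffered: Squid waits for each reply line
print STDERR "INI: $$\n\n";

# Squid sends one request per line; answer each one with a single line.
while (<>) {
	print STDERR "<--- $_\n\n";
	chomp;
	my ($u) = split;            # first field of the FORMAT (here %SRC)
	#$u = MIME::Base64::decode($u);
	my $ans = check($u);
	print "$ans", $u, "\n";     # "OK user=<first field>"
}

# Decision function: this sample always allows; put the real check here.
sub check {
	my ($u) = @_;
	return 'OK user=';
}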

Configuration in squid.conf:
external_acl_type external_prg %SRC %LOGIN %{Host} %{Cookie} /home/www/cgi-bin/external_acl.pl
acl rule_1 external external_prg
acl rule_2 url_regex http://evandro.net/
http_access allow rule_1 rule_2

TAG NAME
 external_acl_type
Description
 This tag defines external acl classes using a helper program to look up the status
Build Option
 Default
Usage
 external_acl_type name [options] FORMAT.. path/helper [helper arguments..]
Default
 none
Synopsis
This tag defines how the external acl classes using a helper program should look up the status.

Arguments
name
 External acl type name
path
 Path to the external helper program
helper
 Helper program

Options:
ttl=n
 TTL in seconds for cached results (defaults to 3600 for 1 hour)
negative_ttl=n
 TTL for cached negative lookups (default same as ttl)
children=n
 Number of acl helper processes to spawn to service external acl lookups of this type.
concurrency=n
 Concurrency level per process. Use 0 for old style helpers that can only process a single request at a time.
cache=n
 result cache size, 0 is unbounded (default)
grace=n
 Percentage remaining of TTL where a refresh of a cached entry should be initiated without needing to wait
 for a new reply. (default 0 for no grace period)

FORMAT specifications:
%LOGIN
 Authenticated user login name
%IDENT
 Ident user name
%SRC
 Client IP
%SRCPORT
 Client source port
%DST
 Requested host
%PROTO
 Requested protocol
%PORT
 Requested port
%PATH
 Requested URL path
%METHOD
 Request method
%MYADDR
 Squid interface address
%MYPORT
 Squid http_port number
%USER_CERT_xx
 SSL User certificate attribute xx
%USER_CA_xx
 SSL User certificate CA attribute xx
%{Header}
 HTTP request header
%{Hdr:member}
 HTTP request header list member
%{Hdr:;member}
 HTTP request header list member using ; as list separator. ; can be any non-alphanumeric character.

In addition, any string specified in the referencing acl will also be included in the helper request line, after the specified formats (see the "acl external" directive)

The helper receives lines per the above format specification, and returns lines starting with OK or ERR indicating the validity of the request and optionally followed by additional keywords with more details.

General result syntax: OK/ERR keyword=value ...

Defined Keywords
user=
 The user's name (login)
password=
 The user's password (for login= cache_peer option)
message=
 Message describing the reason. Available as %o in error pages
tag=
 Apply a tag to a request (for both ERR and OK results). Only sets a tag, does not alter existing tags.
log=
 String to be logged in access.log. Available as %ea in logformat specifications

Keyword values need to be enclosed in quotes if they may contain whitespace, or the whitespace escaped using \. Any quotes or \ characters within the keyword value must be \ escaped.
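
The request/reply exchange and the quoting rule above, as an added example in Python (not code from the original page or from the Squid project). It assumes the FORMAT `%SRC %LOGIN %{Host} %{Cookie}` from the first example, that each field arrives as one whitespace-separated token with `-` for an absent value, and a constructed host allowlist; the function names are hypothetical.

```python
import sys

# Field order must match the FORMAT in squid.conf: %SRC %LOGIN %{Host} %{Cookie}
FIELDS = ("src", "login", "host", "cookie")
ALLOWED_HOSTS = {"evandro.net"}  # constructed policy for this example

def quote(value):
    """Escape \\ and " and wrap in quotes when the value contains whitespace."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    if any(ch.isspace() for ch in value):
        return '"' + escaped + '"'
    return escaped

def reply(status, **keywords):
    """Build 'OK/ERR keyword=value ...' with every value escaped."""
    return " ".join([status] + [f"{k}={quote(v)}" for k, v in keywords.items()])

def handle(line):
    """Decide one request line; anything unexpected is denied (fail closed)."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        return reply("ERR", message="malformed helper request")
    req = dict(zip(FIELDS, tokens))
    if req["login"] == "-":  # assumption: '-' marks an absent value
        return reply("ERR", message="authentication required")
    host = req["host"].lower().split(":")[0]  # drop an optional :port
    if host not in ALLOWED_HOSTS:
        return reply("ERR", user=req["login"], message=f"host {host} is not allowed")
    # The cookie is deliberately neither logged nor echoed back.
    return reply("OK", user=req["login"], log=f"allowed {req['src']}")

def main():
    for line in sys.stdin:
        sys.stdout.write(handle(line) + "\n")
        sys.stdout.flush()  # Squid waits for one reply line per request line

if __name__ == "__main__":
    main()
```

Escaping every returned value keeps client-supplied text such as the login name from being parsed by Squid as an extra keyword.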

Example(s)
auth_param basic program < put your authenticator here >
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1800 seconds
external_acl_type checkip children=20 %LOGIN %SRC /usr/local/Squid/bin/checkip.pl
acl password external checkip
acl it src 172.16.20.1-172.16.20.199/255.255.255.255
http_access allow it password

Allows user if user belongs to a group that is allowed during a given time and using a given IP


