Squid configuration directive external_acl_type
Available in: 3.3 3.2 3.1 2.7 3.HEAD 2.HEAD 3.0 2.6
History:
- Changes in 3.3 external_acl_type
  - %ACL format tag not yet ported from 2.6
  - %DATA format tag not yet ported from 2.6
- Changes in 3.2 external_acl_type
  - New format tags and option parameters:
    - %SRCEUI48: EUI-48 / MAC address of client from ARP lookup.
    - %SRCEUI64: EUI-64 of clients with SLAAC address.
    - %EXT_LOG: log= message returned by previous external ACL calls. An updated version may be returned.
    - %EXT_TAG: tag= value returned by previous external ACL calls. Tag may not be altered once set.
    - children-max=N: determines maximum number of helper processes used.
    - children-startup=N: determines minimum number of helper processes used.
    - children-idle=N: determines how many helpers to retain as a buffer against sudden traffic loads.
  - Deprecated children=N in favor of children-max=N.
- Changes in 3.1 external_acl_type
  - New options 'ipv4' and 'ipv6' are added to set the IPv4/v6 protocol between Squid and its helpers. Please be aware of some limits to these options. These options only affect the transport protocol used to send data to and from the helpers. Squid in IPv6-mode may still send %SRC addresses in IPv4 or IPv6 format, so all helpers will need to be checked and converted to cope with such information cleanly.
    - ipv4 / ipv6: IP protocol used to communicate with this helper. The default is to auto-detect IPv6 and use it when available.
  - New header input format specifiers, to separate request and reply headers when both are passed back:
    - %>{Header}: HTTP request header
    - %>{Hdr:member}: HTTP request header list member
    - %>{Hdr:;member}: HTTP request header list member using ; as list separator. ; can be any non-alphanumeric character.
    - %<{Header}: HTTP reply header
    - %<{Hdr:member}: HTTP reply header list member
    - %<{Hdr:;member}: HTTP reply header list member using ; as list separator. ; can be any non-alphanumeric character.
    - %%: The percent symbol (available from 3.1.17)
- Changes in 2.7 external_acl_type
  - New %URI format tag
- Changes in 3.HEAD external_acl_type
  - Deprecated protocol=3.0 option. No longer necessary.
  - New result code BH to signal helper internal errors. Details at http://wiki.squid-cache.org/Features/AddonHelpers.
- Changes in 3.0 external_acl_type
  - New format specifications:
    - %URI: Requested URI
    - %PATH: Requested URL path
  - New result keywords:
    - tag=: Apply a tag to a request (for both ERR and OK results). Only sets a tag, does not alter existing tags.
- Changes in 2.6 external_acl_type
  - Many new format options %SRCPORT, %MYADDR, %MYPORT, %PATH, %USER_CERT, %ACL, %DATA and a few variants. Helper protocol defaults to the simpler "3.0" protocol, and there is support for a highly efficient protocol via the concurrency= option if supported by the helper.
Configuration Details:
| Option Name: | external_acl_type |
|---|---|
| Replaces: | |
| Requires: | |
| Default Value: | none |
| Suggested Config: | |

This option defines external acl classes using a helper program to look up the status

    external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]

Options:

    ttl=n               TTL in seconds for cached results (defaults to 3600 for 1 hour)
    negative_ttl=n      TTL for cached negative lookups (default same as ttl)
    children-max=n      Maximum number of acl helper processes spawned to service external acl lookups of this type. (default 20)
    children-startup=n  Minimum number of acl helper processes to spawn during startup and reconfigure to service external acl lookups of this type. (default 0)
    children-idle=n     Number of acl helper processes to keep ahead of traffic loads. Squid will spawn this many at once whenever load rises above the capabilities of existing processes. Up to the value of children-max. (default 1)
    concurrency=n       Concurrency level per process. Only used with helpers capable of processing more than one query at a time.
    cache=n             Limit the result cache size, default is unbounded.
    grace=n             Percentage remaining of TTL where a refresh of a cached entry should be initiated without needing to wait for a new reply. (default is for no grace period)
    protocol=2.5        Compatibility mode for Squid-2.5 external acl helpers
    ipv4 / ipv6         IP protocol used to communicate with this helper. The default is to auto-detect IPv6 and use it when available.

FORMAT specifications:

    %LOGIN              Authenticated user login name
    %EXT_USER           Username from previous external acl
    %EXT_LOG            Log details from previous external acl
    %EXT_TAG            Tag from previous external acl
    %IDENT              Ident user name
    %SRC                Client IP
    %SRCPORT            Client source port
    %URI                Requested URI
    %DST                Requested host
    %PROTO              Requested protocol
    %PORT               Requested port
    %PATH               Requested URL path
    %METHOD             Request method
    %MYADDR             Squid interface address
    %MYPORT             Squid http_port number
    %PATH               Requested URL-path (including query-string if any)
    %USER_CERT          SSL User certificate in PEM format
    %USER_CERTCHAIN     SSL User certificate chain in PEM format
    %USER_CERT_xx       SSL User certificate subject attribute xx
    %USER_CA_xx         SSL User certificate issuer attribute xx
    %>{Header}          HTTP request header "Header"
    %>{Hdr:member}      HTTP request header "Hdr" list member "member"
    %>{Hdr:;member}     HTTP request header list member using ; as list separator. ; can be any non-alphanumeric character.
    %<{Header}          HTTP reply header "Header"
    %<{Hdr:member}      HTTP reply header "Hdr" list member "member"
    %<{Hdr:;member}     HTTP reply header list member using ; as list separator. ; can be any non-alphanumeric character.
    %%                  The percent sign. Useful for helpers which need an unchanging input format.

In addition to the above, any string specified in the referencing acl will also be included in the helper request line, after the specified formats (see the "acl external" directive).

The helper receives lines per the above format specification, and returns lines starting with OK or ERR indicating the validity of the request and optionally followed by additional keywords with more details.

General result syntax:

    OK/ERR keyword=value ...

Defined keywords:

    user=               The user's name (login)
    password=           The user's password (for login= cache_peer option)
    message=            Message describing the reason. Available as %o in error pages
    tag=                Apply a tag to a request (for both ERR and OK results). Only sets a tag, does not alter existing tags.
    log=                String to be logged in access.log. Available as %ea in logformat specifications

If protocol=3.0 (the default) then URL escaping is used to protect each value in both requests and responses.

If using protocol=2.5 then all values need to be enclosed in quotes if they may contain whitespace, or the whitespace escaped using \. Quotes or \ characters within the keyword value must also be \ escaped.

When using the concurrency= option the protocol is changed by introducing a query channel tag in front of the request/response. The query channel tag is a number between 0 and concurrency-1.
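The request/response exchange described above, as an added example that is not part of the Squid documentation or source: a helper for a constructed `%LOGIN %SRC` format that URL-decodes each field, echoes the channel tag when concurrency= is in use, and URL-escapes every value it returns. The policy table, the `ipbind` class name, the `--concurrent` flag and the function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Example external ACL helper for the default (protocol=3.0) line format.

Constructed squid.conf line for this example (name, path and the helper's
own --concurrent flag are placeholders, not Squid options):
  external_acl_type ipbind ttl=60 concurrency=10 %LOGIN %SRC /path/to/helper --concurrent
"""
import sys
from urllib.parse import quote, unquote

# Constructed policy: which login may connect from which client IP.
ALLOWED = {"alice": {"192.0.2.10"}, "bob doe": {"192.0.2.11"}}


def handle_line(line, concurrent=False):
    """Turn one request line (FORMAT: %LOGIN %SRC) into one response line."""
    fields = line.split()
    channel = ""
    if concurrent:
        # With concurrency=n each request starts with a numeric channel tag
        # that has to be placed in front of the matching response.
        if not fields or not fields[0].isdigit():
            return "ERR message=" + quote("missing channel tag")
        channel = fields.pop(0) + " "
    if len(fields) != 2:
        # Fail closed on anything that does not match the configured FORMAT.
        return channel + "ERR message=" + quote("malformed request")
    login, src = (unquote(f) for f in fields)
    if src in ALLOWED.get(login, ()):
        verdict, detail = "OK", "allowed"
    else:
        verdict, detail = "ERR", "login not allowed from " + src
    # URL-escape every value: whitespace or '=' inside client-influenced data
    # must not be readable by Squid as additional keyword=value pairs.
    return "%s%s user=%s log=%s" % (
        channel, verdict, quote(login, safe=""), quote(detail, safe=""))


def main(argv):
    concurrent = "--concurrent" in argv  # hypothetical flag of this helper
    for line in sys.stdin:
        sys.stdout.write(handle_line(line.rstrip("\n"), concurrent) + "\n")
        sys.stdout.flush()  # one reply per request line, never left buffered


if __name__ == "__main__":
    main(sys.argv[1:])
```

The third case in the checks below is the one to look at: a login containing an escaped space and `=` comes back as a single `user=` value instead of splitting into a second keyword.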