Hi Alex,

In addition to using an external acl to annotate connections and decide whether
to splice/bump, I would like to try using an ecap service to achieve this.
I would like to create an acl using info from the ecap service, and bump/splice 
using the following configuration:

acl classifyRequest note splice yes

acl step1 at_step SslBump1
acl step2 at_step SslBump2

ssl_bump peek step1
ssl_bump splice step2 classifyRequest
ssl_bump stare all
ssl_bump bump all

If I set a custom option from within the ecap service, can I use that via the
above note acl? Can I set a custom option without setting it in
'adaptation_masterx_shared_names', as I already have another one there,
and it only supports one name?

Or, should I instead use:

acl classifyRequest note %adapt::<last_h{splice} yes

In this case should I set a custom header from within the ecap via: 
adapted->header().add, or use the visitEachOption() method?


From: Alex Rousskov <rouss...@measurement-factory.com>
Sent: Monday, June 14, 2021 16:24
To: squid-users@lists.squid-cache.org <squid-users@lists.squid-cache.org>
Cc: Frida Safran <fsaf...@proofpoint.com>
Subject: Re: [squid-users] Passing Proxy Protocol Headers to external ACL

On 6/14/21 2:29 AM, Frida Safran wrote:

> Regarding proxy_protocol - is there a known patch for v4 I could use by
> any chance?

I am not aware of any such patches. The changes were significant, fixing
many PROXY protocol handling bugs. Virtually anything can be backported,
but it would be a large effort with noticeable stability risks and
long-term maintenance overheads. Preparing for a v5 upgrade may be a
better strategy in this particular case.

> Regarding icap, I suppose the acl is getting evaluated before the icap
> and that is why they aren't available:

> acl classifyRequest external TransactionClassificator
> ssl_bump peek step1
> ssl_bump splice step2 classifyRequest
> ssl_bump stare all
> ssl_bump bump all

According to [1], the above configuration should result in two ICAP
REQMOD requests (if configured) before classifyRequest is consulted
during step2. I am aware of SslBump bugs in that area, but I would
expect at least one ICAP REQMOD request anyway. The requests'
existence/timing should be easy to confirm using cache.log with
debug_options set to at least "ALL,3 82,9 93,9" and/or a logging or
pausing external ACL script in combination with an icap_log (to compare
logged timestamps).

> ------------------------------------------------------------------------
> *From:* Alex Rousskov <rouss...@measurement-factory.com>
> *Sent:* Sunday, June 13, 2021 17:46
> *To:* squid-users@lists.squid-cache.org <squid-users@lists.squid-cache.org>
> *Cc:* Frida Safran <fsaf...@proofpoint.com>
> *Subject:* Re: [squid-users] Passing Proxy Protocol Headers to external ACL
> On 6/13/21 7:31 AM, Frida Safran wrote:
>>  1. Is it possible to pass proxy protocol headers to an external acl as
>>     part of the format?
> It should be possible. Use %proxy_protocol::>h logformat %code in your
> external_acl_type FORMAT configuration. We added that support to Squid
> v5. Not available in the official v4.
>>  2. Is it possible to pass all/specific icap headers to an external acl?
>>     I have been trying to use %icap::>h to pass all the icap headers to
>>     an external acl, but it resolves to "-"
> It should be possible if your external ACL is evaluated _after_ the
> corresponding ICAP headers are received, but I would not be surprised if
> there are bugs in this area -- the ICAP headers may be available but not
> provided to the ACL evaluation code. Which squid.conf directive is
> triggering your external ACL evaluation in this use case?
> HTH,
> Alex.

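The "logging or pausing external ACL script" Alex suggests above, as an added example that is not part of the thread or of Squid itself. It speaks the external_acl_type helper protocol (one request line in, one `OK`/`ERR` line out, with the channel ID echoed back when `concurrency=` is configured), writes a wall-clock timestamp for every request to a log file, and can sleep before answering so the ordering relative to REQMOD is easy to see. The helper path, the log file name, the format fields and the sample request lines are assumptions made up for the example; the `splice=yes` key it returns on `OK` is an assumption that Squid stores non-reserved reply keys as transaction annotations, which is what would let the external-ACL variant of `classifyRequest` feed an `acl ... note splice yes` rule.

```python
#!/usr/bin/env python3
"""Logging/pausing external ACL helper for Squid (example for the thread above).

Reads one request per line from stdin, appends a timestamped record of it to a
log file, optionally sleeps, then answers OK or ERR.  Comparing the timestamps
with icap_log (whose default format also starts with a unix timestamp) shows
whether the ICAP REQMOD happened before or after the ACL was consulted.
"""
import argparse
import io
import sys
import time


def parse_request(line, concurrent):
    """Split a helper request line into (channel_id, fields).

    With concurrency=N in external_acl_type, Squid prefixes each line with a
    channel ID that must be echoed back as the first token of the reply.
    """
    fields = [f for f in line.rstrip("\r\n").split(" ") if f]
    if concurrent:
        if not fields:
            raise ValueError("concurrent request without channel id")
        return fields[0], fields[1:]
    return None, fields


def build_reply(channel, verdict, annotations=None):
    """Build the reply line: [channel] OK|ERR [key=value ...]."""
    parts = [] if channel is None else [channel]
    parts.append(verdict)
    for key, value in (annotations or {}).items():
        parts.append(f"{key}={value}")
    return " ".join(parts)


def format_log_record(ts, channel, fields):
    """One log line per request: epoch seconds with millis, channel, fields."""
    return f"{ts:.3f} chan={channel if channel is not None else '-'} {' '.join(fields)}"


def handle_line(line, concurrent, verdict="OK", annotations=None, pause=0.0,
                clock=time.time, sleep=time.sleep, log=None):
    """Log the request, optionally pause, and return the reply line."""
    channel, fields = parse_request(line, concurrent)
    if log is not None:
        log.write(format_log_record(clock(), channel, fields) + "\n")
        log.flush()          # flush before sleeping so the timestamp is visible now
    if pause > 0:
        sleep(pause)
    return build_reply(channel, verdict, annotations)


# Constructed sample input, as Squid would send it for a FORMAT of
# "%SRC %ssl::>sni" with concurrency enabled (assumed, not captured).
SAMPLE_REQUESTS = [
    "0 192.0.2.10 example.com\n",
    "1 192.0.2.11 mail.example.net\n",
]


def demo():
    """Run the sample requests through the helper offline; returns (replies, log lines)."""
    log = io.StringIO()
    fake_clock = iter([1623700000.250, 1623700000.750])
    replies = [
        handle_line(req, concurrent=True, annotations={"splice": "yes"},
                    clock=lambda: next(fake_clock), sleep=lambda s: None, log=log)
        for req in SAMPLE_REQUESTS
    ]
    return replies, log.getvalue().splitlines()


def main(argv=None):
    ap = argparse.ArgumentParser(description="logging/pausing Squid external ACL helper")
    ap.add_argument("--log", default="/var/log/squid/classify-acl.log")  # assumed path
    ap.add_argument("--concurrent", action="store_true",
                    help="set when external_acl_type uses concurrency=N")
    ap.add_argument("--pause", type=float, default=0.0, help="seconds to sleep per request")
    ap.add_argument("--verdict", choices=["OK", "ERR"], default="OK")
    args = ap.parse_args(argv)
    annotations = {"splice": "yes"} if args.verdict == "OK" else None
    with open(args.log, "a") as log:
        for line in sys.stdin:
            reply = handle_line(line, args.concurrent, args.verdict, annotations,
                                args.pause, log=log)
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()   # Squid waits for the line; never buffer it


if __name__ == "__main__":
    main()
```

To wire it in, point an `external_acl_type TransactionClassificator concurrency=10 %SRC %ssl::>sni /path/to/helper.py --concurrent --pause 2` at the script (path assumed), keep the `ssl_bump` rules from the thread, and then diff the helper log against icap_log: if the REQMOD entry's timestamp precedes the helper's record for the same client, the ICAP headers existed before the ACL ran and the "-" is a plumbing problem rather than an ordering one.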