Squid external acl scheme

This work aims at implementing an extensible external acl scheme for Squid, driven by helpers.

Note: This project has been finished and is now part of the mainline Squid sources since Squid 2.5.STABLE1. Because of this, these pages are no longer actively updated and may differ slightly from the functionality found in Squid. The authoritative source for configuration syntax etc. is the squid.conf.default documentation. These pages are kept for a while as a historic reference.

This allows the implementation of, for example:

Group based access controls
by querying whether the user belongs to a given group
Complex authorization checks
by combining for example user id + IP address, making sure the user is using his assigned IP address
and many more


Basic guidelines by which this is designed
Description of the configuration syntax

Available helpers using the interface

ident lookups
The external_acl_fuzzy patch includes an ident lookup helper. Together with the patch this provides the capability of per-source-IP ident lookups.
check_ncp_group by Vincent Gardien
Checks whether Novell users belong to specified Novell groups using the NCP stack provided by ncptools. This works with true Novell servers 4.x and 5.x, with and without IPX support.
wbinfo_group by Jerry Murdock
Perl wrapper around the winbind wbinfo command, allowing you to control users' access based on Windows NT group memberships
LDAP Group by MARA Systems AB
Allows you to control users' access based on LDAP group memberships
check_group by Rodrigo Campos.
Allows you to control users' access based on UNIX group memberships
ip_user by Rodrigo Campos.
Allows you to restrict users to their specific IP addresses based on a simple file listing the users and their IP address/network.
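The helpers listed above all speak the same line-oriented protocol: Squid writes one request line per lookup, formatted according to the external_acl_type format string, and the helper answers OK or ERR. The following is an added example in the spirit of the ip_user helper; it is not the code of Squid's ip_user or of any helper on this page. It assumes a format of %SRC %LOGIN, that Squid URL-encodes each field (as documented in squid.conf.default, not on this page), and that a leading channel id is present when the Squid-3 concurrency= option is used. The table format, the SAMPLE_TABLE data and the --concurrent flag are constructions of this example.

```python
"""Squid external_acl helper in the style of ip_user: OK if the login is
allowed to come from the source address, ERR otherwise (added example)."""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed sample mapping. The file format is an assumption of this
# example, not the format of Squid's own ip_user helper:
#   <login> <ip-or-cidr> [<ip-or-cidr> ...]      ('#' starts a comment)
SAMPLE_TABLE = """\
# login   allowed source addresses / networks
alice     10.0.0.5
bob       10.0.1.0/24 192.0.2.17
carol     2001:db8::/32
"""


def parse_table(text):
    """Map each login to the list of networks it may connect from."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        login, *nets = line.split()
        table.setdefault(login, []).extend(
            ipaddress.ip_network(n, strict=False) for n in nets)
    return table


def check(table, src, login):
    """True only if src parses as an address and lies in one of login's networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in table.get(login, ()))


def handle_line(table, line, concurrent=False):
    """Turn one request line from Squid into the reply line.

    With 'external_acl_type ... %SRC %LOGIN' the request is "<src> <login>";
    the fields arrive URL-encoded, so they are decoded here.  When the
    Squid-3 concurrency= option is in use, a channel id precedes the fields
    and is echoed back so Squid can match the reply to the request.
    """
    fields = line.rstrip("\r\n").split()
    chan = None
    if concurrent and fields:
        chan, fields = fields[0], fields[1:]
    if len(fields) == 2:
        src, login = (unquote(f) for f in fields)
        verdict = "OK" if check(table, src, login) else "ERR"
    else:
        verdict = "ERR"  # malformed request: fail closed
    return verdict if chan is None else f"{chan} {verdict}"


def main(argv):
    # Hypothetical options of this example: --concurrent, and an optional
    # table path; with no path the constructed SAMPLE_TABLE is used.
    concurrent = "--concurrent" in argv
    paths = [a for a in argv[1:] if not a.startswith("--")]
    text = open(paths[0]).read() if paths else SAMPLE_TABLE
    table = parse_table(text)
    while True:
        line = sys.stdin.readline()
        if not line:  # Squid closed the pipe: exit cleanly
            break
        sys.stdout.write(handle_line(table, line, concurrent) + "\n")
        sys.stdout.flush()  # a block-buffered stdout would leave Squid waiting


if __name__ == "__main__":
    main(sys.argv)
```

Wired into Squid 2.5 this would be declared with something like `external_acl_type ip_user %SRC %LOGIN /path/to/helper.py /etc/squid/ip_user.table`, referenced with `acl ipuser external ip_user` and used in `http_access allow ipuser`; the exact directive syntax is in squid.conf.default. Two details matter more than the lookup itself: the reply is flushed after every line, since helpers run with stdout connected to a pipe and unflushed replies never reach Squid, and anything that does not parse (a bad address, a missing field, an unknown login) is answered ERR rather than OK.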


2004-03-20 external_acl_fuzzy patch
The external_acl_fuzzy patch has been published. This patch adds the capability to cache external acl lookups at a coarser level, keyed on only part of the lookup data, and also adds a number of new format directives for matching local/remote port numbers etc. The new format directives are already available in Squid-3.0, but the extended caching requires some additional work before it can be merged.
ext_user acl type (Squid-3)
ext_user/ext_user_regex acl types added to match the username returned by external acl processing.
2003-05-29 overlapping requests (Squid-3)
Support for overlapping requests added, where a helper can service multiple concurrent requests, compared to the original design of one request at a time per helper process.
2003-05-20 tagging of requests (Squid-3)
Concept of request tagging introduced, where external acls may tag requests with information later used in other acl elements, allowing more expressive matches than just "true/false".
2003-02-27 %LOGIN fixed
%LOGIN fixed to require authentication if the user is not yet authenticated
2002-12-09 SSL related directives added (Squid-3)
Format directives for matching SSL certificate information have been added
2002-09-07 Quoting of helper arguments
squid.conf parser fixed to allow quoting of helper arguments
2002-08-21 %PATH directive (Squid-3)
Andrew Wansink implemented a %PATH directive for accessing the urlpath component from external_acl. This was intentionally left out of the original design in favor of the redirector interface, but Andrew convinced us there are good reasons for having this in external_acl.
2002-07-11 helper for Novell group validations
Vincent Gardien has published a small external_acl helper check_ncp_group to verify Novell group memberships using the ncptools package.
2002-07-05 wbinfo_group helper added to the Squid distribution
The wbinfo_group helper by Jerry Murdock has been added to the development version of Squid. It can be found in the directory helpers/external_acl.
2002-07-04 winbind group helper by Jerry Murdock
Jerry Murdock posted a Perl wrapper around the winbind wbinfo command for Windows NT group lookups on squid-users.
2002-06-23 helpers added to the Squid distribution
The ip_user, ldap_group and unix_group helpers have been added to the development version of Squid. They can be found in the directory helpers/external_acl.
2002-06-23 squid_ldap_match helper
MARA Systems AB, Sweden has published their helper for LDAP group membership checks
2002-06-23 Project completed
The external_acl patch is now fully completed and tested and has been merged into Squid-2.5 and later.
2002-04-26 ip_user helper
Rodrigo Campos has written yet another external_acl helper to base access controls on IP and user.
2002-04-18 UNIX group check helper available
Rodrigo Campos has written an external_acl helper to base access controls on UNIX group membership.
2001-12-02 Optimization of parallel lookups
Multiple identical parallel lookups are now collapsed into one call to the helper. This avoids helper request storms when a heavily used entry expires and the lookup takes a while to complete.
2001-12-01 Bugfixing
Option processing, and some memory leaks
2001-11-30 Cleanup
The configuration directives have been collapsed into one with a couple of optional options. The result cache can now be limited in size.
2001-11-17 Some bug fixes
Fixed a small memory leak. Adjusted logging to normal levels.
2001-11-17 List header members
Support for list header members has been implemented
2001-07-17 Statistics added
Statistics have been added, and queue overload is now handled more gracefully
2001-07-18 Implementation completed
The implementation has been completed
2001-07-18 Draft implementation tested
Most aspects of the draft implementation have now been tested
2001-07-17 Draft implementation
All features except for the actual external lookup have been implemented. This includes: parser, query formatter, ACL interface, status cache.
2001-07-16 Parser
The configuration parser has been completed
2001-07-12 Configuration format
Configuration format has been defined
2001-07-12 Documentation
Initial documentation written

To do

Fuzzy matches
Add support for "fuzzy" cache matches. If the helper finds that the result is not dependent on all supplied arguments then allow the helper to indicate which arguments are needed and cache on these alone.
Soft ttl
To avoid having to wait for the acl lookup to complete each time the ttl expires, use a soft ttl: a cached entry that has passed its soft ttl is still served, and a refresh is started in the background so that callers do not have to wait for the result.
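The result cache behaviour described in the 2001-12-02 entry (identical parallel lookups collapsed into one helper call) and the soft ttl proposed above can be shown together in one small model. This is an added illustration written for this page, not Squid's cache code: the helper is replaced by a callable that records what was sent to it, results come back through deliver(), and the clock is injected so the ttl boundaries can be stepped over by hand. The ttl values and the lookup key are constructed for the demonstration.

```python
"""Result cache for external acl lookups with a hard ttl, collapsing of
identical in-flight lookups, and a soft ttl refresh (added illustration,
not Squid's code)."""


class LookupCache:
    def __init__(self, send_to_helper, ttl, soft_ttl, now):
        self._send = send_to_helper  # callable(key): hands one request to the helper
        self._ttl, self._soft_ttl, self._now = ttl, soft_ttl, now
        self._entries = {}           # key -> (result, fetched_at)
        self._pending = {}           # key -> callbacks waiting on one helper request

    def lookup(self, key, callback):
        """Answer from cache when fresh; otherwise queue callback on the
        single outstanding helper request for this key."""
        entry = self._entries.get(key)
        if entry is not None:
            result, fetched_at = entry
            age = self._now() - fetched_at
            if age < self._ttl:
                callback(result)              # hit: answered without waiting
                if age >= self._soft_ttl:
                    self._start(key)          # soft ttl: refresh in the background
                return
        self._start(key)                      # miss or expired: one request per key
        self._pending[key].append(callback)   # later identical lookups collapse here

    def _start(self, key):
        if key in self._pending:
            return                            # a request for this key is already out
        self._pending[key] = []
        self._send(key)

    def deliver(self, key, result):
        """Called when the helper answers: store the result and wake every waiter."""
        self._entries[key] = (result, self._now())
        for cb in self._pending.pop(key, []):
            cb(result)


def simulate():
    """Drive the cache with a fake helper and a manual clock."""
    clock = [0]
    sent = []          # every key handed to the (fake) helper
    answers = []       # every verdict delivered to a caller
    cache = LookupCache(sent.append, ttl=60, soft_ttl=30, now=lambda: clock[0])
    key = "10.0.0.5 alice"                 # constructed lookup key (%SRC %LOGIN)

    for _ in range(3):                     # storm: three identical lookups, helper busy
        cache.lookup(key, answers.append)
    calls_after_storm = len(sent)          # 1, not 3
    cache.deliver(key, True)
    answered_after_storm = len(answers)    # 3: one answer woke every caller

    clock[0] = 20
    cache.lookup(key, answers.append)      # fresh hit
    calls_after_hit = len(sent)            # still 1

    clock[0] = 45                          # past soft ttl, before hard ttl
    cache.lookup(key, answers.append)      # served from cache, refresh started
    cache.lookup(key, answers.append)      # served from cache, no second refresh
    calls_after_soft = len(sent)           # 2
    cache.deliver(key, False)              # refreshed verdict replaces the entry
    clock[0] = 50
    cache.lookup(key, answers.append)
    refreshed_verdict = answers[-1]        # False

    clock[0] = 200                         # hard ttl expired: the caller must wait
    cache.lookup(key, answers.append)
    calls_after_hard = len(sent)           # 3
    answers_before_deliver = len(answers)  # 7: the last caller is still waiting

    return {
        "calls_after_storm": calls_after_storm,
        "answered_after_storm": answered_after_storm,
        "calls_after_hit": calls_after_hit,
        "calls_after_soft": calls_after_soft,
        "refreshed_verdict": refreshed_verdict,
        "calls_after_hard": calls_after_hard,
        "answers_before_deliver": answers_before_deliver,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The security-relevant point of the soft ttl is visible at t=45: a verdict that the helper later revokes (the refresh returns False) is still handed out until the refresh completes, so soft_ttl bounds how long a revoked authorization keeps being honoured without a wait, while the hard ttl bounds it absolutely. The collapsing at t=0 is what keeps an expiring popular entry from turning into a burst of identical helper requests.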

Known issues

%SRC_DOMAIN not supported
Originally it was planned to include a %SRC_DOMAIN format type, but this has been dropped due to time constraints. It can easily be added later.
%ACL not supported
Originally it was planned to include a %ACL format type, expanding into the referencing acl name. However, this information is not readily accessible in the acl match routine. If %ACL is needed then it may be possible to work around this API limitation by using the AclMatchedName hack.

$Id: index.html,v 1.29 2004/03/19 23:07:54 hno Exp $