This work aims at implementing a extensible external acl scheme for squid,
driven by helpers.
Note: This project has been finished, and is now part of the mainline Squid sources
since Squid 2.5.STABLE1. Because of this these pages is no longer actively
updated and may differ slightly from the functionality found in Squid. The authorative source for configuration syntax etc is the squid.conf.default documentation. These pages is kept for a while as historic reference.
This to allow implementation of
- by querying if this user belongs to a given group
- Complex authorization checks
- by combining for example userid + IP, and make sure the user is using his assigned IP address.
- and many more
- Basig guidelines by which this is designed
- Description of the configuration syntax
Available helpers using the interface
- ident lookups
- The external_acl_fuzzy patch includes a ident lookup helper. Together with the patch this provides the capability of per source-IP ident lookups.
- check_ncp_group by Vincent Gardien
- Check belonging of Novell users in Novell specified groups using the NCP stack provided by ncptools.This works with true Novell servers 4.x and 5.x with and
without IPX support.
- wbinfo_group by Jerry Murdock
- LDAP Group by MARA Systems AB
- Allows you to control users access based on LDAP group memberships
- check_group by Rodrigo Campos.
- Allows you to control users access based on UNIX group memberships
- ip_user by Rodrigo Campos.
- Allows you to restrict users to their specific IP addresses based on a simple file listing the users and their IP address/network.
- 2004-03-20 external_acl_fuzzy patch
- The external_acl_fuzzy patch has been published. This patch adds the capability to cache external acl lookups at higher levels only using part of the lookup data, and also adds a number of new format directives for matching local/remote port numbers etc. The new format directives are already available in Squid-3.0, but the extended caching requires some additional work before it can get merged.
- ext_user acl type (Squid-3)
- ext_user/ext_user_regex acl types added to match username returned by external acl processing.
- 2003-05-29 overlapping requests (Squid-3)
- Support for overlapping requests added, where the helper can support multiple concurrent requests, compared to the single request at a time per helper process original design.
- 2003-05-20 tagging of requests (Squid-3)
- Concept or request tagging introduced, where external acls may tag requests with information later used in other acl elements, allowing more expressive matches than just "true/false".
- 2003-02-27 %LOGIN fixed
- %LOGIN fixed to require authentication if the user is not yet authenticated
- 2002-12-09 SSL related directives added (Squid-3)
- Format directives for matching SSL certificate information has been added
- 2002-09-07 Quoting of helper arguments
- squid.conf parser fixed to allow quoting of helper arguments
- 2002-08-21 %PATH directive (Squid-3)
- Andrew Wansink implemented a %PATH directive for accessing the urlpath component from external_acl. This was intentionally left out from the original design in favor for the redirector interface, but Andrew convinced us there is good reasons for having this in external_acl.
- 2002-07-11 helper for Novell group validations
- Vincent Gardien has published a small external_acl helper check_ncp_group to verify Novell group memberships using the ncptools package.
- 2002-07-05 wbinfo_group helper added to the Squid distribution
- The wbinfo_group helper by Jerry Murdock has been added to the development version of Squid. Can be found in the directory helpers/external_acl.
- 2002-07-04 winbind group helper by Jerry Murdock
- Jerry Murdock posted a Perl wrapper around the winbind wbinfo command for Windows NT group lookups on squid-users.
- 2002-06-23 helpers added to the Squid distribution
- The ip_user, ldap_group and unix_group helpers have been added to the development version of Squid. Can be found in the directory helpers/external_acl.
- 2002-06-23 squid_ldap_match helper
- MARA Systems AB, Sweden has published their helper for LDAP group membership checks
- 2002-06-23 Project completed
- The external_acl patch is now fully completed and tested and has been merged into Squid-2.5 and later.
- 2002-04-26 ip_user helper
- Rodrigo Campos has written yet another external_acl helper to base access controls on IP and user.
- 2002-04-18 UNIX group check helper available
- Rodrigo Campos has written a external_acl helper to base access controls on UNIX group membership.
- 2001-12-02 Opimization of parallell lookups
- Multiple identical parallell lookups are now collapsed into one call to the helper. This to avoid helper request storms when a highly used entry expires and the lookup takes a while to complete.
- 2001-12-01 Bugfixing
- Option processing, and some memory leaks
- 2001-11-30 Cleanup
- The configuration directives have been collapsed into one with a couple of optional options. The result cache can now be limited in size.
- 2001-11-17 Some bug fixes
- Was leaking a bit of memory. Adjusted logging to normal levels.
- 2001-11-17 List header members
- Support for list header members have beein implemented
- 2001-07-17 Statistics added
- Statistics has been added, and it now also manages queue overload more gracefully
- 2001-07-18 Implementation completed
- The implementation has been completed
- 2001-07-18 Draft implementation tested
- Most aspects of the draft implementation has now been tested
- 2001-07-17 Draft implementation
- All features except for the actual external lookup has been implemented. This includes; parser, query formatter, ACL interface, status cache.
- 2001-07-16 Parser
- The configuration parser has been completed
- 2001-07-12 Configuration format
- Configuration format have been defined
- 2001-07-12 Documentation
- Initial documentation written
- Fyzzy matches
- Add support for "fuzzy" cache matches. If the helper finds that the result is not dependent on all supplied arguments then allow the helper to indicate which arguments are needed and cache on these alone.
- Soft ttl
- To avoid having to wait for the acl lookup to complete each time the ttl expires, use a soft ttl where cached acls are refreshed before they expire without having to wait for the result.
- %SRC_DOMAIN not supported
- Originally it was planned to include a %SRC_DOMAIN format type, but this has been dropped due to time constraints. Can easily be added later.
- %ACL not supported
- Originally it was planned to include a %ACL format type, expanding into the referencing acl name. However, this information is not readily accessible in the acl match routine. If %ACL is needed then it may be possible to work around this API limitation by using the AclMatchedName hack.
$Id: index.html,v 1.29 2004/03/19 23:07:54 hno Exp $