TAG NAME external_acl_type

Description This tag defines external acl classes using a helper program to look up the status
Build Option
 Default
Usage
 external_acl_type name [options] FORMAT.. path/helper [helper arguments..]
Default
 none
Synopsis
This tag defines how the external acl classes using a helper program should look up the status.

Arguments

name
 External acl type name
path
 Path to the external helper program
helper
 Helper program

Options:

ttl=n
 TTL in seconds for cached results (defaults to 3600 for 1 hour)
negative_ttl=n
 TTL for cached negative lookups (default same as ttl)
children=n
 Number of acl helper processes spawn to service external acl lookups of this type.
concurrency=n
 concurrency level per process. Use 0 for old style helpers who can only process a single request at a time.
cache=n
 result cache size, 0 is unbounded (default)
grace=n
 Percentage remaining of TTL where a refresh of a cached entry should be initiated without needing to wait
for a new reply. (default 0 for no grace period)
protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers

FORMAT specifications:

%LOGIN Authenticated user login name
%IDENT Ident user name
%SRC Client IP
%SRCPORT Client source port
%DST Requested host
%PROTO Requested protocol
%PORT Requested port
%PATH Requested URL path
%METHOD Request method
%MYADDR Squid interface address
%MYPORT Squid http_port number
%USER_CERT SSL User certificate in PEM format
%USER_CERTCHAIN SSL User certificate chain in PEM format
%USER_CERT_xx
 SSL User certificate attribute xx
%USER_CA_xx SSL User certificate CA attribute xx
%{Header} HTTP request header
%{Hdr:member} HTTP request header list member
%{Hdr:;member} HTTP request header list member using ; as list separator. ; can be any non-alphanumeric character.
%ACL The ACL name
%DATA The ACL arguments.

In addition, any string specified in the referencing acl will also be included in the helper request line, after the specified formats (see the “acl external” directive)

The helper receives lines per the above format specification, and returns lines starting with OK or ERR indicating the validity of the request and optionally followed by additional keywords with more details.

If protocol=3.0 (the default) then URL escaping is used to protect each value in both requests and responses.

If using protocol=2.5 then all values need to be enclosed in quotes if they may contain whitespace, or the whitespace escaped using \. And quotes or \ characters within the keyword value must be \ escaped.
When using the concurrency= option the protocol is changed by introducing a query channel tag infront of the request/response. The query channel tag is a number between 0 and concurrency-1.

General result syntax: OK/ERR keyword=value …

Defined Keywords
user= The users name (login)
password= The users password (for login= cache_peer option)
message= Message describing the reason. Available as %o in error pages
log= String to be logged in access.log. Available as %ea in logformat specifications

Keyword values need to be enclosed in quotes if they may contain whitespace, or the whitespace escaped using \. Any quotes or \ characters within the keyword value must be \ escaped.

Example(s)

auth_param basic program < put your authenticator here >
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1800 seconds
external_acl_type checkip children = 20 %LOGIN %SRC /usr/local/Squid/bin/checkip.pl
acl password external checkip
acl it src 172.16.20.1-172.16.20.199/255.255.255.255
http_access allow it password

Allows user if user belongs to a group that is allowed during a given time and using a given ip