Bug 42544 - Additional Squid acl types
Status: NEW
Product: UCS
Classification: Unclassified
Component: Squid
UCS 4.4
amd64 Linux
: P5 enhancement with 1 vote
: UCS 5.0-0-errata
Assigned To: UCS maintainers
:
Depends on:
Blocks:
Reported: 2016-09-30 13:00 CEST by Olivier Magloire
Modified: 2021-04-28 10:09 CEST

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017052521000491
Bug group (optional): External feedback, Usability
Max CVSS v3 score:
best: Patch_Available+


Attachments
squid diff (1.81 KB, patch)
2016-09-30 13:00 CEST, Olivier Magloire
diff_2 (1.79 KB, patch)
2016-09-30 16:39 CEST, Olivier Magloire

Description Olivier Magloire 2016-09-30 13:00:15 CEST
Created attachment 8057 [details]
squid diff

While migrating from file-based ACLs to UCR-variable-based ones, I noticed that at least three acl types are missing.

urlpath_regex
rep_mime_type
proxy_auth_regex

I extended /etc/univention/templates/files/etc/squid3/squid.conf accordingly, so that I can set these acl types as ucr variables.

See the attached diff.

Can you include this patch in the repository?
Comment 1 Olivier Magloire 2016-09-30 16:39:55 CEST
Created attachment 8059 [details]
diff_2
Comment 2 Olivier Magloire 2016-09-30 16:40:20 CEST
I also added the dst acl type, see the second diff (includes the previous diff which can be ignored).
There is no error handling for correct CIDR notation yet.

Additionally it would be nice if you could sort the parsed acl names in the squid.conf by name and human readable numbers.

The following extract should clarify my request.

acl useracl_dstdomain_i_4 dstdom_regex -i xxx
acl useracl_urlpath_i_15 urlpath_regex -i xxx
acl useracl_dstdomain_i_8 dstdom_regex -i xxx
acl useracl_urlpath_i_7 urlpath_regex -i xxx
acl useracl_urlpath_i_33 urlpath_regex -i xxx
acl useracl_urlpath_i_10 urlpath_regex -i xxx
acl useracl_urlpath_i_25 urlpath_regex -i xxx
acl useracl_dstdomain_i_5 dstdom_regex -i xxx
acl useracl_urlpath_i_28 urlpath_regex -i xxx
acl useracl_urlpath_i_13 urlpath_regex -i xxx
acl useracl_dstdomain_i_1 dstdom_regex -i xxx
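
Added example (not part of the attached patches or of Univention's squid.conf template): one way to cover the two open points from comment 2, rejecting malformed CIDR values for dst ACLs and ordering ACL names with numbers compared as integers. The function names and the dst sample lines are assumptions made for illustration; only plain addresses and CIDR networks are checked.

```python
import ipaddress
import re

# Constructed sample in the shape of the extract above; the dst lines and
# their values are made up for this example.
SAMPLE = """\
acl useracl_urlpath_i_15 urlpath_regex -i xxx
acl useracl_dstdomain_i_4 dstdom_regex -i xxx
acl useracl_urlpath_i_7 urlpath_regex -i xxx
acl useracl_dst_2 dst 192.0.2.0/24
acl useracl_dst_10 dst 192.0.2.300/24
acl useracl_dst_1 dst 2001:db8::/32
"""


def natural_key(name):
    """Split into text and integer chunks so that _7 sorts before _15."""
    return [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", name)]


def valid_dst(value):
    """True for a single IPv4/IPv6 address or a network in CIDR notation."""
    try:
        # strict=True also rejects networks with host bits set (192.0.2.5/24)
        ipaddress.ip_network(value, strict=True)
        return True
    except ValueError:
        return False


def render(lines):
    """Return (accepted ACL lines in natural order, rejected lines)."""
    good, bad = [], []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "acl":
            bad.append(line)
            continue
        acl_type = parts[2]
        values = [v for v in parts[3:] if not v.startswith("-")]  # skip options
        if acl_type == "dst" and not all(valid_dst(v) for v in values):
            bad.append(line)  # keep a broken entry out of squid.conf
            continue
        good.append(line)
    good.sort(key=lambda entry: natural_key(entry.split()[1]))
    return good, bad


if __name__ == "__main__":
    accepted, rejected = render(SAMPLE.splitlines())
    print("\n".join(accepted))
    print("rejected:", rejected)
```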
Comment 3 Michael Grandjean univentionstaff 2017-05-26 00:22:36 CEST
We should really expand the accepted ACL elements. In a customer scenario we need 'src' and 'arp' to whitelist certain clients.
Comment 4 Florian Best univentionstaff 2017-06-28 14:52:44 CEST
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Comment 5 Michael Grandjean univentionstaff 2018-04-27 15:39:01 CEST
Another customer needs this, too.
The "src" acl type is especially handy to exclude certain clients or networks from authentication (think unjoined or administrative clients).

Workaround: write custom ACLs and rules to /etc/squid3/local_rules.conf
Comment 7 Florian Best univentionstaff 2019-08-07 15:18:42 CEST
@Ingo:
The author of the Pull Request asked "when will this be merged?"
Comment 8 Ingo Steuwer univentionstaff 2019-08-08 12:32:31 CEST
(In reply to Florian Best from comment #7)
> @Ingo:
> The author of the Pull Request asked "when will this be merged?"

It is in the Product Backlog. I expect that we will review the patch in August, but can't guarantee.
Comment 9 Philipp Hahn univentionstaff 2020-07-03 12:28:47 CEST
The bug is 4 years old by now and already contained an initial diff.
There is still this PR, which has been open for 2 years by now.