squid::acl does not support sourcing acl contents from files as SQUID does

sc.hechelmann@...
 

Hi there,

we ran into an issue with puppet-squid internally and wanted to share the fix with you.

puppet-squid seems to only allow specifying acl elements directly and seems to be missing
support for the 2nd form SQUID allows, to pull in acl contents from an external file.

Quoting from squid documentation (relevant parts marked):

#  TAG: acl
#       Defining an Access List
#
#       Every access list definition must begin with an aclname and acltype,
#       followed by either type-specific arguments or a quoted filename that
#       they are read from.
#
#          acl aclname acltype argument ...
#          acl aclname acltype "file" ...
#
#       When using "file", the file should contain one item per line.

The following patch enables the template used to support the present SQUID feature.

templates/squid.conf.acl.erb - acls with files need filename in double quotes (")

- If "e" starts with "/" emit double quotes around "e"


diff templates/squid.conf.acl.erb.orig templates/squid.conf.acl.erb

--- templates/squid.conf.acl.erb.orig

+++ templates/squid.conf.acl.erb

@@ -1,5 +1,5 @@

# <%= @comment %>

<% @entries.sort.each do |e| -%>

-acl <%= @aclname %> <%= @type %> <%= e %>

+acl <%= @aclname %> <%= @type %> <%- if e.to_s.start_with?("/") -%>"<%- end -%><%= e %><%- if e.to_s.start_with?("/") -%>"<%- end -%> <% end -%>
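
Review bot: the `e.to_s.start_with?("/")` test on the added `acl` line decides file versus literal from the value alone, so a literal entry that legitimately begins with "/" (for example a pattern for a regex ACL type such as urlpath_regex) is also wrapped in double quotes, and Squid will then treat it as a filename to read. Consider an explicit way to mark file-backed entries instead of inferring it from the first character, and reject entries containing a double quote or a newline so a value cannot close the quoted token early or spill onto a new line of squid.conf.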

 

Kind regards | Mit freundlichen Grüßen,

 

Christian Hechelmann

ATOS IT Solutions

for: IT/DT, IT-Sicherheit MCG/D

Mercedes Car Group/Development

 

Daimler AG, ITP/DT
IT-Sicherheit und Datenschutz RD / IT Security and Data Privacy RD
HPC 059/G083 - Hans-Klemm-Str.
5 - 71034 Böblingen

Phone +49-(0)70 31 90-8 41 80

Fax     +49-(0)70 31 90-8 41 11

 


Ewoud Kohl van Wijngaarden
 

On Thu, Jul 02, 2020 at 04:27:51PM +0000, sc.hechelmann@... wrote:
Hi there,

we ran into an issue with puppet-squid internally and wanted to share the fix with you.

puppet-squid seems to only allow specifying acl elements directly and seems to be missing
support for the 2nd form SQUID allows, to pull in acl contents from an external file.

Quoting from squid documentation (relevant parts marked):
# TAG: acl
# Defining an Access List
#
# Every access list definition must begin with an aclname and acltype,
# followed by either type-specific arguments or a quoted filename that
# they are read from.
#
# acl aclname acltype argument ...
# acl aclname acltype "file" ...
#
# When using "file", the file should contain one item per line.

The following patch enables the template used to support the present SQUID feature.

templates/squid.conf.acl.erb - acls with files need filename in double quotes (")

- If "e" starts with "/" emit double quotes around "e"

diff templates/squid.conf.acl.erb.orig templates/squid.conf.acl.erb
--- templates/squid.conf.acl.erb.orig
+++ templates/squid.conf.acl.erb
@@ -1,5 +1,5 @@
# <%= @comment %>
<% @entries.sort.each do |e| -%>
-acl <%= @aclname %> <%= @type %> <%= e %>
+acl <%= @aclname %> <%= @type %> <%- if e.to_s.start_with?("/") -%>"<%- end -%><%= e %><%- if e.to_s.start_with?("/") -%>"<%- end -%> <% end -%>
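
Review bot: as posted, `<% end -%>` sits at the end of the added `acl` line, and `-%>` trims the newline that follows it, so consecutive ACL directives would be rendered onto one line; the loop's `<% end -%>` needs to be on its own line. On the same line, the `e.to_s.start_with?("/")` condition is written out twice in separate `<%- if ... -%>` blocks; computing the value once, e.g. `<%= e.to_s.start_with?("/") ? "\"#{e}\"" : e %>`, is easier to read and keeps the opening and closing quote from drifting apart in a later edit.
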
This sounds valid but please submit this as a patch to GitHub
https://github.com/voxpupuli/puppet-squid

That way you get proper credit but it's also much easier to review for others.
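
The two `acl` forms from the quoted Squid documentation, rendered with ERB, as an added example that is not part of this thread or of puppet-squid's code. The `files:` parameter, the helper names and the sample values are hypothetical; file-backed entries are marked explicitly rather than inferred from a leading "/", and values that would break the quoted token are rejected.

```ruby
require 'erb'

# Added example, not puppet-squid code. `files:` is a hypothetical parameter
# that marks file-backed entries explicitly instead of guessing from a "/".
UNSAFE = /["\r\n]/ # would end the quoted token or start a new config line

def acl_arguments(entries, files)
  (entries + files).each do |v|
    raise ArgumentError, "unsafe ACL value: #{v.inspect}" if v.to_s =~ UNSAFE
  end
  files.each do |f|
    raise ArgumentError, "not an absolute path: #{f}" unless f.to_s.start_with?('/')
  end
  # Literal items are emitted bare; file references get double quotes.
  entries.map(&:to_s).sort + files.map { |f| %("#{f}") }.sort
end

TEMPLATE = <<~'ERB'
  # <%= comment %>
  <% acl_arguments(entries, files).each do |arg| -%>
  acl <%= aclname %> <%= type %> <%= arg %>
  <% end -%>
ERB

def render_acl(aclname, type, comment, entries: [], files: [])
  ERB.new(TEMPLATE, trim_mode: '-').result(binding)
end

# Constructed sample values.
puts render_acl('blocked', 'dstdomain', 'blocked sites',
                entries: ['.example.com'], files: ['/etc/squid/blocked.txt'])
puts render_acl('cgi', 'urlpath_regex', 'literal regex', entries: ['/cgi-bin/'])
```

A literal pattern such as `/cgi-bin/` stays unquoted here because only values passed through `files:` are rendered in the "file" form.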