Hello,
I would like to add support for explicit OR ACLs:
# ACL name will match if and only if any of its acl* ACLs match.
# The first matching acl (left-to-right) stops evaluation.
acl name or acl1 acl2 ...
As you know, existing Squid ACL rules are meant to be functionally
complete: they can express any combination of logical conditions
expressed by individual ACLs. However, specifying the right combination
may require a very long and confusing configuration file.
I recently came across a real-world case where 20 reasonable http_access
access rules had to be converted into more than 100 rules just to add a
single "or the user does not need authentication" condition into the
"middle" of an existing rule set. The solution was so "big" and required
such a rewrite of the existing rules that the admin thought that it
would be impossible to support his needs using Squid ACLs!
If OR ACLs are supported, no drastic increase in http_access rules would
be required to solve the same problem.
Explicit OR (and AND) ACLs also allow an admin to group related ACLs of
different types together and name them. This can be used to simplify and
self-document configurations.
IIRC the subject of explicit OR ACL support has came up recently on one
of the squid-dev threads, and there were positive remarks about adding them.
Any objections to this new feature?
Thank you,
Alex.
P.S. I do _not_ plan to support grouping/parenthesis and explicit AND/OR
operations in ACL lists. For example, the following will _not_ be
supported by this project:
http_access deny foo and ( bar or baz )
However, if there is consensus that such support is needed, it can be
added by others using the proposed AND/OR ACLs. Those ACLs would just
have to be created automatically rather than being explicitly named by
the admin.
Received on Mon Sep 24 2012 - 22:06:14 MDT
This archive was generated by hypermail 2.2.0 : Thu Sep 27 2012 - 12:00:18 MDT