
Using $|=1 in real life, for squidGuard

In a previous minipost I mentioned Perl’s $|=1 ‘autoflush output’ option, which flushes the currently selected output handle (STDOUT by default) after every write. This is relevant in IPC more than in interactive scripts (these are USUALLY autoflushed, although any threaded program will show you differently).

In the Squid configuration at a local firewall where authpf is used, the system not only filters connections per user (which is authpf’s job) but also authenticates them to Squid via authpf. The relevant configuration lines in /etc/squid/squid.conf are:

# next line needed to read the /var/authpf directory
cache_effective_group authpf 
external_acl_type check_authpf children=15 %SRC /usr/local/bin/authpf.pl
acl authpf external check_authpf

They tell Squid to look up the identity of the user behind the client IP (%SRC) using the mentioned script, which receives %SRC as the first field of each request line on its standard input.
The script must flush every response, as Squid cannot be left waiting for the answer. It looks more or less like this (this is obviously an excerpt):

$ cat < /usr/local/bin/authpf.pl
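#!/usr/bin/perl -w
$| = 1;    # autoflush STDOUT: Squid waits on the pipe for every answer
IP:
while(<>){
    chomp ;
    # three-argument open: the request line is only ever treated as a file name
    open IPFILE, '<', "/var/authpf/$_" or do {
        # no authpf file => unauthenticated http query
        print "ERR\n";
        next IP;
    };
    my $user;
    $user = <IPFILE>;
    chomp($user) if defined $user;
  CHECK:
    if (defined $user && length $user) {    # ...plus the checks left out of this excerpt
        print "OK user=$user\n";
    } else {
        print "ERR\n";
    }
    close IPFILE;
}
exit 1;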

It simply checks whether, for a received IP, there is an authpf-authenticated user at that IP. If there is (and some conditions hold), he is OK’ed for Squid; otherwise he is ERR’ed. The OK includes, as you see, the username (this is useful for showing customized error or information messages).
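To see what Squid experiences when the helper does not flush, the following added example (not part of the original post or of authpf.pl) plays Squid's side of the pipe against a tiny stand-in helper, once with $| = 1 and once without. The helper body, the address 192.0.2.10, the user alice and the 2-second timeout are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: plays Squid's side of the helper pipe to show why $| = 1 matters.
use strict;
use warnings;
use IPC::Open2;
use IO::Select;

# Constructed stand-in for authpf.pl: one fixed IP counts as "authenticated".
my $BODY = 'while (<STDIN>) { chomp; '
         . 'print $_ eq "192.0.2.10" ? "OK user=alice\n" : "ERR\n" }';

# Send one %SRC line, wait up to $timeout seconds for the answer, then close
# the pipe and collect whatever the helper only flushes when it exits.
sub ask {
    my ($autoflush, $ip, $timeout) = @_;
    my $code = ($autoflush ? '$| = 1; ' : '') . $BODY;
    # List form of open2: the helper is exec'd directly, no shell involved.
    my $pid  = open2(my $from_helper, my $to_helper, $^X, '-e', $code);

    print {$to_helper} "$ip\n";          # open2 turns autoflush on for this handle
    my ($in_time, $late) = ('', '');
    if (IO::Select->new($from_helper)->can_read($timeout)) {
        sysread($from_helper, $in_time, 4096);   # unbuffered read, safe with select
    }
    close $to_helper;                    # EOF: helper leaves its loop and exits
    while (sysread($from_helper, my $chunk, 4096)) { $late .= $chunk }
    close $from_helper;
    waitpid($pid, 0);
    chomp($in_time, $late);
    return ($in_time, $late);
}

for my $autoflush (1, 0) {
    my ($in_time, $late) = ask($autoflush, '192.0.2.10', 2);
    printf "%-12s answer within 2s: %-15s after helper exit: %s\n",
        $autoflush ? '$| = 1' : 'no autoflush',
        $in_time eq '' ? '(none)' : $in_time,
        $late    eq '' ? '(none)' : $late;
}
```

With $| = 1 the answer arrives inside the timeout. Without it the answer sits in the helper's output buffer and only appears once the helper exits, which for a long-running Squid helper means the request hangs.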
