<div dir="ltr">Hello, Amos,<br><br>Thanks for the information.<br><br>Can you also tell me: <br>1. Is it possible to use a macro in the <font face="monospace">annotate_client</font> ACL to copy HTTP request notes to a TCP connection? Something like:<br> <font face="monospace"> acl annotate_groups annotate_client groups=%{group}note</font><br> <br>2. What do you think, should we process the "<font face="monospace">group</font>" attribute at the connection state level as we do with the "<font face="monospace">clt_conn_tag</font>"? I think this can be easily implemented in the <font face="monospace">UpdateRequestNotes()</font> function (<font face="monospace">src/HttpRequest.cc</font>) by simply copying and pasting a few lines of code:<div><pre>
void
UpdateRequestNotes(ConnStateData *csd, HttpRequest &amp;request, NotePairs const &amp;helperNotes)
{
    // Tag client connection if the helper responded with clt_conn_tag=tag or group=groups.
    const char *cltTag = "clt_conn_tag";
    if (const char *connTag = helperNotes.findFirst(cltTag)) {
        if (csd) {
            csd->notes()->remove(cltTag);
            csd->notes()->add(cltTag, connTag);
        }
    }
    // Proposed addition: persist the helper's "group" note on the client connection the same way.
    const char *group = "group";
    if (const char *hlprGroup = helperNotes.findFirst(group)) {
        if (csd) {
            csd->notes()->remove(group);
            csd->notes()->add(group, hlprGroup);
        }
    }
    request.notes()->replaceOrAdd(&amp;helperNotes);
}
</pre></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Tue, 3 Mar 2026
at 16:02, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 04/03/2026 01:06, Andrey K wrote:<br>
> Hello,<br>
> <br>
> I use negotiate_kerberos_auth helper and it sets the AD groups list in a <br>
> group annotation attribute.<br>
> It works well, but this attribute is not available in the <br>
> subsequent requests in an ssl-bumped connection (it is available only in the <br>
> first CONNECT request).<br>
> Is it possible to make this attribute persistent in the current SSL <br>
> connection? I would like to use groups from this attribute to authorize <br>
> users using only "note"-type ACLs, no external helpers involved.<br>
<br>
Unfortunately Squid does not yet support ACLs using details directly <br>
from the tunnel's "parent" CONNECT transaction.<br>
<br>
You can use the annotate_client ACL type to mark the from-client TCP <br>
connection instead of the HTTP request. Just be aware these need to be <br>
manually configured and thus do not scale to a large number of groups.<br>
<br>
HTH<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
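<p>The per-group workaround Amos describes, written out as a constructed squid.conf fragment. This is an added illustration, not configuration from the thread or from the Squid project: the group SIDs, the destination domain and the helper path are placeholders, and the <font face="monospace">-m</font> flag on the <font face="monospace">note</font> ACL assumes the helper emits the group list as a comma-separated value (adjust the delimiter if yours differs). The idea is to match the helper's <font face="monospace">group</font> annotation on the CONNECT transaction, where it exists, and use <font face="monospace">annotate_client</font> to copy the resulting decision onto the client TCP connection so that later requests in the bumped tunnel can be authorized with a plain <font face="monospace">note</font> ACL.</p>

```conf
# Constructed squid.conf fragment (added example, not from the thread).
# SIDs, domains and paths are placeholders.

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 20 startup=0 idle=1
acl authenticated proxy_auth REQUIRED

# The helper's "group" note exists only on the authenticated transaction,
# i.e. the CONNECT request of a bumped session. Match it there.
# -m treats the note value as a delimited list (assumed comma-separated).
acl group_admins note -m group S-1-5-21-PLACEHOLDER-512
acl group_staff  note -m group S-1-5-21-PLACEHOLDER-1001

# annotate_client always matches, so it only runs when every ACL before it
# on the same http_access line matched. One mark per group is needed, which
# is the scaling limit mentioned in the reply.
acl mark_admins annotate_client role=admins
acl mark_staff  annotate_client role=staff

acl CONNECT method CONNECT
http_access allow CONNECT authenticated group_admins mark_admins
http_access allow CONNECT authenticated group_staff  mark_staff
http_access deny  CONNECT

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Requests inside the bumped tunnel carry no "group" note, but the
# connection annotation "role" set above is visible to the note ACL.
acl conn_admins note role admins
acl conn_staff  note role staff

acl admin_sites dstdomain .admin.intranet.example
http_access allow admin_sites conn_admins
http_access deny  admin_sites
http_access allow conn_admins
http_access allow conn_staff
http_access deny  all
```

<p>The connection annotation lives as long as the client TCP connection does, which is exactly what makes it usable for the bumped requests, but it also means every request on that connection inherits the mark; that is why the CONNECT rule requires <font face="monospace">authenticated</font> before the group check and the mark, and why an unmatched CONNECT is denied rather than falling through unmarked.</p>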