RFC: ACL ordering defaults for deny #36

Open
warrenpnz opened this issue Dec 13, 2016 · 5 comments

Comments

@warrenpnz
Contributor

warrenpnz commented Dec 13, 2016

This is more a request for comment than an issue, but when defining ACLs, I found that I needed to specify an order for the denies to order them correctly. If this was defaulted in code to a higher priority such as below, then we could get away with the defaults. Thoughts?

define squid::http_access (
  $action = 'allow',
  $value  = $title,
  $order  = undef,
) {

  validate_re($action, ['^allow$', '^deny$'])
  validate_string($value)

  # An explicit $order always wins; otherwise allows get a low (early)
  # fragment order and denies a high (late) one, so allows come first.
  if $order {
    $fragorder = $order
  } elsif $action == 'allow' {
    $fragorder = '05'
  } else {
    $fragorder = '75'
  }

  # concat emits fragments sorted by this order string.
  concat::fragment { "squid_http_access_${value}":
    target  => $squid::config,
    content => template('squid/squid.conf.http_access.erb'),
    order   => "20-${fragorder}-${action}",
  }

}
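The ordering scheme in the snippet above, modelled in Python as an added example that is not from the issue or the puppet-squid module. It assumes, as puppetlabs-concat does by default, that fragments are emitted in alphabetical order of their `order` string, and uses constructed ACL names to show both the default behaviour and the explicit override needed for the deny-before-allow case hdep raises later in the thread.

```python
# Added example: a model of concat's alphabetical fragment ordering applied
# to the proposed squid::http_access defaults (not the module's own code).
from typing import List, Optional, Tuple

DEFAULT_PRIORITY = {"allow": "05", "deny": "75"}  # proposal: allows sort first


def fragment_order(action: str, order: Optional[str] = None) -> str:
    """Mirror the proposed logic: an explicit $order wins, otherwise allow
    gets the low (early) priority and deny the high (late) one."""
    if action not in DEFAULT_PRIORITY:
        raise ValueError(f"action must be allow or deny, got {action!r}")
    fragorder = order if order is not None else DEFAULT_PRIORITY[action]
    return f"20-{fragorder}-{action}"


def render_http_access(rules: List[Tuple[str, str, Optional[str]]]) -> List[str]:
    """rules: (action, acl value, explicit order or None), in declaration
    order. concat sorts fragments by the order string (its default 'alpha'
    mode), so the rendered http_access lines come out in sorted-key order.
    Note this is a string sort: '100' sorts before '75', so zero-pad."""
    keyed = [(fragment_order(action, order), f"http_access {action} {value}")
             for action, value, order in rules]
    keyed.sort(key=lambda kv: kv[0])  # stable: equal keys keep declaration order
    return [line for _, line in keyed]


# Constructed rules, declared in the order an admin might write them.
DEFAULT_RULES = [
    ("deny", "!Safe_ports", None),
    ("allow", "localhost", None),
    ("deny", "all", None),
    ("allow", "localnet", None),
]

# Constructed deny-before-allow case: to_localhost must precede the allows,
# which needs an explicit $order that sorts below the allow default of '05'.
OVERRIDE_RULES = [
    ("allow", "localnet", None),
    ("deny", "to_localhost", "01"),
    ("deny", "all", None),
]

if __name__ == "__main__":
    for rules in (DEFAULT_RULES, OVERRIDE_RULES):
        print("\n".join(render_http_access(rules)), end="\n\n")
```

With the plain defaults `deny !Safe_ports` lands after `allow localnet`, the reverse of the stock squid.conf layout, so a default priority alone does not reproduce the recommended ACL order and such denies still need an explicit `$order`.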
@matonb
Contributor

matonb commented Jun 30, 2017

How about something along these lines:

define squid::acl (
  String  $type,
  Boolean $allow_first = true,
  String  $aclname     = $title,
  Array   $entries     = [],
  String  $order       = '05',
  String  $comment     = "acl fragment for ${aclname}",
) {

  # When allow_first is set, allow fragments get the lowest priority band
  # so they are emitted before every deny, regardless of $order.
  $priority = ($allow_first and $type == 'allow') ? {
    true    => '000',
    default => '200',
  }

  concat::fragment { "squid_acl_${aclname}":
    target  => $::squid::config,
    content => template('squid/squid.conf.acl.erb'),
    order   => "10-${priority}-${order}-${type}",
  }

}

Although allow_first should probably be defined in init.pp / params.pp, or you could make a right mess by changing it each time squid::acl was called.

@ekohl
Member

ekohl commented Nov 16, 2017

Something like this makes sense. I know it's been a while but would you be interested in writing up a PR for this?

@matonb
Contributor

matonb commented Nov 16, 2017

I could, just not sure when I'll get to it though.
@warrenpnz happy to step back if you want to pick this up

@traylenator
Contributor

So currently the order => "10-${order}-${type_cleaned}"

So allows always come before denies? Is that not the case? That was the intention for sure.

Steve.

@hdep

hdep commented Apr 15, 2021

Hi,

I have the same issue.
I need to set http_access deny to_localhost before allow.

Any news on this?

5 participants