On Saturday 01 April 2006 15:02, Henrik Nordstrom wrote: > fre 2006-03-31 klockan 16:07 -0700 skrev Dmitry S. Makovey: > > 2006/03/31 15:58:44| aclMatchAcl: checking 'acl all src > > 1.1.1.1/255.255.255.255' > > What is this?? all should be defined as > > acl all src 0.0.0.0/0 > > NOT > > 1.1.1.1/32 I know - I was eliminating possibility of having odd masks etc. so I made "all" "very specific" so that it doesn't match my src IPs; using 0.0.0.0/0.0.0.0 has the same effect. > > 2006/03/31 15:58:44| aclCheckFast: list: 0x86bb3f0 > > 2006/03/31 15:58:44| aclMatchAclList: checking clients > > 2006/03/31 15:58:44| aclMatchAcl: checking 'acl clients src > > 192.168.1.0/255.255.255.0' > > 2006/03/31 15:58:44| aclMatchIp: '255.255.255.255' NOT found > > 2006/03/31 15:58:44| aclMatchAclList: no match, returning 0 > > 2006/03/31 15:58:44| aclCheckFast: no matches, returning: 0 > > 2006/03/31 15:58:44| aclCheckFast: list: 0x86bb468 > > 2006/03/31 15:58:44| aclMatchAclList: checking all > > 2006/03/31 15:58:44| aclMatchAcl: checking 'acl all src > > 1.1.1.1/255.255.255.255' > > 2006/03/31 15:58:44| aclMatchIp: '255.255.255.255' NOT found > > Unfortunately this does not tell which directive is being > processed. But it defenitly isn't http_access.. maybe > http_reply_access. What debug level and for which service should I bump to get info on which http_*access I'm dealing with? > Any specific reason (other than the odd definiton of "all") to why > you are using src acls in http_reply_access? Yes - it's a restrictive reverse proxy, or gateway if you wish - Machines are not allowed to do outbound connections themselves and all the outbound traffic is being filtered based on network machine belongs to and other criteria. Posted ruleset was just a beginning of what I intend to do but even as "simple" as it is it didn't work. -- Dmitry Makovey Web Systems Administrator Athabasca University (780) 675-6245
Attachment:
pgpMiFctbNt4N.pgp
Description: PGP signature
