Re: debugging ACLs

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

paul cooper wrote:
> so ive tried to simplify this to see if i can work out whats going on
>
> squid 2.6.17  on gentoo linux
>
>
> /etc/squid/ip_user.conf
> 127.0.0.1	ALL
>
> /etc/squid/squid.conf
> hepworth andrew # grep ^[a-z] /etc/squid/squid.conf
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 1 hours
> auth_param basic casesensitive off
> external_acl_type ip_user_helper %SRC %LOGIN
> /usr/libexec/squid/ip_user_check  -f /etc/squid/ip_user.conf
> acl all src 0.0.0.0/0.0.0.0
> acl hepworth external ip_user_helper
> http_access allow hepworth
> http_access deny all
> icp_access allow all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log squid
> debug_options ALL,1  33,2 28,9
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> visible_hostname AnnesHouse
> forwarded_for off
> coredump_dir /var/cache/squid
> hepworth andrew #
>
> and i use a browser to get http://www.bbc.co.uk which -> cache access denied
>
>
> and this in cache.log
>
> 2008/03/19 21:37:16| aclCheckFast: list: 0x82a76f0
> 2008/03/19 21:37:16| aclMatchAclList: checking all
> 2008/03/19 21:37:16| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/19 21:37:16| aclMatchIp: '127.0.0.1' found
> 2008/03/19 21:37:16| aclMatchAclList: returning 1
> 2008/03/19 21:37:16| aclCheck: checking 'http_access allow hepworth'
> 2008/03/19 21:37:16| aclMatchAclList: checking hepworth
> 2008/03/19 21:37:16| aclMatchAcl: checking 'acl hepworth external
> ip_user_helper'
> 2008/03/19 21:37:16| aclMatchAcl: returning 0 sending authentication
> challenge.
> 2008/03/19 21:37:16| aclMatchAclList: no match, returning 0
> 2008/03/19 21:37:16| aclCheck: requiring Proxy Auth header.

checking for Proxy-Auth...:

> 2008/03/19 21:37:16| aclCheck: match found, returning 2

found the header (nothing about the headers content though)...

> 2008/03/19 21:37:16| aclCheckCallback: answer=2
> 2008/03/19 21:37:16| The request GET http://www.bbc.co.uk/ is DENIED,
> because it matched 'hepworth'

... the header content fails to match the ACL text.

> 2008/03/19 21:37:16| The reply for GET http://www.bbc.co.uk/ is ALLOWED,
> because it matched 'hepworth'

407 reply ('auth needed') gets sent out ok.

> it would appear to be authenticating the user ( ie ALL from 127.0.0.1)
> so  where is it denying the request ?

It looks to me like the authentication details are being found but do 
not match the ACL.

I think it may be related to the user-domain. Does the fix for bug 2172 
fix this?


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.