Re: ACLs and localhost

"paul cooper" <pdcooper@xxxxxxxxxxxxxxxx> · Mon, 31 Mar 2008 22:13:16 +0100 (BST)

this is my config
hepworth squid # grep ^acl /etc/squid/squid.conf
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
<snip>
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth
acl emma proxy_auth
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing  time MTWHF 07:30-08:00
hepworth squid # grep ^http_access /etc/squid/squid.conf
http_access deny  !Safe_ports
http_access allow emma testing
http_access allow andrew  localhost
http_access deny all
hepworth squid #

and logging in as andrew denies a poage with this
2008/03/31 20:56:37| Starting Squid Cache version 2.6.STABLE17 for
i686-pc-linux-gnu...
2008/03/31 20:56:37| Process ID 8806
2008/03/31 20:56:37| With 1024 file descriptors available
2008/03/31 20:56:37| Using epoll for the IO loop
2008/03/31 20:56:37| DNS Socket created at 0.0.0.0, port 32780, FD 6
2008/03/31 20:56:37| Adding domain home.nw from /etc/resolv.conf
2008/03/31 20:56:37| Adding nameserver 192.168.0.254 from /etc/resolv.conf
2008/03/31 20:56:37| helperOpenServers: Starting 5 'ncsa_auth' processes
2008/03/31 20:56:38| User-Agent logging is disabled.
2008/03/31 20:56:38| Referer logging is disabled.
2008/03/31 20:56:38| Unlinkd pipe opened on FD 17
2008/03/31 20:56:38| Swap maxSize 102400 KB, estimated 7876 objects
2008/03/31 20:56:38| Target number of buckets: 393
2008/03/31 20:56:38| Using 8192 Store buckets
2008/03/31 20:56:38| Max Mem  size: 8192 KB
2008/03/31 20:56:38| Max Swap size: 102400 KB
2008/03/31 20:56:38| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2008/03/31 20:56:38| Rebuilding storage in /var/cache/squid (CLEAN)
2008/03/31 20:56:38| Using Least Load store dir selection
2008/03/31 20:56:38| Set Current Directory to /var/cache/squid
2008/03/31 20:56:38| Loaded Icons.
2008/03/31 20:56:38| Accepting proxy HTTP connections at 0.0.0.0, port
3128, FD 19.
2008/03/31 20:56:38| Accepting ICP messages at 0.0.0.0, port 3130, FD 20.
2008/03/31 20:56:38| HTCP Disabled.
2008/03/31 20:56:38| WCCP Disabled.
2008/03/31 20:56:38| Ready to serve requests.
2008/03/31 20:56:38| Done reading /var/cache/squid swaplog (2219 entries)
2008/03/31 20:56:38| Finished rebuilding storage from disk.
2008/03/31 20:56:38|      2219 Entries scanned
2008/03/31 20:56:38|         0 Invalid entries.
2008/03/31 20:56:38|         0 With invalid flags.
2008/03/31 20:56:38|      2219 Objects loaded.
2008/03/31 20:56:38|         0 Objects expired.
2008/03/31 20:56:38|         0 Objects cancelled.
2008/03/31 20:56:38|         0 Duplicate URLs purged.
2008/03/31 20:56:38|         0 Swapfile clashes avoided.
2008/03/31 20:56:38|   Took 0.3 seconds (6503.0 objects/sec).
2008/03/31 20:56:38| Beginning Validation Procedure
2008/03/31 20:56:38|   Completed Validation Procedure
2008/03/31 20:56:38|   Validated 2219 Entries
2008/03/31 20:56:38|   store_swap_size = 18264k
2008/03/31 20:56:39| storeLateRelease: released 0 objects
2008/03/31 20:56:44| aclCheckFast: list: 0x82ab588
2008/03/31 20:56:44| aclMatchAclList: checking all
2008/03/31 20:56:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/31 20:56:44| aclMatchIp: '127.0.0.1' found
2008/03/31 20:56:44| aclMatchAclList: returning 1
2008/03/31 20:56:44| aclCheck: checking 'http_access deny  !Safe_ports'
2008/03/31 20:56:44| aclMatchAclList: checking !Safe_ports
2008/03/31 20:56:44| aclMatchAcl: checking 'acl Safe_ports port 80 # http'
2008/03/31 20:56:44| aclMatchAclList: no match, returning 0
2008/03/31 20:56:44| aclCheck: checking 'http_access allow emma testing'
2008/03/31 20:56:44| aclMatchAclList: checking emma
2008/03/31 20:56:44| aclMatchAcl: checking 'acl emma proxy_auth '
2008/03/31 20:56:44| aclMatchAcl: returning 0 sending credentials to helper.
2008/03/31 20:56:44| aclMatchAclList: no match, returning 0
2008/03/31 20:56:44| aclCheck: checking password via authenticator
2008/03/31 20:56:45| aclCheck: checking 'http_access allow emma testing'
2008/03/31 20:56:45| aclMatchAclList: checking emma
2008/03/31 20:56:45| aclMatchAcl: checking 'acl emma proxy_auth '
2008/03/31 20:56:45| aclMatchUser: user is andrew, case_insensitive is 0
2008/03/31 20:56:45| Top is (nil), Top->data is Unavailable
2008/03/31 20:56:45| aclMatchUser: returning 0,Top is (nil), Top->data is
Unavailable
2008/03/31 20:56:45| aclMatchAclList: no match, returning 0
2008/03/31 20:56:45| aclCheck: checking 'http_access allow andrew '
2008/03/31 20:56:45| aclMatchAclList: checking andrew
2008/03/31 20:56:45| aclMatchAcl: checking 'acl andrew proxy_auth '
2008/03/31 20:56:45| aclMatchUser: user is andrew, case_insensitive is 0
2008/03/31 20:56:45| Top is (nil), Top->data is Unavailable
2008/03/31 20:56:45| aclMatchUser: returning 0,Top is (nil), Top->data is
Unavailable
2008/03/31 20:56:45| aclMatchAclList: no match, returning 0
2008/03/31 20:56:45| aclCheck: checking 'http_access deny all'
2008/03/31 20:56:45| aclMatchAclList: checking all
2008/03/31 20:56:45| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/31 20:56:45| aclMatchIp: '127.0.0.1' found
2008/03/31 20:56:45| aclMatchAclList: returning 1
2008/03/31 20:56:45| aclCheck: match found, returning 0
2008/03/31 20:56:45| aclCheckCallback: answer=0
2008/03/31 20:56:45| The request GET http://grolma.no-ip.org/ is DENIED,
because it matched 'all'
2008/03/31 20:56:45| The reply for GET http://grolma.no-ip.org/ is
ALLOWED, because it matched 'all'

so its matching andrew  at

aclMatchUser: user is andrew, case_insensitive is 0

but then denies ????because  127.0.0.1 is matched by deny all src 0.0.0.0