Search squid archive

External ACL lookups always cause ACL no-match?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I'm trying to implement an external ACL helper than does an ip address to username lookup, but I'm having trouble with squid using an external ACL helper in general. I'm running Squid 2.7.5 on FreeBSD 7.1. To rule out my custom written helper program as the culprit, I created a basic external helper in perl that just looks like this: 

#!/usr/bin/perl
while(<STDIN>) {
        print STDOUT "OK\n";
}
I've simplified my previously complex squid.conf to the point where there is very little left that is not commented out. The relevant bits of squid.conf look like this: 

external_acl_type IP-LOOKUP %SRC /usr/local/etc/squid/always-ok.pl
acl IP-TO-USER external IP-LOOKUP
acl WIRELESS-GUEST-NET  src 10.15.5.0/255.255.255.0
http_access allow WIRELESS-GUEST-NET IP-TO-USER
http_reply_access allow WIRELESS-GUEST-NET IP-TO-USER
http_reply_access allow all
debug_options ALL,1 28,9 29,9 33,9 58,9 82,9
If I remove the "IP-TO-USER" acl from http_access and http_reply_access then everything works. As soon as I add "IP-TO-USER" to http_access, Squid will not send a reply back to the client (verified with tcpdump on the server side and Wireshark on the client side), nothing shows up in access.log, nothing shows up in cache.log (without debugging turned on, but I get plenty of ACL lookups with the debug_options line I have above). The client eventually times out. I have also tried with and without the external acl in "http_reply_access" based on other threads I have read on this mailing list.
Here are the lines from cache.log regarding the external ACL when a request is made using the above debug_options:
2009/02/10 16:05:30| aclCheck: checking 'http_access allow WIRELESS-GUEST-NET IP-TO-USER' 
2009/02/10 16:05:30| aclMatchAclList: checking WIRELESS-GUEST-NET
2009/02/10 16:05:30| aclMatchAcl: checking 'acl WIRELESS-GUEST-NET src 10.15.5.0/255.255.255.0' 
2009/02/10 16:05:30| aclMatchIp: '10.15.5.199' found
2009/02/10 16:05:30| aclMatchAclList: checking IP-TO-USER
2009/02/10 16:05:30| aclMatchAcl: checking 'acl IP-TO-USER external IP-LOOKUP'
2009/02/10 16:05:30| aclMatchExternal: acl="IP-LOOKUP"
2009/02/10 16:05:30| aclMatchExternal: IP-LOOKUP("10.15.5.199") = lookup needed 
2009/02/10 16:05:30| aclMatchAclList: no match, returning 0
2009/02/10 16:05:30| externalAclLookup: lookup in 'IP-LOOKUP' for '10.15.5.199'
Why is it returning "no match" when the external ACL helper always returns "OK"? 

--

Chris Dillon - NetEng/SysAdm
Reeds Spring R-IV School District
Technology Department
175 Elementary Rd.
Reeds Spring, MO  65737
Voice: 417-272-8266   Fax: 417-272-0015
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux