On 08/10/10 03:26, Philipp Herz - Profihost AG wrote:
Hello everybody,
actually I'm trying to migrate a Squid/SquidGuard setup from Squid
(3.0.STABLE19) to Squid (3.1.3).
The problem is that I am not able to exclude a single client identified
by its IP or MAC address from being processed by SquidGuard as the
redirector.
acl my_net src 192.168.0.0/16
acl c_by_IP src 192.168.0.99
acl c_by_MAC arp aa:bb:cc:dd:ee:ff
http_access allow my_net
http_access deny all
redirector_access deny c_by_IP
redirector_access deny c_by_MAC
# url_rewrite_access deny c_by_IP
# url_rewrite_access deny c_by_MAC
url_rewrite_program /usr/bin/squidGuard
url_rewrite_children 5
None of the attempts above are working for Squid (3.1.3). Using
directive "redirector_access deny" with Squid (3.0.STABLE19) works as
expected.
So, could you please give me any hints on how to get this thing working
or is there any known bug or limitation why it's not working with 3.1.3?
Thanks - philipp
Nothing comes to mind. IP should be working even if ARP fails.
NP: "url_rewrite_access" is the correct config out of those attempts and
is identical in meaning for all Squid since redirector_access was
deprecated by 2.5.
Firstly check the order of url_rewrite_access lines (*all of them*).
First match wins.
Then try tracing the access control tests in cache.log with:
debug_options 28,3 61,5
If that does not show the problem up try with the latest Squid-3.1 code.
Amos
Hi Amos,
thanks for your information. I have tested it again with "debug_options"
set. From the output it seems to me that there must be something
absolutely wrong with the IP/MAC based ACL.
As I understand it, cache.log shows that the client is identified by its
IP address, then checked against "http_access" and granted by "my_NET"
match. When it comes to "checking url_rewrite_access" aclIpMatchIp does
not know the IP anymore - therefore comparison fails - no match.
And yes, I have double checked the IP address of my client and the ACL.
So if you have any ideas/suggestions what to check, I would appreciate it.
Thanks again - philipp
Here is the complete snippet from cache.log:
2010/10/08 08:47:39.260| ACLChecklist::preCheck: 0x8fede08 checking 'http_access allow my_NET'
2010/10/08 08:47:39.260| ACLList::matches: checking my_NET
2010/10/08 08:47:39.260| ACL::checklistMatches: checking 'my_NET'
2010/10/08 08:47:39.260| aclIpMatchIp: '192.168.1.193:4587' found
2010/10/08 08:47:39.260| ACL::ChecklistMatches: result for 'my_NET' is 1
2010/10/08 08:47:39.260| aclmatchAclList: 0x8fede08 returning true (AND list satisfied)
2010/10/08 08:47:39.260| ACLChecklist::markFinished: 0x8fede08 checklist processing finished
2010/10/08 08:47:39.260| ACLChecklist::check: 0x8fede08 match found, calling back with 1
2010/10/08 08:47:39.261| ACLChecklist::checkCallback: 0x8fede08 answer=1
2010/10/08 08:47:39.261| ACLChecklist::preCheck: 0x8fede08 checking 'adaptation_access service_req allow all'
2010/10/08 08:47:39.261| ACLList::matches: checking all
2010/10/08 08:47:39.261| ACL::checklistMatches: checking 'all'
2010/10/08 08:47:39.261| aclIpMatchIp: '192.168.1.193:4587' found
2010/10/08 08:47:39.261| ACL::ChecklistMatches: result for 'all' is 1
2010/10/08 08:47:39.261| aclmatchAclList: 0x8fede08 returning true (AND list satisfied)
2010/10/08 08:47:39.261| ACLChecklist::markFinished: 0x8fede08 checklist processing finished
2010/10/08 08:47:39.261| ACLChecklist::check: 0x8fede08 match found, calling back with 1
2010/10/08 08:47:39.261| ACLChecklist::checkCallback: 0x8fede08 answer=1
2010/10/08 08:47:39.261| ACLChecklist::preCheck: 0x8fede08 checking 'url_rewrite_access deny c_by_IP'
2010/10/08 08:47:39.261| ACLList::matches: checking c_by_IP
2010/10/08 08:47:39.261| ACL::checklistMatches: checking 'c_by_IP'
2010/10/08 08:47:39.261| aclIpMatchIp: '[::]' NOT found
2010/10/08 08:47:39.261| ACL::ChecklistMatches: result for 'c_by_IP' is 0
2010/10/08 08:47:39.261| aclmatchAclList: 0x8fede08 returning false (AND list entry failed to match)
2010/10/08 08:47:39.261| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2010/10/08 08:47:39.261| ACLChecklist::preCheck: 0x8fede08 checking 'url_rewrite_access deny c_by_MAC'
2010/10/08 08:47:39.261| ACLList::matches: checking c_by_MAC
2010/10/08 08:47:39.261| ACL::checklistMatches: checking 'c_by_MAC'
2010/10/08 08:47:39.261| aclMatchArp: [::] NOT found
2010/10/08 08:47:39.262| ACL::ChecklistMatches: result for 'c_by_MAC' is 0
2010/10/08 08:47:39.262| aclmatchAclList: 0x8fede08 returning false (AND list entry failed to match)
2010/10/08 08:47:39.262| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2010/10/08 08:47:39.262| ACLChecklist::preCheck: 0x8fede08 checking 'url_rewrite_access allow all'
2010/10/08 08:47:39.262| ACLList::matches: checking all
2010/10/08 08:47:39.262| ACL::checklistMatches: checking 'all'
2010/10/08 08:47:39.262| aclIpMatchIp: '[::]' found
2010/10/08 08:47:39.262| ACL::ChecklistMatches: result for 'all' is 1
2010/10/08 08:47:39.262| aclmatchAclList: 0x8fede08 returning true (AND list satisfied)
2010/10/08 08:47:39.262| ACLChecklist::markFinished: 0x8fede08 checklist processing finished
2010/10/08 08:47:39.262| ACLChecklist::check: 0x8fede08 match found, calling back with 1
2010/10/08 08:47:39.262| ACLChecklist::checkCallback: 0x8fede08 answer=1
2010/10/08 08:47:39.262| redirectStart: 'http://www.ard.de/'
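
Added example, not part of the original thread and not Squid project code: a small Python audit of a "debug_options 28,3" trace like the one above. It reports every access rule whose src/arp test ran against the empty address "[::]" and failed, and it rejoins records that a mail client has wrapped onto a second line. The function names and the sample input are assumptions made for this example.

```python
import re

TS = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+\| ")
PRECHECK = re.compile(r"ACLChecklist::preCheck: \S+ checking '(.+)'$")
ADDR_TEST = re.compile(r"(aclIpMatchIp|aclMatchArp): '?([^' ]+)'? (NOT found|found)$")
UNSPECIFIED = "[::]"  # how the trace in this thread prints an empty client address

# Constructed sample in the thread's trace format; the third record is wrapped on purpose.
SAMPLE = """\
2010/10/08 08:47:39.260| ACLChecklist::preCheck: 0x8fede08 checking 'http_access allow my_NET'
2010/10/08 08:47:39.260| aclIpMatchIp: '192.168.1.193:4587' found
2010/10/08 08:47:39.261| ACLChecklist::preCheck: 0x8fede08 checking
'url_rewrite_access deny c_by_IP'
2010/10/08 08:47:39.261| aclIpMatchIp: '[::]' NOT found
2010/10/08 08:47:39.261| ACLChecklist::preCheck: 0x8fede08 checking 'url_rewrite_access deny c_by_MAC'
2010/10/08 08:47:39.261| aclMatchArp: [::] NOT found
2010/10/08 08:47:39.262| ACLChecklist::preCheck: 0x8fede08 checking 'url_rewrite_access allow all'
2010/10/08 08:47:39.262| aclIpMatchIp: '[::]' found
"""

def unwrap(text):
    """Rejoin wrapped records: a line with no timestamp continues the previous one."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def address_tests(text):
    """Return (rule, test, address, matched) for every src/arp test in the trace."""
    rule, out = None, []
    for record in unwrap(text):
        body = TS.sub("", record)
        if (m := PRECHECK.search(body)):
            rule = m.group(1)  # the access rule currently being evaluated
        elif rule and (m := ADDR_TEST.search(body)):
            out.append((rule, m.group(1), m.group(2), m.group(3) == "found"))
    return out

def blind_rules(text):
    """Rules whose src/arp test ran against an empty client address and failed."""
    return [rule for rule, _, addr, ok in address_tests(text)
            if addr == UNSPECIFIED and not ok]

if __name__ == "__main__":
    for rule in blind_rules(SAMPLE):
        print("evaluated without client address:", rule)
```
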