Hi squids Anyone ready for helping me? Have a quite funny problem. I have a more or less complex configuration, so i cut it down to the interesting part. Basically it is a sandwich configuration squid -> content filters -> squid which normally is working well. However, if you try to access an *inexistent* domain, squid is not returning the appropriate ERR_DNS_FAIL message, but ERR_ACCESS_DENIED, which of course is confusing users. I narrowed the problem down by debugging squid and actually found the problem. Here is the interesting part of my configuration: ---------------------->8------------------------------------------------ acl from_all src 0.0.0.0/0.0.0.0 acl to_all dst 0.0.0.0/0.0.0.0 # http access to squid http_access allow from_localhost [...] http_access allow from_all to_all within_timeframe_rule1 http_access deny from_all (http_reply_access is similar and does not cause the access denied) ---------------------->8------------------------------------------------ I found out that my http_access allow from_all to_all within_timeframe_rule1 is not matching in this case, because the domain resolving did not return an ip address. so the request is still the domain name and squid is comparing the domain name with 0/0, which will not match. Ok, so i tried to solve by adding these rules: acl to_alldomain dstdom_regex .* http_access allow from_all within_timeframe_rule1 to_alldomain This actually is working, but it seems quite an overhead to me. Is there no better solution for this? Something like an acl which matches not-resolved? Or something like a value of "none" or "no-ip" for "dst"? Anyone with a similar issue and a better solution? Thanks in advance for suggestions peter -- :: e n d i a n :: open source - open minds :: peter warasin :: http://www.endian.com :: peter@xxxxxxxxxx
