On Tue, Feb 1, 2011 at 18:26, Peter Warasin <peter@xxxxxxxxxx> wrote:
> Hi squids
>
> Anyone ready for helping me? Have a quite funny problem.
>
> I have a more or less complex configuration, so i cut it down to the
> interesting part.
>
> Basically it is a sandwich configuration
> squid -> content filters -> squid
> which normally is working well.
>
> However, if you try to access an *inexistent* domain, squid is not
> returning the appropriate ERR_DNS_FAIL message, but ERR_ACCESS_DENIED,
> which of course is confusing users.
>
> I narrowed the problem down by debugging squid and actually found the
> problem.
>
> Here is the interesting part of my configuration:
>
> ---------------------->8------------------------------------------------
> acl from_all         src 0.0.0.0/0.0.0.0
> acl to_all           dst 0.0.0.0/0.0.0.0
>
> # http access to squid
> http_access allow  from_localhost
> [...]
> http_access allow from_all to_all within_timeframe_rule1
> http_access deny   from_all
>
> (http_reply_access is similar and does not cause the access denied)
> ---------------------->8------------------------------------------------
>
> I found out that my
>
> http_access allow from_all to_all within_timeframe_rule1
>
> is not matching in this case, because the domain resolving did not
> return an ip address. so the request is still the domain name and squid
> is comparing the domain name with 0/0, which will not match.
>
> Ok, so i tried to solve by adding these rules:
>
> acl to_alldomain          dstdom_regex .*
> http_access allow from_all within_timeframe_rule1 to_alldomain
>
>
> This actually is working, but it seems quite an overhead to me.
>
> Is there no better solution for this?
> Something like an acl which matches not-resolved? Or something like a
> value of "none" or "no-ip" for "dst"?
>
> Anyone with a similar issue and a better solution?
>

Any reason for "from_all to_all"?
Why not just: http_access allow within_timeframe_rule1

> Thanks in advance for suggestions
>
>
> peter
>
> --
> :: e n d i a n
> :: open source - open minds
>
> :: peter warasin
> :: http://www.endian.com  :: peter@xxxxxxxxxx
>

--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com