On 02/02/11 00:26, Peter Warasin wrote:
Hi squids
Anyone ready for helping me? Have a quite funny problem.
I have a more or less complex configuration, so i cut it down to the
interesting part.
Basically it is a sandwich configuration
squid -> content filters -> squid
which normally is working well.
However, if you try to access an *inexistent* domain, squid is not
returning the appropriate ERR_DNS_FAIL message, but ERR_ACCESS_DENIED,
which of course is confusing users.
I narrowed the problem down by debugging squid and actually found the
problem.
Here is the interesting part of my configuration:
---------------------->8------------------------------------------------
acl from_all src 0.0.0.0/0.0.0.0
acl to_all dst 0.0.0.0/0.0.0.0
# http access to squid
http_access allow from_localhost
[...]
http_access allow from_all to_all within_timeframe_rule1
http_access deny from_all
(http_reply_access is similar and does not cause the access denied)
---------------------->8------------------------------------------------
I found out that my
http_access allow from_all to_all within_timeframe_rule1
is not matching in this case, because the domain resolving did not
return an ip address. so the request is still the domain name and squid
is comparing the domain name with 0/0, which will not match.
What version of Squid is this? The dst ACL has been long fixed not to
use strings at all but to test the numeric values and return fail on
unresolvables without any comparisons happening.
Ok, so i tried to solve by adding these rules:
acl to_alldomain dstdom_regex .*
http_access allow from_all within_timeframe_rule1 to_alldomain
This actually is working, but it seems quite an overhead to me.
Yes it does seem overly complex. Lets look at the parts...
* from_all ... if the request comes from a machine with an IPv4
address (0.0.0.0 'self' included).
Since the only way to reach Squid is via IP transport...
In all Squid older than 3.1 this equates to "true".
In 3.1 the ACL should be defined "src ipv4" and thinking of it as
"all" the network is wrong.
* to_alldomain ... if true. every request will match this so you will
get the same behaviour by removing it entirely.
Is there no better solution for this?
Something like an acl which matches not-resolved? Or something like a
value of "none" or "no-ip" for "dst"?
Anyone with a similar issue and a better solution?
The ! operator.
As to_all matches a set of domains so !to_all will match the others.
The big question begging to be answered is why you have the horribly
redundant line in the first place?
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.10
Beta testers wanted for 3.2.0.4
