On 19/04/11 17:53, Jenny Lee wrote:
To: squid-users@xxxxxxxxxxxxxxx
Date: Tue, 19 Apr 2011 14:36:31 +1200
From: squid3@xxxxxxxxxxxxx
Subject: RE: Why doesn't REQUEST_HEADER_ACCESS work properly with aclnames?
On Mon, 18 Apr 2011 19:15:53 +0000, Jenny Lee wrote:
What is the definition of OFFICE ?
request_header_access are fast ACL which will not wait for unavailable
details to be fetched.
Ah! proxy_auth :)
Jenny
acl OFFICE src 2.2.2.2
request_header_access User-Agent allow OFFICE
request_header_access User-Agent deny all
header_replace User-Agent BOGUS AGENT
This works as expected when going direct.
However, if there is a cache_peer, still the UA is replaced.
Cache_peer logs show connection is coming with the replaced UA
(cache_peer does not modify UA in its config).
I must be missing something.
Header mangling is done before forwarding. Regardless of where it is
forwarded to. So there is no peer information available at that time.
Also, "src" matches the website IP address(es). The public website IPs
will not change because you have a cache_peer configured.
Amos
Hello Amos,
You handle 500 users here alone. Must be a tiring day. I am matching my IP with "src".
So it was, topping of the month so far. :(
Regardless, it doesn't work as expected when there is a peer forwarding.
With a slightly clearer head :) the idea I was working off was that
OFFICE / "src" will have the same result whether it is going down a peer
or direct.
Reality after looking at the code:
Mangling is done after peer selection right at the last milli-second
before sending the headers down the wire. It is done on all HTTP
requests including CONNECT tunnels when they are relayed.
Peering info *is* available. But "src" ACL does not check for that
property.
If you have 3.1 I think you want to add a "peername" ACL like so:
acl peerX peername X
request_header_access User-Agent allow OFFICE !peerX
...
Oh and "header_replace" is now "request_header_replace" in 3.1.12 or later.
Are there any debug options I must use and watch out for?
There is no "must" involved, but if you want them...
debug_options 11,6
The relevant line starts with "httpSendRequest: FD" followed by the full
HTTP request headers passed on.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.7 and 3.1.12.1
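
Added example (not part of the original thread and not Squid project code): a small Python check that reads cache.log output captured with "debug_options 11,6", finds each "httpSendRequest: FD" entry mentioned above, and reports which outbound requests carried the replaced User-Agent. The log layout (timestamp prefix, headers on the following lines, blank line at the end) is an assumption, and the sample log is constructed.

```python
import re

MARKER = "httpSendRequest: FD"
# Assumed cache.log timestamp prefix; marks the start of the next log entry.
TS = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample, not real Squid output.
SAMPLE_LOG = """\
2011/04/19 14:40:01| httpSendRequest: FD 14:
GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: BOGUS AGENT

2011/04/19 14:40:01| some unrelated debug line
2011/04/19 14:40:05| httpSendRequest: FD 15:
GET http://example.org/a HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0 (constructed)

"""

def outbound_user_agents(lines):
    """Return [(request_line, user_agent_or_None)] for each request sent."""
    results, current = [], None

    def flush():
        nonlocal current
        if current is not None and current[0] is not None:
            results.append(tuple(current))
        current = None

    for raw in lines:
        line = raw.rstrip("\r\n")
        if MARKER in line:                       # new outbound request dump
            flush()
            current = [None, None]
        elif current is None:                    # unrelated debug output
            continue
        elif not line.strip() or TS.match(line): # end of the header block
            flush()
        elif current[0] is None:                 # first line is the request line
            current[0] = line.strip()
        else:
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == "user-agent":
                current[1] = value.strip()
    flush()
    return results

def mangled(results, replacement="BOGUS AGENT"):
    """Request lines whose outbound User-Agent equals the header_replace value."""
    return [req for req, ua in results if ua == replacement]
```

Feed it the real log with outbound_user_agents(open("cache.log")) and compare the result for direct and peer-forwarded requests from the OFFICE address.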