Re: whitelisted IP problem

Eliezer Croitoru <eliezer@xxxxxxxxxxxx> · Tue, 20 Mar 2012 11:20:56 +0200

On 20/03/2012 07:53, Vijay wrote:
2012/03/20 10:14:23.889| aclCheckFast: list: 0x175c860
2012/03/20 10:14:23.889| ACLChecklist::preCheck: 0xbfccd8b4 checking
'ident_lookup_access deny all'
2012/03/20 10:14:23.889| ACLList::matches: checking all
2012/03/20 10:14:23.889| ACL::checklistMatches: checking 'all'
2012/03/20 10:14:23.889| aclIpAddrNetworkCompare: compare:
122.166.1.184:48347/[::] ([::]:48347)  vs [::]-[::]/[::]
2012/03/20 10:14:23.890| aclIpMatchIp: '122.166.1.184:48347' found
2012/03/20 10:14:23.890| ACL::ChecklistMatches: result for 'all' is 1
2012/03/20 10:14:23.890| ACLList::matches: result is true
2012/03/20 10:14:23.890| aclmatchAclList: 0xbfccd8b4 returning true (AND
list satisfied)
2012/03/20 10:14:23.890| ACLChecklist::markFinished: 0xbfccd8b4 checklist
processing finished
2012/03/20 10:14:23.890| FilledChecklist.cc(168) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0xbfccd8b4
2012/03/20 10:14:23.890| ACLChecklist::~ACLChecklist: destroyed 0xbfccd8b4

i'm trying again to understand and if your htt_access wasnt changed thi 
line here is the beginning of the aclchek for the client.
starts with manager = 127.0.0.1
2012/03/20 10:14:23.890| ACLChecklist::preCheck: 0x19f0128 checking
'http_access allow manager localhost server'
2012/03/20 10:14:23.890| ACLList::matches: checking manager
2012/03/20 10:14:23.890| ACL::checklistMatches: checking 'manager'
2012/03/20 10:14:23.890| ACL::ChecklistMatches: result for 'manager' is 0
2012/03/20 10:14:23.890| ACLList::matches: result is false
conclusion not from 127.0.0.1 means other ip and moving to the next 
htt_access rule to check if there is allow to accomplish there.
2012/03/20 10:14:23.890| aclmatchAclList: 0x19f0128 returning false (AND
list entry failed to match)
2012/03/20 10:14:23.890| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
starting the dont allow manager rule
2012/03/20 10:14:23.890| ACLChecklist::preCheck: 0x19f0128 checking
'http_access deny manager'
2012/03/20 10:14:23.890| ACLList::matches: checking manager
2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'manager'
2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'manager' is 0
2012/03/20 10:14:23.891| ACLList::matches: result is false
it's not mangaer so moving on to the next rule.
2012/03/20 10:14:23.891| aclmatchAclList: 0x19f0128 returning false (AND
list entry failed to match)
2012/03/20 10:14:23.891| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
moving to the next wich means dont allow to any of ports other then the 
list of safe "443,80 etc.."
2012/03/20 10:14:23.891| ACLChecklist::preCheck: 0x19f0128 checking
'http_access deny !Safe_ports'
2012/03/20 10:14:23.891| ACLList::matches: checking !Safe_ports
2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'Safe_ports'
2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2012/03/20 10:14:23.891| ACLList::matches: result is false
it's not matching not dafe ports cause it's port 80
2012/03/20 10:14:23.891| aclmatchAclList: 0x19f0128 returning false (AND
list entry failed to match)
2012/03/20 10:14:23.891| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
the next rule will be trying the CONNECT method on not SSL ports (443).
2012/03/20 10:14:23.891| ACLChecklist::preCheck: 0x19f0128 checking
'http_access deny CONNECT !SSL_ports'
2012/03/20 10:14:23.891| ACLList::matches: checking CONNECT
2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'CONNECT'
2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'CONNECT' is 1
2012/03/20 10:14:23.891| ACLList::matches: result is true
and you <<< do try to use ssl>>> (why?)
squid client wont use connect... ssl.. means i suppose you are using 
wrong code to get the site content.

2012/03/20 10:14:23.891| ACLList::matches: checking !SSL_ports
2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'SSL_ports'
2012/03/20 10:14:23.892| ACL::ChecklistMatches: result for 'SSL_ports' is 0
2012/03/20 10:14:23.892| ACLList::matches: result is true
conclusion ..you are trying to use CONNECT to not SSL port so...
2012/03/20 10:14:23.892| aclmatchAclList: 0x19f0128 returning true (AND list
satisfied)
squid finding you answering the http_access acl and will deny the connection
means you didn't add the acl's and http_access rule i sent you.

look at what i sent you and try again after.

Regards,
Eliezer
2012/03/20 10:14:23.892| ACLChecklist::markFinished: 0x19f0128 checklist
processing finished
2012/03/20 10:14:23.892| ACLChecklist::check: 0x19f0128 match found, calling
back with 0
2012/03/20 10:14:23.892| ACLFilledChecklist::checkCallback: 0x19f0128
answer=0
2012/03/20 10:14:23.892| ACLChecklist::checkCallback: 0x19f0128 answer=0
2012/03/20 10:14:23.892| aclIsProxyAuth: called for SSL_ports
2012/03/20 10:14:23.892| ACL::FindByName 'SSL_ports'
2012/03/20 10:14:23.892| aclIsProxyAuth: returning 0
2012/03/20 10:14:23.892| Gadgets.cc(57) aclGetDenyInfoPage: got called for
SSL_ports
2012/03/20 10:14:23.892| aclGetDenyInfoPage: no match
2012/03/20 10:14:23.892| FilledChecklist.cc(168) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x19f0128
2012/03/20 10:14:23.892| ACLChecklist::~ACLChecklist: destroyed 0x19f0128
2012/03/20 10:14:23.893| FilledChecklist.cc(168) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0x19f0128
2012/03/20 10:14:23.893| ACLChecklist::~ACLChecklist: destroyed 0x19f0128
2012/03/20 10:14:23.893| ConnStateData::swanSong: FD 11

Thanks&  Regards
Vijay

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
elilezer <at> ngtech.co.il