On 03.04.2012 12:02, Will Roberts wrote:
> Hi,
>
> I'm trying to log the name of the ACL that allowed/denied access for
> a particular request. I have a patch that seems to work fine on all my
> machines except one. On that one machine it'll work fine for several
> hours, but then begins logging other garbage; sometimes parts of URLs,
> other times it's just random bytes. I think my patch is correct and
> this machine has a problem, but I'd appreciate it if someone could
> take a look.
>
> My real goal is to associate a username with requests that are
> allowed based on a whitelisted IP. I had originally done this using an
> external acl helper, but found that it was too slow and would cause
> connections to randomly fail. So instead I now generate a .conf file
> that is included with my main squid config which looks like this:
>
> acl foo src 10.3.4.0/24
> acl foo src 10.4.5.0/24
> http_access allow foo

At this point "foo=true" allowed it.

> acl bar src 120.3.4.0/24
> acl bar src 120.4.5.0/24
> http_access allow bar

At this point the ACL "foo=false and bar=true" allowed it.

Implicit default rule: http_access deny all
At this point the ACL "foo=false and bar=false and src-IP" denied it.

> hence why I'm then trying to log the name of the ACL that allowed the
> connection. If there's a different way of doing that I'm open to
> suggestions.
>
> Here's the patch, I allowed the ACL to be accessible via its own
> token or to replace the user one if the user is null.

What you are logging is the last ACL tested. In the case of default
rules, they do not get tested as matches, so the deny line there above
will deny with ACL name "bar".
The whole config file line being matched would be a better thing to log
if you can find it.
PS. Patches to squid-dev please so they can be audited.
Amos
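
The point about the last ACL tested, as an added example that is not part of the original message and is not Squid's code: a small Python model of first-match http_access evaluation over the config quoted above, returning both the last ACL tested and the rule line that decided. The client addresses, the function names and the modelling of the implicit deny as a final step are assumptions made for illustration.

```python
import ipaddress

# Constructed copy of the config quoted in the thread.
ACLS = {
    "foo": ["10.3.4.0/24", "10.4.5.0/24"],
    "bar": ["120.3.4.0/24", "120.4.5.0/24"],
}
# Each rule is (action, [ACL names ANDed together]), evaluated top to bottom.
RULES = [("allow", ["foo"]), ("allow", ["bar"])]


def acl_matches(name, client_ip):
    """A src ACL matches when the client is inside any of its networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in ACLS[name])


def evaluate(client_ip):
    """Return (verdict, last_acl_tested, deciding_rule_line).

    Hypothetical model: the first rule whose ACLs all match decides.
    If no rule matches, the implicit default deny applies, and the
    last ACL tested is one that did NOT match.
    """
    last_tested = None
    for action, names in RULES:
        matched = True
        for name in names:
            last_tested = name  # what a "last ACL tested" log token records
            if not acl_matches(name, client_ip):
                matched = False
                break
        if matched:
            return action, last_tested, f"http_access {action} {' '.join(names)}"
    return "deny", last_tested, "implicit default: http_access deny all"


if __name__ == "__main__":
    # Constructed client addresses: one per branch of the config.
    for ip in ("10.4.5.7", "120.3.4.9", "198.51.100.20"):
        print(ip, evaluate(ip))
```

For the third address the verdict is deny while the last ACL tested is still "bar", so an access log keyed on that name alone would attribute a denied request to a whitelist ACL; the deciding rule line does not have that ambiguity.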