On Tue, 2013-07-16 at 23:30 +1200, Amos Jeffries wrote:
> Does the X-Forwarded-For header actually contain an IP from the
> 172.21.120.0/24 subnet (and not some IPv6 address from that subnet's
> IPv6 ranges).

Yeah, it seems to be:

GET http://www.google.com/ HTTP/1.1
Accept: */*
Host: www.google.com
User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Via: 1.1 cake-icap (squid/3.3.6)
X-Forwarded-For: 172.21.120.23
Cache-Control: max-age=259200
Connection: keep-alive

> Also, re-check this after fixing the follow_x_forwarded_for trust
> ACLs. That may be affecting the results.

I went back to the original lines:

acl localsrc src 127.0.0.1
follow_x_forwarded_for allow localsrc

Here is the output from debug_options ALL,1 17,9 28,9 when I make a request:

2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches: checking forwardTrafficSubnet1
2013/07/16 14:27:53.773 kid1| Acl.cc(326) checklistMatches: ACL::checklistMatches: checking 'forwardTrafficSubnet1'
2013/07/16 14:27:53.773 kid1| Ip.cc(134) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 172.21.120.23/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (172.21.120.0) vs 172.21.120.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp: '172.21.120.23' found
2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches: ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
2013/07/16 14:27:53.773 kid1| Acl.cc(349) matches: forwardTrafficSubnet1 matched.
2013/07/16 14:27:53.773 kid1| Acl.cc(363) matches: forwardTrafficSubnet1 result is true
2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8 matched=1 async=0 finished=0
2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8 success: all ACLs matched
2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8 answer DENIED for first matching rule won
2013/07/16 14:27:53.773 kid1| Checklist.cc(88) matchNonBlocking: ACLChecklist::check: 0x1d8afd8 match found, calling back with DENIED

I don't know why it says that the rule matched but that it is returning DENIED.

Cheers,
-- 
Michael Graham <mgraham@xxxxxxxxx>
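Added example, not from this thread or the Squid project: a small Python parser for the kind of ACL trace quoted in the mail above. It groups each checklist's per-ACL results with the final answer so that "matched" and "DENIED" can be read side by side; the embedded sample lines are constructed from the ones quoted here.

```python
import re

# Constructed sample: trace lines in the shape of the squid ACL debug output quoted in the mail
SAMPLE_LOG = """\
2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches: checking forwardTrafficSubnet1
2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp: '172.21.120.23' found
2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches: ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8 matched=1 async=0 finished=0
2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8 success: all ACLs matched
2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8 answer DENIED for first matching rule won
"""

# One pattern per event we care about; every other trace line is ignored
ACL_RESULT = re.compile(r"result for '(?P<acl>[^']+)' is (?P<val>\d+)")
MATCH_NODE = re.compile(r"matchNode: (?P<cl>0x[0-9a-f]+) matched=(?P<m>\d)")
FINISHED = re.compile(r"markFinished: (?P<cl>0x[0-9a-f]+) answer (?P<ans>[A-Z]+) for (?P<why>.*)$")

def summarize(log_text):
    """Group the trace by checklist id: {id: {"acls": [(name, matched)], "answer", "reason"}}.
    ACL result lines carry no checklist id, so they are buffered and attached to the
    next matchNode line that names one."""
    pending, out = [], {}
    for line in log_text.splitlines():
        if m := ACL_RESULT.search(line):
            pending.append((m["acl"], m["val"] == "1"))
        elif m := MATCH_NODE.search(line):
            entry = out.setdefault(m["cl"], {"acls": [], "answer": None, "reason": None})
            entry["acls"].extend(pending)
            pending = []
        elif m := FINISHED.search(line):
            entry = out.setdefault(m["cl"], {"acls": [], "answer": None, "reason": None})
            entry["answer"] = m["ans"]
            entry["reason"] = m["why"]
    return out

def explain(summary):
    """One line per checklist. In squid, 'first matching rule won' means the answer is
    the allow/deny action of the rule whose ACLs all matched, so ACLs matching and an
    answer of DENIED together point at that rule being a deny rule."""
    lines = []
    for cl, e in summary.items():
        acls = ", ".join(f"{n}={'match' if ok else 'no match'}" for n, ok in e["acls"])
        lines.append(f"{cl}: [{acls}] -> {e['answer']} ({e['reason']})")
    return lines

if __name__ == "__main__":
    print("\n".join(explain(summarize(SAMPLE_LOG))))
```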