On Tue, 2013-07-16 at 09:31 -0400, Michael Graham wrote:
> On Tue, 2013-07-16 at 23:30 +1200, Amos Jeffries wrote:
> > Does the X-Forwarded-For header actually contain an IP from the
> > 172.21.120.0/24 subnet (and not some IPv6 address from that subnet's
> > IPv6 ranges).
>
> Yeah it seems to be:
>
> GET http://www.google.com/ HTTP/1.1
> Accept: */*
> Host: www.google.com
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7
> OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Via: 1.1 cake-icap (squid/3.3.6)
> X-Forwarded-For: 172.21.120.23
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> > Also, re-check this after fixing the follow_x_forwarded_for trust
> > ACLs. That may be affecting the results.
>
> I've gone back to the original lines:
>
> acl localsrc src 127.0.0.1
> follow_x_forwarded_for allow localsrc
>
> Here is the output from debug_options ALL,1 17,9 28,9 when I make a
> request:
>
> 2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches:
> checking forwardTrafficSubnet1
> 2013/07/16 14:27:53.773 kid1| Acl.cc(326) checklistMatches:
> ACL::checklistMatches: checking 'forwardTrafficSubnet1'
> 2013/07/16 14:27:53.773 kid1| Ip.cc(134) aclIpAddrNetworkCompare:
> aclIpAddrNetworkCompare: compare:
> 172.21.120.23/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (172.21.120.0)
> vs 172.21.120.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
> 2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp:
> '172.21.120.23' found
> 2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches:
> ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
> 2013/07/16 14:27:53.773 kid1| Acl.cc(349) matches: forwardTrafficSubnet1
> matched.
> 2013/07/16 14:27:53.773 kid1| Acl.cc(363) matches: forwardTrafficSubnet1
> result is true
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8
> matched=1 async=0 finished=0
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8
> success: all ACLs matched
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8
> answer DENIED for first matching rule won
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(88) matchNonBlocking:
> ACLChecklist::check: 0x1d8afd8 match found, calling back with DENIED
>
> I don't know why it says that the rule matched but that it is returning
> DENIED.
>
> Cheers,

Hi again,

I wonder if anyone has any ideas on this one, at the moment this just doesn't seem to work.

Cheers,
--
Michael Graham <mgraham@xxxxxxxxx>
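An added example, not part of the original message and not Squid's own code: a simplified Python model of the two steps visible above, the `follow_x_forwarded_for allow localsrc` backtracking through X-Forwarded-For and first-match rule evaluation, where a matching ACL returns whatever action its rule carries. The /24 for `forwardTrafficSubnet1` is taken from the subnet named in the thread; the rule lists passed to `first_match`, the helper names and the stop-on-unparsable-entry behaviour are assumptions of this model.

```python
import ipaddress

# ACLs modelled from the thread: localsrc is quoted in the message, the /24
# for forwardTrafficSubnet1 is the subnet Amos names (assumed definition).
ACLS = {
    "localsrc": [ipaddress.ip_network("127.0.0.1/32")],
    "forwardTrafficSubnet1": [ipaddress.ip_network("172.21.120.0/24")],
}

def acl_matches(name, addr):
    """True if addr falls inside any network of the named src-style ACL."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ACLS[name])

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def indirect_client(peer, xff_header, trusted_acl="localsrc"):
    """Walk X-Forwarded-For right to left while the current hop is trusted.

    The header is only believed when it was relayed by a trusted source, so
    entries a client injects ahead of the first untrusted hop are never used.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    current = peer
    while hops and acl_matches(trusted_acl, current):
        candidate = hops.pop()      # rightmost entry came from the nearest proxy
        if not is_ip(candidate):    # model choice: stop at an unparsable entry
            break
        current = candidate
    return current

def first_match(rules, addr):
    """rules: ordered (action, acl_name) pairs; the first matching rule wins."""
    for action, acl in rules:
        if acl_matches(acl, addr):
            return action           # the ACL matched; the answer is the rule's action
    return None                     # no rule matched

if __name__ == "__main__":
    client = indirect_client("127.0.0.1", "172.21.120.23")
    print(client, first_match([("DENIED", "forwardTrafficSubnet1")], client))
```

In this model "matched" only says the ACL condition was true for the address; whether the checklist answers ALLOWED or DENIED depends on the action of the rule that the ACL appears in.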