Hello, I've come across a recurring issue where Squid (3.2.1) will deny replies (TCP_DENIED_REPLY/403) purely based on where in the rule list (which is all allows with one deny at the end) the rule is. For example, with the following rule list: http_reply_access allow redirect http_reply_access allow jenny_pc http_reply_access allow jodys_pc http_reply_access allow kates_phone http_reply_access allow kate_laptop http_reply_access allow brians_tablet http_reply_access allow allowed_content http_reply_access allow pvr_pc http_reply_access allow pvrfe_pc http_reply_access allow linux_pc http_reply_access allow localhost http_reply_access allow brian_laptop http_reply_access allow lab_net http_reply_access allow brian http_reply_access allow kate http_reply_access allow fred http_reply_access allow plf rpm_content http_reply_access allow thac rpm_content http_reply_access allow mandriva rpm_content http_reply_access allow gpg_keyservers gpg_content http_reply_access allow ubuntu deb_content http_reply_access allow flash_downloads deb_content http_reply_access allow windowsupdate windowsupdatere http_reply_access allow windowsupdate allowed_wu_content http_reply_access allow avgupdate app_oct_content http_reply_access allow dl_sf_net app_oct_content http_reply_access deny all I will get: 1388416169.296 22 2001.123.45.678:214:d1ff:fe13:45ac TCP_DENIED_REPLY/403 3692 GET http://af.avg.com/softw/14free/update/x14xplsc_2067ol.bin - FIRSTUP_PARENT/127.0.0.1 text/html However if I move the rule that should allow that URL (allow avgupdate app_oct_content) to near the top of the above rule list squid will allow the content. I would think that the order of any "allow" rules should not matter as long as they are all before a deny rule. Is that not the case? Should what I describe above really happen in any condition? Cheers, b.
Attachment:
signature.asc
Description: This is a digitally signed message part