Search squid archive

Re: squidGuard: redirect to squid-internal URLs no longer working with 3.5?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/15/2016 12:52 PM, Amos Jeffries wrote:
>> So, if i try this, i get a 404 response and the ERR_INVALID_REQ page.
> 
> Okay. That is the correct behaviour for this situation.
> Squid does not normally load anything at the
> /squid-internal-static/error-access-denied path.
> 
> A second bug / undefined behaviour that got fixed in 3.5 was incorrect
> HTTP status codes being delivered on cachemgr and internal responses. It
> now returns 404 Not Found when URL internal URL does not point at an
> object, not "access denied" - because access wasn't denied, the file was
> not found.
> 
> The /squid-internal-static/* objects to be loaded are configured in the
> squid /etc/squid/mime.conf configuration file. (though some OS distros
> move it out of /etc/squid for some reason).
> 
> However, that would just make the response a 200 OK with the internal
> object as the payload. If you want to retain 403 you need to block the
> re-written URL from being serviced by Squid:
> 
>  acl SG_deny urlpath_regex ^/squid-internal-static/error-access-denied$
>  adapted_http_access deny SG_deny
> 
> (If that dont work you can use miss_access instead)
> 
> 
>> With debugging I can see that there is a request like
>> GET ://127.0.0.1:3128/squid-internal-static/error-access-denied
>> This is indeed an invalid request...
> 
> Nod. Though the internal ID being used is correct, so its only the
> output display and upstream messages which are broken. I'm looking into
> that now, but the fix wont change anything relating to your actual
> problem. You will still need to use the above config settings to trigger
> a 403.
> 
> 
>> If I use http:// instead of internal:// the whole request is forwarded
>> to the upstream cache peer and again replied with ERR_INVALID_REQ...
>> With
>> internal://$visible_hostname:3128/squid-internal-static/error-access-denied
>> the response is a 400 Bad Request with ERR_UNSUP_REQ.
>> According to debugging here again the internal schema is not passed
>> along when building the GET request.
>>
>> BTW, the old URL I used worked for years!
> 
> The problem with relying on undefined behaviour is that it can work for
> a long time then disappear without warning.
> 
> What I think was going on previously was the parser handling the
> URL-rewriter output accepted the URL with 'squid-internal-static' as
> hostname. When Squid got to the upstream forwarding stage the check for
> internal status did a sub-string check and (wrongly) found
> "/squid-internal-". So decided to handle it as internal. But the
> internal-server logics could not find any object and (wrongly) generated
> a 403 error page.
> 
> So a chain of at least 2 bugs being relied on to produce a 403 Access
> Denied, when it should not have. We have now fixed those bugs, so what
> you had relying on them goes splat.
> 
> Amos
> 

Hi Amos,

Many thanks for these clarifications.

Greetings,
Matthias
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux