On 16/07/2016 2:38 a.m., Stephen Stark wrote:
> Hello,
>
> I think I figured out what the problem is but I'd appreciate if someone
> could check my reasoning.
>
> My ACL is type localport, so I'm targeting the original request to Squid
> based on the Squid port the client is connecting to:
>
> acl test localport 4000
>
> Then I enable adaptation_access based on the ACL test:
>
> adaptation_access service_avi_req allow test
> adaptation_access service_avi_resp allow test
>
> So here is where I think the problem is. The client is connecting to Squid
> on port 4000, so the initial request is put in the ACL "test", however for
> some reason this ACL is not being hit when adaptation_access is being used.

Correct. Something named "Test" with an upper-case 'T' is being checked.

> I'm wondering if the reason is because localport is no longer the port the
> client connected to Squid on, but rather the port Squid is using to connect
> to the ICAP server?
>
> I've verified with full debugging that the test ACL is not matched in the
> adaptation checks:
>
> (initial request)
>
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking '64.182.224.149'
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: '64.182.224.149' NOT found
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: nobumpSites = 0
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1

Notice how the above are ssl_bump rules.
http_access and adaptation_access checking for the initial request happen
long before ssl_bump is reached.

> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=ALLOWED
>
> (And now I'm guessing this is adaptation checking ACLs)
>

No need to guess. Squid logs the type of *_access that is being checked.
See above about how I determined those were ssl_bump rules.

...

> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
> 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1

... so these are http_access being checked.

> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf40bb8 answer=ALLOWED

... the request is ALLOWED (to use the proxy) by http_access.

> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0

... this is adaptation_access.

> 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1

So, er, a line "adaptation_access ... deny all" is being checked.
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=DENIED

adaptation_access rules DENIED adaptation being used on this request.
Port(s) were never considered. Only IP address to match the "all" ACL.

What is the full set of adaptation_access lines in your config? It seems
there are more or different entries from the ones you mentioned already.

>
> What I don't get however is in this above log entry snapshot, the client
> source port (192.168.100.6) is shown, so I'd assume the localport would
> match.

Is the traffic explicit/forward-proxy, reverse-proxy, intercepted or tproxy?
TCP port numbers are different in value and/or meaning for each of the above.

It's things like that which are why the "myportname" ACL is preferred over
any checking of the port values. Use the name= option on any *_port to name
it explicitly, otherwise its name will be the textual representation of
whatever exists in the host:port / IP:port field of the line.

>
> This works if I change the ACL type to src IP address rather than
> localport, however the whole point of this is because I have another
> facility that is categorizing users by group and distributing them to Squid
> on specific destination ports. So I really need this to work based on
> localport.
>
> Any thoughts?
>

Please try the 'myportname' ACL.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
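The myportname approach Amos recommends, written out as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project: the port names (default, group4000), the ACL name, the icap_service lines and the icap:// URIs are assumptions standing in for whatever the poster's real setup uses, and the service names service_avi_req / service_avi_resp are kept from the poster's own adaptation_access lines.

```squid
# Name each listening port explicitly. The ACL then keys on the name Squid
# assigned to the listener, not on a numeric port whose value and meaning
# differ between forward, reverse, intercept and tproxy modes.
http_port 3128 name=default
http_port 4000 name=group4000      # the port the upstream classifier routes this user group to

# Assumed service definitions (URIs are placeholders); the poster's config
# already has equivalents because adaptation_access references these names.
icap_service service_avi_req  reqmod_precache  icap://127.0.0.1:1344/avscan
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/avscan

# Match on the listener name. Keep the ACL name identical (including case)
# to what the adaptation_access lines reference.
acl group4000 myportname group4000

# Adapt only traffic that arrived on the group4000 listener; everything else
# is explicitly denied so the debug log shows which rule line decided.
adaptation_access service_avi_req  allow group4000
adaptation_access service_avi_req  deny all
adaptation_access service_avi_resp allow group4000
adaptation_access service_avi_resp deny all
```

With this in place, a request arriving on port 4000 should show up in the 28,3 debug output as "checked: group4000 = 1" followed by "adaptation_access#1 = 1" and an ALLOWED answer; a request on the default listener should fall through to the "deny all" line. Without name=, the listener's name is the literal host:port text of the http_port line, so "acl x myportname 4000" only matches if the line was written exactly "http_port 4000".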
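Amos's method for reading the debug output (find the "checked: <directive>" rule line inside each preCheck/markFinished block to learn which *_access check it is, and which ACL names it actually evaluated) can be automated. The script below is an added example written for this thread, not Squid project code. It assumes debug output at level 28,3 with the line shapes quoted above; the sample log is the thread's own wrapped lines rejoined one per line, and the classification of a "checked:" entry as a directive versus a plain ACL name is a heuristic on the naming patterns visible in that output.

```python
"""Group Squid ACL debug output (debug_options 28,3) into checklists.

Added example for the squid-users thread above, not code from Squid itself.
Each checklist begins with a Checklist.cc "preCheck" line and ends with a
"markFinished" line. Between them Acl.cc logs "checked: <name> = <0|1>" for
every ACL and every rule evaluated; rule entries carry the directive name
("http_access#1", "adaptation_access", "(ssl_bump rule)"), which is how you
tell what kind of *_access check the block belongs to.
"""
import re
from dataclasses import dataclass, field

PRECHECK = re.compile(r"preCheck: (0x[0-9a-f]+) checking")
CHECKED = re.compile(r"matches: checked: (.+?) = ([01])$")
FINISHED = re.compile(r"markFinished: (0x[0-9a-f]+) answer ([A-Z]+)")
RULE_GROUP = re.compile(r"^\((\w+) rules?\)$")      # "(ssl_bump rule)", "(ssl_bump rules)"
RULE_LINE = re.compile(r"^(\w+_access)(?:#\d+)?$")   # "http_access#1", "adaptation_access"


@dataclass
class Checklist:
    ptr: str                                  # address Squid printed; NOT unique over time
    directive: str = "?"                      # http_access, adaptation_access, ssl_bump, ...
    acls: list = field(default_factory=list)  # (acl name, matched?) in evaluation order
    answer: str = ""                          # ALLOWED / DENIED


def directive_of(name):
    """Directive a 'checked:' entry belongs to, or None if it is a plain ACL name.

    Heuristic: an ACL deliberately named like "foo_access" would be misclassified.
    """
    m = RULE_GROUP.match(name) or RULE_LINE.match(name)
    return m.group(1) if m else None


def parse_checklists(lines):
    """Split debug lines into Checklist records in the order Squid ran them."""
    done, current = [], None
    for line in lines:
        line = line.rstrip()
        if m := PRECHECK.search(line):
            # Key on sequence, not on the pointer: Squid reuses the same address
            # (0xf3c2f8 below serves both ssl_bump and adaptation_access).
            current = Checklist(ptr=m.group(1))
        elif current and (m := CHECKED.search(line)):
            name, matched = m.group(1), m.group(2) == "1"
            if d := directive_of(name):
                current.directive = d
            else:
                current.acls.append((name, matched))
        elif current and (m := FINISHED.search(line)):
            current.answer = m.group(2)
            done.append(current)
            current = None
    return done


def acl_names_by_directive(checklists):
    """ACL names each directive actually evaluated, to compare against squid.conf."""
    seen = {}
    for c in checklists:
        seen.setdefault(c.directive, set()).update(name for name, _ in c.acls)
    return seen


def pointer_reuse(checklists):
    """Directives seen per checklist address; more than one means it was recycled."""
    by_ptr = {}
    for c in checklists:
        by_ptr.setdefault(c.ptr, []).append(c.directive)
    return by_ptr


# Constructed sample: the wrapped cache.log lines quoted in the thread, rejoined.
SAMPLE_LOG = """\
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking '64.182.224.149'
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: '64.182.224.149' NOT found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: nobumpSites = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
"""

if __name__ == "__main__":
    checklists = parse_checklists(SAMPLE_LOG.splitlines())
    for c in checklists:
        print(f"{c.ptr} {c.directive:<18} {c.answer:<8} acls={c.acls}")
    print("ACL names evaluated per directive:", acl_names_by_directive(checklists))
    print("checklist address reuse:", pointer_reuse(checklists))
```

Run it against a real cache.log with "grep -E 'preCheck|checked:|markFinished' cache.log | python3 squid_acl_trace.py" after replacing SAMPLE_LOG with sys.stdin. On the thread's log it reports three checklists (ssl_bump ALLOWED, http_access ALLOWED, adaptation_access DENIED) and shows that the adaptation_access block evaluated the names "Test" and "all", which is exactly the comparison against the configured "acl test localport 4000" line that Amos is asking the poster to make.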