On 06/27/2017 12:31 AM, Vieri wrote:

> http_access deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips
> http_reply_access deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips
> http_access deny intercepted !localnet
> http_access allow localnet
> http_access deny all

> "The reply for POST http://149.154.165.120/api is DENIED, because it matched allowed_restricted1_ips"

Squid "matched ACL" reporting code is badly designed and often leads to misleading results. In this particular case, Squid wanted to say "it matched !allowed_restricted1_ips" but could not. Older Squids were especially broken in this area, but even modern ones suffer from the same design flaw. This flaw is a known problem:

> // XXX: AclMatchedName does not contain a matched ACL name when the acl
> // does not match. It contains the last (usually leaf) ACL name checked
> // (or is NULL if no ACLs were checked).

You can work around most of these problems by appending an always-matching ACL to every http_access rule you want to identify and making sure that at least one rule always matches. The former can be done using an any-of ACL in older Squids or annotate_transaction ACL in modern Squids. You are already doing the latter with "deny all".

HTH,

Alex.
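The workaround described in the reply above, written out as a squid.conf fragment. This is an added example, not part of the original message: the rule_* marker names are hypothetical, and the other ACLs are assumed to be defined as in the quoted configuration.

```squidconf
# Added example. Marker ACL names (rule_*) are hypothetical.

# Older Squids: wrap the built-in "all" ACL in a named any-of ACL.
# It always matches, so it only serves to put a distinct name on a rule.
acl rule_req_mime any-of all
acl rule_rep_mime any-of all
acl rule_intercepted any-of all
acl rule_localnet any-of all
acl rule_rep_default any-of all

# Modern Squids: annotate_transaction also always matches and additionally
# attaches a key=value annotation to the transaction. Use these definitions
# instead of the any-of ones above (an ACL name can have only one type).
# acl rule_req_mime annotate_transaction rule=req_mime
# acl rule_rep_mime annotate_transaction rule=rep_mime

# The marker goes LAST on each rule. ACLs on a rule are checked left to
# right and checking stops at the first mismatch, so the marker is reached
# only when every ACL before it matched. It is then the last ACL checked,
# and its name is what the "because it matched ..." message reports.
http_access deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips rule_req_mime
http_access deny intercepted !localnet rule_intercepted
http_access allow localnet rule_localnet
# Catch-all already present in the original configuration; "all" always matches.
http_access deny all

http_reply_access deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips rule_rep_mime
# Assumption: an explicit final rule so that some http_reply_access rule
# always matches. It keeps the existing outcome, because the implicit default
# after a final "deny" rule is already "allow".
http_reply_access allow rule_rep_default
```

With the markers in place, a denial of the POST reply from the quoted message would be attributed to rule_rep_mime rather than to the negated allowed_restricted1_ips leaf.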