
Re: ACLs allow/deny logic

On 06/27/2017 12:31 AM, Vieri wrote:

> http_access deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips
> http_reply_access deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips
> http_access deny intercepted !localnet
> http_access allow localnet
> http_access deny all

> "The reply for POST http://149.154.165.120/api is DENIED, because it matched allowed_restricted1_ips"

Squid "matched ACL" reporting code is badly designed and often leads to
misleading results. In this particular case, Squid wanted to say "it
matched !allowed_restricted1_ips" but could not. Older Squids were
especially broken in this area, but even modern ones suffer from the
same design flaw. This flaw is a known problem:

> // XXX: AclMatchedName does not contain a matched ACL name when the acl
> // does not match. It contains the last (usually leaf) ACL name checked
> // (or is NULL if no ACLs were checked).

You can work around most of these problems by appending an
always-matching ACL to every http_access rule you want to identify and
making sure that at least one rule always matches. The former can be
done using an any-of ACL in older Squids or annotate_transaction ACL in
modern Squids. You are already doing the latter with "deny all".


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
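To make the reporting flaw and the workaround concrete, here is an added Python model (not from the thread or from Squid itself) of http_access evaluation: it records the last leaf ACL checked the way AclMatchedName does, and shows how an always-matching annotate_transaction-style ACL appended to a rule identifies that rule. The ACL predicates, the address ranges and the mark_rule1 name are constructed assumptions.

```python
import ipaddress

def annotate_transaction(key, value):      # models the always-matching annotate_transaction ACL
    def acl(req):
        req["notes"][key] = value
        return True
    return acl
class AccessChecker:
    """Simplified model of http_access evaluation; self.matched models AclMatchedName,
    which holds the last leaf ACL name checked with any '!' negation dropped."""
    def __init__(self, acls, rules):
        self.acls, self.rules, self.matched = acls, rules, None

    def check_term(self, term, req):
        name = term.lstrip("!")
        self.matched = name                    # the flaw: the negation is never recorded
        return self.acls[name](req) != term.startswith("!")

    def evaluate(self, request):
        req, self.matched, action = {**request, "notes": {}}, None, "allow"
        for action, terms in self.rules:       # first rule whose terms all match decides
            if all(self.check_term(t, req) for t in terms):
                return action, self.matched, req["notes"]
        # nothing matched: Squid applies the opposite of the last rule's action
        return ("deny" if action == "allow" else "allow"), self.matched, req["notes"]

# Constructed ACL definitions standing in for the ones in the posted config.
ALLOWED_IPS, LOCALNET = ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")
ACLS = {
    "denied_restricted1_mimetypes_req": lambda r: r["mime"] == "application/octet-stream",
    "allowed_restricted1_domains": lambda r: r["host"].endswith(".example.com"),
    "allowed_restricted1_ips": lambda r: ipaddress.ip_address(r["dst"]) in ALLOWED_IPS,
    "intercepted": lambda r: r["intercepted"],
    "localnet": lambda r: ipaddress.ip_address(r["src"]) in LOCALNET,
    "all": lambda r: True,
    "mark_rule1": annotate_transaction("rule", "deny_restricted1_mime"),   # workaround ACL
}
RULES_AS_POSTED = [
    ("deny", ["denied_restricted1_mimetypes_req", "!allowed_restricted1_domains", "!allowed_restricted1_ips"]),
    ("deny", ["intercepted", "!localnet"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]
# Workaround: append the always-matching ACL to the rule we want to identify in logs.
RULES_ANNOTATED = [("deny", RULES_AS_POSTED[0][1] + ["mark_rule1"])] + RULES_AS_POSTED[1:]
# Constructed request resembling the denied POST from the thread.
SAMPLE_REQUEST = {"mime": "application/octet-stream", "host": "149.154.165.120", "dst": "149.154.165.120", "src": "10.1.2.3", "intercepted": False}

def explain(rules, request=SAMPLE_REQUEST):
    action, matched, notes = AccessChecker(ACLS, rules).evaluate(request)
    return f"{action.upper()}, because it matched {matched}; notes={notes}"
```

With the posted rules the model reports "matched allowed_restricted1_ips" even though the deciding term was the negated one; with the annotated rule the reported name and the note both identify the rule.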