[squid-dev] [PATCH] Fix 'miss_access' and 'cache' checks when no ACL rules matched

Eduard Bagdasaryan eduard.bagdasaryan at measurement-factory.com
Fri May 5 14:18:16 UTC 2017


This patch fixes "miss_access" and "cache" checks when no ACL rules

The miss_access code allowed transactions to reach origin server when no
"allow" rules matched (and no "deny" rule matched either). This could
happen when a miss_access directive ACL could not make a "match" or
"mismatch" decision (e.g., the admin used a slow ACL or an ACL that
required authentication when the user was not authenticated).

Similarly, the "cache" directive code allowed requests to be served from
the cache (and responses to be stored in the cache) when no "allow" (and
"deny") rules matched. This behavior (established in v5 r14984) does not
contradict "Requests denied by this directive will not be..."
documentation, though.

I believe that both "miss_access" and "cache" directives should behave
like all other directives in similar contexts, i.e., "deny" in such
indeterminate cases because:

* It avoids problems with configurations like:

    # broken if badGuys fails to match or mismatch (allows bad guys)
    acl_driven_option allow !badGuys

   That is what trunk r12176 has partially fixed.

* It makes ACL checking rules consistent with each other, especially if
   there is no good reason for making exception for these two cases.

To help avoid similar problems in the future, and to improve code
consistency, I added an API that eliminates the need for direct



-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-277-fix-and-clarify-access-denied-cases-t5.patch
Type: text/x-patch
Size: 127402 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170505/40e466b0/attachment-0001.bin>

More information about the squid-dev mailing list