[squid-users] 2.7.STABLE9 & Error with option deny_info from local requests

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 3 15:38:37 UTC 2014



On 4/12/2014 3:49 a.m., Mark Riede wrote:
>>> 
>>> # Config
>>> http_access allow localhost
> 
>> The above rule permits all traffic from 127.0.0.1 to go through
>> this proxy *no matter what*. From your description that would be
>> all traffic arriving from nginx **AND** any traffic you direct
>> at 127.0.0.1 IP from any other software.
> Thank you for your consideration. I will consider it.
> 
>> It is a very bad thing to do, particularly for a reverse-proxy.
>> Remove it and traffic from nginx (and your 127.0.0.1 tests) will
>> start to obey the other rules. Not a complete fix, but required
>> for Squid to work as you expect.
> 
>>> acl foo dstdomain "/file"
>>> acl foo_deny dstdom_regex "/file_deny"
>>> http_access allow foo
> 
>> When testing this ACL with a raw-IP Squid will lookup reverse-DNS
>> of the IP and compare the result with contents of /file. Meaning
>> 127.0.0.1 == "localhost" --> is "localhost" one of the peer
>> hosted domain names? should not be.
> Which version was in use? Is it possible to override this
> behaviour?

Only after an upgrade to a current Squid-3 version for the DNS
no-lookup feature.

You do not actually need the "http_access allow localhost" line at all
though. All it seems to be doing is causing this problem.

If you were perhaps relying on it for access to the Squid cachemgr
reports, then replace it with this:
  acl mgr url_regex -i ^cache_object://
  http_access allow localhost mgr


> I don't think it is the right location of the problem. Everything
> works well except the option deny_info.

The "deny_info ... foo_deny" is just an instruction/directive on the
"foo_deny" ACL to what will happen IF (and only IF) foo_deny is used
in http_access to deny a request.

If either of the previous http_access allow lines are being acted
on then it will not happen.

"allow localhost" will act on 127.0.0.1/localhost nginx requests in
your config. Causing the foo_deny never to be enacted. Causing the
deny_info to not happen. See?


Assuming Nginx is presenting Squid with correct Host headers then
removing the "http_access allow localhost" is all you need to fix the
deny_info problem.

After changing that you may still see some *other* errors with traffic
from Nginx. For those you will need to investigate the Host header in
those requests and decide what is the right thing to be done to fix
that other problem.

HTH
Amos
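
An added example, not part of the original message and not Squid code: a small Python model of the top-to-bottom, first-match walk over http_access lines, showing why the deny_info page never appears while "allow localhost" stands alone and does appear once it is narrowed to "allow localhost mgr". The ACL contents, the sample requests, the final "deny all" line and the error page name ERR_FOO_DENIED are constructed assumptions.

```python
import re

# Constructed ACL data standing in for the contents of "/file" and "/file_deny".
ACLS = {
    "all":       lambda r: True,
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "mgr":       lambda r: re.match(r"^cache_object://", r["url"], re.I) is not None,
    "foo":       lambda r: r["host"] in {"www.example.com"},
    "foo_deny":  lambda r: re.search(r"blocked\.example\.net$", r["host"]) is not None,
}
# deny_info ties an error page to an ACL name (page name is hypothetical).
DENY_INFO = {"foo_deny": "ERR_FOO_DENIED"}

# http_access lines in order; "deny all" at the end is an assumed closing rule.
ORIGINAL = [("allow", ["localhost"]), ("allow", ["foo"]),
            ("deny", ["foo_deny"]), ("deny", ["all"])]
FIXED = [("allow", ["localhost", "mgr"]), ("allow", ["foo"]),
         ("deny", ["foo_deny"]), ("deny", ["all"])]

# Constructed requests: everything from nginx arrives with source 127.0.0.1.
NGINX_BLOCKED = {"src": "127.0.0.1", "host": "blocked.example.net",
                 "url": "http://blocked.example.net/"}
NGINX_OK = {"src": "127.0.0.1", "host": "www.example.com",
            "url": "http://www.example.com/"}
CACHEMGR = {"src": "127.0.0.1", "host": "localhost",
            "url": "cache_object://localhost/info"}

def evaluate(rules, req):
    """Return (action, deny_info page or None) for one request.
    Lines are tried top to bottom, ACLs on a line are ANDed,
    and the first line whose ACLs all match decides the outcome."""
    for action, names in rules:
        if all(ACLS[n](req) for n in names):
            # deny_info is selected by the last ACL on the denying line.
            page = DENY_INFO.get(names[-1]) if action == "deny" else None
            return action, page
    # No line matched: the result is the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for name, req in (("blocked", NGINX_BLOCKED), ("ok", NGINX_OK),
                          ("cachemgr", CACHEMGR)):
            print(label, name, evaluate(rules, req))
```
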


