[squid-users] squid 3.4, dstdomain

Amos Jeffries squid3 at treenet.co.nz
Thu Dec 10 10:34:52 UTC 2015


On 10/12/2015 11:02 p.m., Massimo.Sala wrote:
> 2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of 
> 'addons.mozilla.org'
> 
> 
> I thought
>         addons.mozilla.org              blocks only this hostname


ACLs do not block anything. Access Controls do.

This value tells Squid that addons.mozilla.org is an exact-match. Any
sub-domain is to be a non-match.


> 
>         .addons.mozilla.org             blocks all the sub-domains, like 
> www.addons.mozilla.org etc.addons.mozilla.org


This one tells Squid that "addons.mozilla.org" and *all* sub-domains are
to match true.


> 
> Which are the parsing rules of squid 3.4 ?

Each entry in the dstdomain ACL must be a unique and distinct match. The
two ranges of possible domain names above overlap.


Squid uses splay trees internally. So when there are two overlapping
entries, which one will be found and tested against will change randomly
based on how other things affect the splay. Which will cause random
rejections for the *.addons.mozilla.org sub-domains.

Thus having both is a problem. Which way around you place them in the
list of ACL values determines whether Squid can drop one (and just warn)
or not (the error).

Amos
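
A way to catch such overlaps before Squid loads the list, as an added example that is not part of the original post and is not Squid's own code. It applies the matching semantics described in the reply (no leading dot is an exact match, a leading dot matches the domain and all its sub-domains) to a constructed sample list; the function names and sample values are assumptions.

```python
"""Lint a dstdomain value list for overlapping entries (added example)."""


def normalise(line):
    """Lower-case one value; blank lines and '#' comment lines become ''."""
    value = line.strip().lower()
    return "" if value.startswith("#") else value


def covers(wildcard, entry):
    """True if the leading-dot value `wildcard` already matches all of `entry`."""
    base = wildcard.lstrip(".").lower()
    name = entry.lstrip(".").lower()
    # Compare on a label boundary so 'notexample.net' is not taken
    # for a sub-domain of 'example.net'.
    return name == base or name.endswith("." + base)


def find_overlaps(entries):
    """Return (wider, narrower) pairs whose match ranges overlap."""
    values = [v for v in (normalise(e) for e in entries) if v]
    overlaps = []
    for i, wide in enumerate(values):
        for j, narrow in enumerate(values):
            if i == j:
                continue
            if wide == narrow:
                if i < j:  # report an exact duplicate once
                    overlaps.append((wide, narrow))
            elif wide.startswith(".") and covers(wide, narrow):
                overlaps.append((wide, narrow))
    return overlaps


# Constructed sample list, one dstdomain value per line.
SAMPLE = [
    "addons.mozilla.org",
    ".addons.mozilla.org",
    "www.example.com",
    ".example.net",
    "cdn.example.net",
    "notexample.net",
]

if __name__ == "__main__":
    for wide, narrow in find_overlaps(SAMPLE):
        print(f"overlap: '{narrow}' is already matched by '{wide}'")
```

Removing the narrower value of each reported pair leaves every entry unique and distinct.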


