[squid-users] behavior of external acl helper in Squid 3.5.13

Sreenath BH bhsreenath at gmail.com
Fri Jan 22 17:02:44 UTC 2016


Hi

I am using an external helper for authentication. I have just one
http_access in squid.conf that refers to this external helper.

I also have a url rewriter to which I pass some information using "tag" key.
I observed that the acl is not invoked in several cases, just calling
the url rewriter.

Squid sometimes seems to skip acl phase and directly proceeds to url rewriter.

Are there cases when squid proceeds without performing external acl?
Please see log lines below:

------------------
2016/01/22 14:46:52.091 kid1| 23,3| url.cc(357) urlParse: urlParse:
Split URL 'http://localhost:3000/file/download?key=XXXYYY' into
proto='http', host='localhost', port='3000',
path='/file/download?key=XXXYYY'
2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
GetFirstAvailable: Running servers 1
2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1309) helperDispatch:
helperDispatch: Request sent to jio_helper #Hlpr4, 26 bytes
2016/01/22 14:46:52.091 kid1| 84,9| helper.cc(386) helperSubmit:
buf[26]=/file/download?key=XXXYYY

2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(866) helperHandleRead:
helperHandleRead: 18 bytes from jio_helper #Hlpr4
2016/01/22 14:46:52.091 kid1| 84,9| helper.cc(875) helperHandleRead:
accumulated[18]=OK tag=something4

2016/01/22 14:46:52.091 kid1| 84,3| helper.cc(892) helperHandleRead:
helperHandleRead: end of reply found
2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(29) parse: Parsing helper buffer
2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(48) parse: Buff length is
larger than 2
2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
GetFirstAvailable: Running servers 1
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1309) helperDispatch:
helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(386) helperSubmit:
buf[58]=http://localhost:3000/file/download?key=XXXYYY something4

2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
GetFirstAvailable: Running servers 1
*** http://localhost:3000/file/download?key=XXXYYY something4
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(866) helperHandleRead:
helperHandleRead: 28 bytes from redirector #Hlpr2
2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(875) helperHandleRead:
accumulated[28]=OK rewrite-url="something4"

2016/01/22 14:46:52.092 kid1| 84,3| helper.cc(892) helperHandleRead:
helperHandleRead: end of reply found
2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(29) parse: Parsing helper buffer
2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(48) parse: Buff length is
larger than 2
2016/01/22 14:46:52.091 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
2016/01/22 14:46:52.091 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
GetFirstAvailable: Running servers 1
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1309) helperDispatch:
helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(386) helperSubmit:
buf[58]=http://localhost:3000/file/download?key=XXXYYY something4

2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
GetFirstAvailable: Running servers 1

2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(866) helperHandleRead:
helperHandleRead: 28 bytes from redirector #Hlpr2
2016/01/22 14:46:52.092 kid1| 84,9| helper.cc(875) helperHandleRead:
accumulated[28]=OK rewrite-url="something4"

2016/01/22 14:46:52.092 kid1| 84,3| helper.cc(892) helperHandleRead:
helperHandleRead: end of reply found
2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(29) parse: Parsing helper buffer
2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(48) parse: Buff length is
larger than 2
2016/01/22 14:46:52.092 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
2016/01/22 14:46:52.092 kid1| ERROR: URL-rewrite produces invalid
request: GET something4 HTTP/1.1
2016/01/22 14:46:52.092 kid1| 11,5| HttpRequest.cc(474) detailError:
current error details: 6/0
2016/01/22 14:46:52.092 kid1| 11,2| client_side.cc(1391)
sendStartOfMessage: HTTP Client local=[::1]:3000 remote=[::1]:35075 FD
9 flags=1
2016/01/22 14:46:52.092 kid1| 11,2| client_side.cc(1392)
sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 500 Internal Server Error^M
Server: squid/3.5.13^M
Mime-Version: 1.0^M
Date: Fri, 22 Jan 2016 14:46:52 GMT^M
Content-Type: text/html;charset=utf-8^M
Content-Length: 3889^M
X-Squid-Error: ERR_CANNOT_FORWARD 0^M
Vary: Accept-Language^M
Content-Language: en^M
X-Cache: MISS from TEJ-DL-CS-SERVER04^M
Via: 1.1 TEJ-DL-CS-SERVER04 (squid/3.5.13)^M
Connection: keep-alive^M
^M

----------
2016/01/22 14:46:52.092 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
GetFirstAvailable: Running servers 1
2016/01/22 14:47:13.103 kid1| 11,2| client_side.cc(2345)
parseHttpRequest: HTTP Client local=[::1]:3000 remote=[::1]:35076 FD 9
flags=1
2016/01/22 14:47:13.103 kid1| 11,2| client_side.cc(2346)
parseHttpRequest: HTTP Client REQUEST:
---------
GET /file/download?key=XXXYYY HTTP/1.1^M
User-Agent: curl/7.37.1^M
Host: localhost:3000^M
Accept: */*^M
^M

----------
2016/01/22 14:47:13.103 kid1| 23,3| url.cc(357) urlParse: urlParse:
Split URL 'http://localhost:3000/file/download?key=XXXYYY' into
proto='http', host='localhost', port='3000',
path='/file/download?key=XXXYYY'
2016/01/22 14:47:13.103 kid1| 84,5| helper.cc(1167) GetFirstAvailable:
GetFirstAvailable: Running servers 1
2016/01/22 14:47:13.103 kid1| 84,5| helper.cc(1309) helperDispatch:
helperDispatch: Request sent to redirector #Hlpr2, 58 bytes
2016/01/22 14:47:13.104 kid1| 84,9| helper.cc(386) helperSubmit:
buf[58]=http://localhost:3000/file/download?key=XXXYYY something4

*** http://localhost:3000/file/download?key=XXXYYY something4
2016/01/22 14:47:13.104 kid1| 84,5| helper.cc(866) helperHandleRead:
helperHandleRead: 28 bytes from redirector #Hlpr2
2016/01/22 14:47:13.104 kid1| 84,9| helper.cc(875) helperHandleRead:
accumulated[28]=OK rewrite-url="something4"

2016/01/22 14:47:13.104 kid1| 84,3| helper.cc(892) helperHandleRead:
helperHandleRead: end of reply found
2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(29) parse: Parsing helper buffer
2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(48) parse: Buff length is
larger than 2
2016/01/22 14:47:13.104 kid1| 84,3| Reply.cc(52) parse: helper Result = OK
2016/01/22 14:47:13.104 kid1| ERROR: URL-rewrite produces invalid
request: GET something4 HTTP/1.1
2016/01/22 14:47:13.104 kid1| 11,5| HttpRequest.cc(474) detailError:
current error details: 6/0
2016/01/22 14:47:13.104 kid1| 11,2| client_side.cc(1391)
sendStartOfMessage: HTTP Client local=[::1]:3000 remote=[::1]:35076 FD
9 flags=1
2016/01/22 14:47:13.104 kid1| 11,2| client_side.cc(1392)
sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 500 Internal Server Error^M
Server: squid/3.5.13^M
Mime-Version: 1.0^M
Date: Fri, 22 Jan 2016 14:47:13 GMT^M
Content-Type: text/html;charset=utf-8^M
Content-Length: 3889^M
X-Squid-Error: ERR_CANNOT_FORWARD 0^M
Vary: Accept-Language^M
Content-Language: en^M
X-Cache: MISS from TEJ-DL-CS-SERVER04^M
Via: 1.1 TEJ-DL-CS-SERVER04 (squid/3.5.13)^M
Connection: keep-alive^M
^M
----------------------------------

Here is squid.conf

debug_options ALL,1 31,10 23,10 84,10 11,10,44
redirect_rewrites_host_header off

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
###http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
###http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
##  http_access allow localhost manager
##  http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed

external_acl_type jio_helper children-max=1 %PATH /usr/local/bin/acl
acl AclName external jio_helper
http_access allow AclName

#http_access allow localnet
#http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3000 accel defaultsite=mysite.com vhost

url_rewrite_program /usr/local/bin/rewrite
url_rewrite_extras "%et"

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
--------------

As can be seen above, the first time a request was sent, the external
ACL helper was called, and then the url rewrite was called. When the
same request was repeated, squid skipped the acl helper, and proceeded
with URL rewriter.

If the acl helpers have exited, does squid stop processing requests?

Also, does setting the "tag" or clt_conn_tag have any effect on the
processing of requests by squid?

thanks,
Sreenath
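Added example, not code from the post or from the Squid project: a minimal helper pair for the configuration quoted above. It assumes the post's `external_acl_type jio_helper ... %PATH` line (so the ACL helper receives one request path per line and answers `OK tag=...` or `ERR`) and the post's `url_rewrite_program` with `url_rewrite_extras "%et"` (so the rewriter receives `<url> <tag>` per line). The key-to-tag table is constructed for the example. Two Squid behaviours visible in the log are built in: an external ACL reply is cached by Squid under its formatted key for `ttl=` seconds (default 3600), which is why a repeated request with the same `%PATH` does not reach the ACL helper again, and `rewrite-url=` must carry an absolute URL, since a bare token such as `something4` becomes `GET something4 HTTP/1.1` and is rejected as an invalid request.

```python
#!/usr/bin/env python3
"""Minimal Squid 3.5 helper pair: external ACL helper and URL rewriter.

Example code, not the post's helpers. Assumed squid.conf lines (from the post):
  external_acl_type jio_helper children-max=1 %PATH /usr/local/bin/acl
  url_rewrite_program /usr/local/bin/rewrite
  url_rewrite_extras "%et"
Run as "helper.py acl" or "helper.py rewrite"; one request per stdin line,
one reply per stdout line, flushed immediately.
"""
import sys
import urllib.parse

# Constructed sample table: download key -> tag handed to the rewriter.
# A real deployment would consult its authentication backend here.
VALID_KEYS = {"XXXYYY": "something4"}


def handle_acl_line(line: str) -> str:
    """Reply for one external-ACL request line (the %PATH of the request).

    Squid caches this reply under the exact %PATH key for ttl= seconds
    (default 3600), so the helper is not called again for a repeated path
    until the entry expires; choose the format fields with that in mind.
    """
    path = line.rstrip("\n")
    parsed = urllib.parse.urlsplit(path)
    key = urllib.parse.parse_qs(parsed.query).get("key", [None])[0]
    tag = VALID_KEYS.get(key) if key else None
    if tag is None:
        return "ERR"            # deny; http_access allow AclName does not match
    return f"OK tag={tag}"      # allow and set the request tag (%et)


def handle_rewrite_line(line: str) -> str:
    """Reply for one url_rewrite_program line: "<url> <tag>" (from %et).

    rewrite-url must be an absolute URL. Returning a bare token such as
    "something4" makes Squid build "GET something4 HTTP/1.1" and fail with
    "URL-rewrite produces invalid request", as seen in the post's log.
    Squid substitutes "-" for an unset format field, so "-" means no tag.
    """
    parts = line.rstrip("\n").split(" ")
    url = parts[0]
    tag = parts[1] if len(parts) > 1 else "-"
    if tag in ("", "-") or any(c in tag for c in ' "\t'):
        return "OK"             # no usable tag: leave the URL untouched
    parsed = urllib.parse.urlsplit(url)
    # Constructed rewrite rule: prefix the path with the tag, keep everything else.
    new_url = urllib.parse.urlunsplit(
        (parsed.scheme, parsed.netloc, f"/{tag}{parsed.path}",
         parsed.query, parsed.fragment))
    return f'OK rewrite-url="{new_url}"'


def main() -> None:
    mode = sys.argv[1] if len(sys.argv) > 1 else "acl"
    handler = handle_acl_line if mode == "acl" else handle_rewrite_line
    for line in sys.stdin:
        sys.stdout.write(handler(line) + "\n")
        sys.stdout.flush()      # Squid waits for the newline-terminated reply


if __name__ == "__main__":
    main()
```

Squid feeds each helper a line at a time on stdin and blocks the request until the reply line arrives, so `flush()` after every reply is required; with `children-max=1` a single slow or crashed helper process stalls every request that reaches it.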