[squid-users] adaptation_access not working with squid acl's

Stephen Stark logic4life at gmail.com
Fri Jul 15 14:38:40 UTC 2016


Hello,

I think I figured out what the problem is but I'd appreciate if someone
could check my reasoning.

My ACL is type localport, so I'm targeting the original request to Squid
based on the Squid port the client is connecting to:

acl test localport 4000

Then I enable adaptation_access based on the ACL test:

adaptation_access service_avi_req allow test
adaptation_access service_avi_resp allow test

So here is where I think the problem is.  The client is connecting to Squid
on port 4000, so the initial request is put in the ACL "test"; however, for
some reason this ACL is not being hit when adaptation_access is being used.
I'm wondering if the reason is because localport is no longer the port the
client connected to Squid on, but rather the port Squid is using to connect
to the ICAP server?

I've verified with full debugging that the test ACL is not matched in the
adaptation checks:

(initial request)

2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking '64.182.224.149'
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: '64.182.224.149' NOT found
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: nobumpSites = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=ALLOWED

(And now I'm guessing this is adaptation checking ACLs)

2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf40bb8 answer=ALLOWED
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=DENIED

What I don't get however is in this above log entry snapshot, the client
source port (192.168.100.6) is shown, so I'd assume the localport would
match.

This works if I change the ACL type to src IP address rather than
localport, however the whole point of this is because I have another
facility that is categorizing users by group and distributing them to Squid
on specific destination ports.  So I really need this to work based on
localport.

Any thoughts?





On Fri, Jul 15, 2016 at 6:53 AM, Yuri Voinov <yvoinov at gmail.com> wrote:

> 15.07.2016 15:41, Amos Jeffries wrote:
> > On 15/07/2016 6:35 a.m., Yuri Voinov wrote:
> >>
> >> http://wiki.squid-cache.org/action/show/HelpOnAccessControlLists?action=show&redirect=HelpOnAcl
> >>
> >
> > Yuri; note that the "HelpOn" wiki pages are for help using the wiki
> > itself. Not help using Squid.
> Oooooooops. My mistake.
> >
> >
> > I think you meant to reference:
> > <http://wiki.squid-cache.org/SquidFaq/SquidAcl>
> Yes, sure.
> >
> >
> > Amos
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
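
An added example, not part of the original post or of Squid itself: a small Python helper that splits a debug section 28,3 trace into individual checks and reports how one ACL evaluated under each directive. The sample is constructed from the log lines quoted in the message above (unwrapped and trimmed); the function names are hypothetical, and the code assumes checks do not interleave in the trace.

```python
import re

# Constructed sample: lines from the debug excerpt in the post, unwrapped and trimmed.
SAMPLE = """\
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
"""

PRE = re.compile(r"preCheck: (0x[0-9a-f]+)")
ACL = re.compile(r"matches: checked: (.+?) = ([01])\s*$")
FIN = re.compile(r"markFinished: (0x[0-9a-f]+) answer (\w+)")

def split_checks(log):
    """Split a 28,3 trace into checks, one per preCheck..markFinished span."""
    # The checklist address is reused (0xf3c2f8 appears in two different checks
    # in the post), so spans are delimited by position, not keyed by address.
    checks, current = [], None
    for line in log.splitlines():
        if PRE.search(line):
            current = []
        elif current is not None and (m := ACL.search(line)):
            current.append((m.group(1), int(m.group(2))))
        elif current is not None and (m := FIN.search(line)):
            directive = current[-1][0] if current else "?"  # last name checked
            checks.append({"directive": directive, "answer": m.group(2), "acls": current})
            current = None
    return checks

def acl_history(log, name):
    """Return (directive, result, answer) for every check that evaluated `name`."""
    return [(c["directive"], r, c["answer"])
            for c in split_checks(log) for n, r in c["acls"] if n == name]

if __name__ == "__main__":
    print(acl_history(SAMPLE, "Test"))
```

Run over the excerpt, this puts the two evaluations of Test side by side: 1 under the ssl_bump check and 0 under adaptation_access, within the same millisecond and for the same client.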