[squid-users] adaptation_access not working with squid acl's

Amos Jeffries squid3 at treenet.co.nz
Sat Jul 16 12:20:38 UTC 2016


On 16/07/2016 2:38 a.m., Stephen Stark wrote:
> Hello,
> 
> I think I figured out what the problem is but I'd appreciate if someone
> could check my reasoning.
> 
> My ACL is type localport, so I'm targeting the original request to Squid
> based on the Squid port the client is connecting to:
> 
> acl test localport 4000
> 
> Then I enable adaptation_access based on the ACL test:
> 
> adaptation_access service_avi_req allow test
> adaptation_access service_avi_resp allow test
> 
> So here is where I think the problem is.  The client is connecting to Squid
> on port 4000, so the initial request is put in the ACL "test", however for
> some reason this ACL is not being hit when adaptation_access is being used.

Correct. Something named "Test" with an upper-case 'T' is being checked.

> I'm wondering if the reason is
> because localport is no longer the port the client connected to Squid on,
> but rather the port Squid is using to connect to the ICAP server?
> 
> I've verified with full debugging that the test ACL is not matched in the
> adaptation checks:
> 
> (initial request)
> 
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8
> checking slow rules
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking
> '64.182.224.149'
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match:
> '64.182.224.149' NOT found
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: 'none' NOT
> found
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked:
> nobumpSites = 0
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump
> rule) = 0
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump
> rule) = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump
> rules) = 1

Notice how the above are ssl_bump rules.

http_access and adaptation_access checking for the initial request
happen long before ssl_bump is reached.


> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8
> answer ALLOWED for match
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback:
> ACLChecklist::checkCallback: 0xf3c2f8 answer=ALLOWED
> 
> (And now I'm guessing this is adaptation checking ACLs)
> 

No need to guess. Squid logs the type of *_access that is being checked.
See above about how I determined those were ssl_bump rules.
 ...

> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8
> checking slow rules
> 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '
> 192.168.100.6:61769' found
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access#1 = 1

... so these are http_access being checked.

> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked:
> http_access = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8
> answer ALLOWED for match
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback:
> ACLChecklist::checkCallback: 0xf40bb8 answer=ALLOWED

... the request is ALLOWED (to use the proxy) by http_access.

> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8
> checking slow rules
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked:
> adaptation_access#1 = 0

... this is adaptation_access.

> 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '
> 192.168.100.6:61769' found
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1

So, er, a line "adaptation_access ... deny all" is being checked.

> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked:
> adaptation_access#2 = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked:
> adaptation_access = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8
> answer DENIED for match
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback:
> ACLChecklist::checkCallback: 0xf3c2f8 answer=DENIED

adaptation_access rules DENIED adaptation being used on this request.


Port(s) were never considered. Only IP address to match the "all" ACL.

What is the full set of adaptation_access lines in your config?
It seems there are more or different entries from the ones you mentioned
already.

> 
> What I don't get however is in this above log entry snapshot, the client
> source port (192.168.100.6) is shown, so I'd assume the localport would
> match.

Is the traffic explicit/forward-proxy, reverse-proxy, intercepted or
tproxy?

TCP port numbers are different in value and/or meaning for each of the
above. It's things like that which are why the "myportname" ACL is
preferred over any checking of the port values.

Use name= option on any *_port to name it explicitly, otherwise its name
will be the textual representation of whatever exists in the host:port /
IP:port field of the line.

> 
> This works if I change the ACL type to src IP address rather than
> localport, however the whole point of this is because I have another
> facility that is categorizing users by group and distributing them to Squid
> on specific destination ports.  So I really need this to work based on
> localport.
> 
> Any thoughts?
> 

Please try 'myportname' ACL.

Amos
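As an added example, not part of this thread or of Squid itself: a small Python parser that does mechanically what the reply above does by eye, grouping the 28,3 cache.log lines by checklist, reading the *_access directive off the "checked:" lines, and listing any ACL names that are not the ones you expected the directive to reference. The log text is constructed from the excerpt in the thread with the wrapped lines rejoined; the function names are my own.

```python
import re

# Constructed sample input: the 28,3 cache.log lines quoted in the thread, with the
# wrapped lines rejoined. Names and results are exactly those in the excerpt.
SAMPLE_LOG = """\
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
"""

PRECHECK = re.compile(r"preCheck: (0x[0-9a-f]+)")
CHECKED = re.compile(r"matches: checked: (.+?) = (\d)$")
FINISHED = re.compile(r"markFinished: (0x[0-9a-f]+) answer (\w+)")
DIRECTIVE = re.compile(r"^(\w+_access)(#\d+)?$")   # http_access#1, adaptation_access, ...

def parse_checklists(log_text):
    """One record per ACL checklist run: pointer, the *_access directive being
    evaluated (read off 'checked: <directive>#n'), ACLs tested with 0/1 results, verdict."""
    checks, current = [], None
    for line in log_text.splitlines():
        if m := PRECHECK.search(line):             # a new checklist starts
            current = {"id": m.group(1), "type": None, "acls": [], "answer": None}
            checks.append(current)
        elif (m := CHECKED.search(line)) and current is not None:
            name, result = m.group(1), int(m.group(2))
            if name.startswith("(ssl_bump"):        # "(ssl_bump rule) = 1" style lines
                current["type"] = "ssl_bump"
            elif d := DIRECTIVE.match(name):
                current["type"] = d.group(1)
            else:                                   # an actual ACL, e.g. Test or all
                current["acls"].append((name, result))
        elif (m := FINISHED.search(line)) and current is not None:
            current["answer"] = m.group(2)          # ALLOWED / DENIED
            current = None
    return checks

def unexpected_acls(checks, expected_names):
    """ACL names seen in 'checked:' lines that are not in the set you expect the
    directive to reference. Exact string compare, so Test vs test shows up."""
    return sorted({n for c in checks for n, _ in c["acls"] if n not in expected_names})
```

Running it over the constructed sample yields one http_access run that was ALLOWED and one adaptation_access run that was DENIED, with "Test" flagged because the expected set contains only "test" and "all".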

