[squid-users] adaptation_access not working with squid acl's

Stephen Stark logic4life at gmail.com
Wed Jul 20 23:08:36 UTC 2016


Thank you, myportname did the trick!

On Jul 16, 2016 8:21 AM, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:

> On 16/07/2016 2:38 a.m., Stephen Stark wrote:
> > Hello,
> >
> > I think I figured out what the problem is, but I'd appreciate it if someone
> > could check my reasoning.
> >
> > My ACL is type localport, so I'm targeting the original request to Squid
> > based on the Squid port the client is connecting to:
> >
> > acl test localport 4000
> >
> > Then I enable adaptation_access based on the ACL test:
> >
> > adaptation_access service_avi_req allow test
> > adaptation_access service_avi_resp allow test
> >
> > So here is where I think the problem is.  The client is connecting to Squid
> > on port 4000, so the initial request is put in the ACL "test"; however, for
> > some reason this ACL is not being hit when adaptation_access is being used.
>
> Correct. Something named "Test" with an upper-case 'T' is being checked.
>
> > I'm wondering if the reason is
> > because localport is no longer the port the client connected to Squid on,
> > but rather the port Squid is using to connect to the ICAP server?
> >
> > I've verified with full debugging that the test ACL is not matched in the
> > adaptation checks:
> >
> > (initial request)
> >
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking '64.182.224.149'
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: '64.182.224.149' NOT found
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: nobumpSites = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
>
> Notice how the above are ssl_bump rules.
>
> http_access and adaptation_access checking for the initial request
> happen long before ssl_bump is reached.
>
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=ALLOWED
> >
> > (And now I'm guessing this is adaptation checking ACL's)
> >
>
> No need to guess. Squid logs the type of *_access that is being checked.
> See above about how I determined those were ssl_bump rules.
>  ...
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
>
> ... so these are http_access being checked.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf40bb8 answer=ALLOWED
>
> ... the request is ALLOWED (to use the proxy) by http_access.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
>
> ... this is adaptation_access.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
>
> So, er, a line "adaptation_access ... deny all" is being checked.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=DENIED
>
> adaptation_access rules DENIED adaptation being used on this request.
>
>
> Port(s) were never considered. Only IP address to match the "all" ACL.
>
> What is the full set of adaptation_access lines in your config?
> It seems there are more or different entries from the ones you mentioned
> already.
>
> >
> > What I don't get, however, is that in the above log entry snapshot the client
> > source port (192.168.100.6) is shown, so I'd assume the localport would
> > match.
>
> Is the traffic explicit/forward-proxy, reverse-proxy, intercepted or
> tproxy?
>
> TCP port numbers are different in value and/or meaning for each of the
> above. It's things like that which are why the "myportname" ACL is
> preferred over any checking of the port values.
>
> Use name= option on any *_port to name it explicitly, otherwise its name
> will be the textual representation of whatever exists in the host:port /
> IP:port field of the line.
>
> >
> > This works if I change the ACL type to src IP address rather than
> > localport; however, the whole point of this is that I have another
> > facility that is categorizing users by group and distributing them to Squid
> > on specific destination ports.  So I really need this to work based on
> > localport.
> >
> > Any thoughts?
> >
>
> Please try 'myportname' ACL.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
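As an added illustration of the closing advice (example code written for this page, not from the thread or the Squid project): a small Python check that derives each *_port line's effective name using the rule Amos gives (name= if present, otherwise the textual host:port field that follows the directive) and flags myportname ACLs that reference a name no port defines, which is one way such an ACL silently never matches. The squid.conf fragment, port numbers and ACL names are constructed.

```python
import re

# Constructed squid.conf fragment: three listening ports, one with explicit name=.
# grp_c references "4002", which no *_port line defines, so it can never match.
SAMPLE_CONF = """\
http_port 3128
http_port 4000 intercept name=group_a
http_port 192.168.100.1:4001 intercept
acl test localport 4000
acl grp_a myportname group_a
acl grp_b myportname 192.168.100.1:4001
acl grp_c myportname 4002
adaptation_access service_avi_req allow grp_a
adaptation_access service_avi_req deny all
"""

PORT_DIRECTIVES = ("http_port", "https_port")


def port_names(conf):
    """Map each *_port's effective name to its config line.
    name= wins; otherwise the name is the literal host:port / IP:port / port field."""
    names = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in PORT_DIRECTIVES:
            continue
        explicit = [p[len("name="):] for p in parts[2:] if p.startswith("name=")]
        names[explicit[0] if explicit else parts[1]] = line
    return names


def myportname_acls(conf):
    """Map each 'acl NAME myportname ...' line to the port names it lists."""
    acls = {}
    for line in conf.splitlines():
        m = re.match(r"acl\s+(\S+)\s+myportname\s+(.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).extend(m.group(2).split())
    return acls


def dangling_myportname(conf):
    """Return (acl, value) pairs whose value matches no defined port name."""
    defined = port_names(conf)
    return [(acl, v) for acl, vals in myportname_acls(conf).items()
            for v in vals if v not in defined]
```

Running `dangling_myportname(SAMPLE_CONF)` on the constructed fragment reports only grp_c; the explicitly named group_a port and the implicitly named 192.168.100.1:4001 port both resolve.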