[squid-users] ACL dst handled differently in intercept after rewrite

Craig Gowing craig.gowing at appliansys.com
Tue Feb 14 17:27:03 UTC 2017


Hi all,

I've got a squid server running which allows direct proxy and also can
intercept traffic:

http_port 10.0.0.1:3128
http_port 10.0.0.1:3129 intercept

---

There is a URL rewriter which allows the incoming requests (this is just an
example, I don't really allow all):

url_rewrite_access allow all
url_rewrite_program /usr/bin/myrewriter

---

This rewriter will rewrite some URLs to a host on the same network, with
the intention that the request should not be cached by squid, e.g.
http://example.net/somefile.bin -> http://10.0.0.2/example.net/somefile.bin.
So a cache_deny directive is used for this:

acl local_store dst 10.0.0.2
cache deny local_store

---

Now when requesting this URL using a defined proxy the ACL matches and the
request is not cached. If using intercept the ACL does not match and it
does get cached (which caused some storage duplication on the network).
The debug info shows the following:

Proxy:
curl -x "10.0.0.1:3128" "http://example.net/somefile.bin" > /dev/null
Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 10.0.0.2/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.0.2)  vs 10.0.0.2-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]

Intercept:
curl "http://example.net/somefile.bin" > /dev/null # Intercepted on the NAT tables
Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 93.184.216.34:80/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (93.184.216.34:80) vs 10.0.0.2-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]

This seems to show that the ACL is processed at a different stage for the
two different modes. Now I'm wondering if this is intentional and I
shouldn't be using the 'dst' ACL here, or should it be more consistent and
give the same result regardless?

I have a solution to use the 'url_regex' ACL instead which seems consistent
between the two modes, but it may slightly affect performance.

I couldn't find a huge amount of info on what order the ACLs are processed,
so if anybody could let me know what the expected behaviour should be that
would be much appreciated.

Thanks,
Craig
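The quickest way to confirm which destination address a `dst` ACL actually saw in each mode is to re-evaluate the `aclIpAddrNetworkCompare` lines from cache.log rather than reading them by eye. The script below is an added example written for this thread, not code from the post or from the Squid project; it assumes the debug line format exactly as quoted above (the two sample lines are copied from the post and joined back onto single lines), parses the address under test and the ACL entry, and redoes the masked comparison the line records. Running it on real cache.log output is a simple audit of whether the cache deny ACL matched the rewritten host (10.0.0.2) or the original TCP destination.

```python
import re
from ipaddress import IPv4Address, IPv6Address

# Regex for the Ip.cc aclIpAddrNetworkCompare debug line, based on the two
# lines quoted in the post (assumption: other Squid builds print the same shape).
COMPARE_RE = re.compile(
    r"aclIpAddrNetworkCompare: compare:\s+"
    r"(?P<req>\d+\.\d+\.\d+\.\d+)(?::(?P<port>\d+))?"          # address Squid is testing
    r"/\[(?P<req_mask>[0-9a-fA-F:]+)\]\s+\([^)]*\)\s+vs\s+"
    r"(?P<acl_lo>\d+\.\d+\.\d+\.\d+)-\[(?P<acl_hi>[0-9a-fA-F:]*)\]"  # ACL entry (range end)
    r"/\[(?P<acl_mask>[0-9a-fA-F:]+)\]"                        # ACL netmask
)

# Constructed sample input: the two debug lines from the post, unwrapped.
SAMPLE_LOG = {
    "proxy": (
        "Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: "
        "10.0.0.2/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (10.0.0.2)  vs "
        "10.0.0.2-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]"
    ),
    "intercept": (
        "Ip.cc(95) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: "
        "93.184.216.34:80/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (93.184.216.34:80) vs "
        "10.0.0.2-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]"
    ),
}


def v4_mask_bits(mask_text):
    """Squid prints masks as 128-bit IPv6 values; for IPv4 only the low 32 bits apply."""
    return int(IPv6Address(mask_text)) & 0xFFFFFFFF


def parse_compare(line):
    """Extract the tested address, optional port, and ACL entry from one debug line."""
    m = COMPARE_RE.search(line)
    if not m:
        return None
    return {
        "request_ip": m["req"],
        "port": int(m["port"]) if m["port"] else None,
        "acl_ip": m["acl_lo"],
        "acl_mask": v4_mask_bits(m["acl_mask"]),
    }


def acl_matches(line):
    """Redo the network comparison the line records: same network under the ACL mask."""
    c = parse_compare(line)
    if c is None:
        raise ValueError("not an aclIpAddrNetworkCompare line")
    req = int(IPv4Address(c["request_ip"])) & c["acl_mask"]
    acl = int(IPv4Address(c["acl_ip"])) & c["acl_mask"]
    return req == acl


def audit(log_lines):
    """Map each labelled line to (address the ACL saw, whether the ACL matched)."""
    return {label: (parse_compare(line)["request_ip"], acl_matches(line))
            for label, line in log_lines.items()}


if __name__ == "__main__":
    for mode, (seen, matched) in audit(SAMPLE_LOG).items():
        print(f"{mode:10s} dst ACL compared against {seen:15s} match={matched}")
```

For the quoted lines the output shows the proxy-mode check comparing 10.0.0.2 (the rewritten host) and matching, while the intercept-mode check compares 93.184.216.34:80 (the original TCP destination of the intercepted connection) and does not match, which is why the cache deny never fires in that mode.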