[squid-users] ACLs allow/deny logic
Alex Rousskov
rousskov at measurement-factory.com
Tue Jun 27 16:26:48 UTC 2017
On 06/27/2017 12:31 AM, Vieri wrote:
> http_access deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips
> http_reply_access deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips
> http_access deny intercepted !localnet
> http_access allow localnet
> http_access deny all
> "The reply for POST http://149.154.165.120/api is DENIED, because it matched allowed_restricted1_ips"
Squid "matched ACL" reporting code is badly designed and often leads to
misleading results. In this particular case, Squid wanted to say "it
matched !allowed_restricted1_ips" but could not. Older Squids were
especially broken in this area, but even modern ones suffer from the
same design flaw. This flaw is a known problem:
> // XXX: AclMatchedName does not contain a matched ACL name when the acl
> // does not match. It contains the last (usually leaf) ACL name checked
> // (or is NULL if no ACLs were checked).
You can work around most of these problems by appending an
always-matching ACL to every http_access rule you want to identify and
making sure that at least one rule always matches. The former can be
done using an any-of ACL in older Squids or annotate_transaction ACL in
modern Squids. You are already doing the latter with "deny all".
HTH,
Alex.
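An added example, not from this thread or from the Squid project, of the workaround Alex describes applied to Vieri's rules: each rule to be identified gets a trailing annotate_transaction ACL, which always matches, so whenever the rule as a whole matches, the last ACL Squid checked (and therefore the name it reports) is the one naming that rule. It assumes Squid 4 or later for annotate_transaction; the marker ACL names, the annotation key `rule` and its values, and the logformat line are this example's own choices, and the other ACLs are assumed to be defined earlier in squid.conf as in Vieri's configuration.

```conf
# Always-matching marker ACLs whose only job is to name the rule they end.
# annotate_transaction never fails to match and, as a side effect, records
# rule=<value> on the transaction (Squid 4+). Names and values are this
# example's own choices.
acl rule_restricted1_req     annotate_transaction rule=restricted1_req
acl rule_restricted1_rep     annotate_transaction rule=restricted1_rep
acl rule_intercepted_nonlocal annotate_transaction rule=intercepted_nonlocal
acl rule_localnet_allow      annotate_transaction rule=localnet_allow

# Each rule keeps its original terms; the marker is appended LAST so it is
# only reached (and reported) when every earlier term on the line matched.
# If an earlier term fails, Squid moves on to the next rule instead.
http_access deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips rule_restricted1_req
http_reply_access deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips rule_restricted1_rep
http_access deny intercepted !localnet rule_intercepted_nonlocal
http_access allow localnet rule_localnet_allow

# Catch-all, unchanged from the original: guarantees that some rule always
# matches, so the reported name is never a stale leaf from a failed rule.
http_access deny all

# Optional: write the annotation to access.log via the %note code, so the
# deciding rule is visible in the log regardless of the "matched ACL" text.
# Format is the native "squid" format with one field added at the end.
logformat withrule %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt rule=%{rule}note
access_log /var/log/squid/access.log withrule
```

Run `squid -k parse` after editing to confirm the ACL and logformat lines are accepted by your Squid version before reconfiguring. With this in place, the case from the original post would be reported against rule_restricted1_req or rule_restricted1_rep when the restricted-MIME rule really fired, and against `all` when the request fell through to the catch-all.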