[squid-users] ACL / http_access rules stop work using Squid 6+
Alex Rousskov
rousskov at measurement-factory.com
Mon Apr 15 13:12:33 UTC 2024
On 2024-04-14 17:23, Andre Bolinhas wrote:
> Any tip on this matter? I want to upgrade to squid 6.9 but due to this
> issue, i'm stuck.
Hi Andre,
Please note that I did _not_ receive your email quoted below. It is
in the email archive, so the problem is not on your end, but I just
wanted to mention that I was not (knowingly) ignoring you.
> I have re-uploaded the cache.log files.
The files have expired again. I have reviewed the diff you shared, but
cannot make further progress without those test logs. Hopefully, your
next list post reaches me.
Alex.
> On 01/04/2024 11:53, Andre Bolinhas wrote:
>>
>> Hi Alex
>>
>> Thanks for your help on the matter.
>>
>>
>>> The logs archive you shared previously has expired, so I cannot
>>> double check, but from what I remember, the shared logs did not
>>> support the above assertion, so there may be more to the story here.
>>> However, to make progress, let's assume that v5 configuration files
>>> are identical to v6 configuration files.
>> If you want, I can run the same test with in a different debug
>> parameters, just tell which ones.
>>
>> I have re-uploaded the cache.log files.
>> https://we.tl/t-AB4XuUwuf7
>>
>>> One way to answer all of the above questions is to look at the
>>> following output:
>>>
>>> squid -k parse ... |& grep Processing:.http_access
>> There is no diff between both squid version, you can check it here
>> DiffNow - Compare Files, URLs, and Clipboard Contents Online
>> <https://www.diffnow.com/report/jsrva>
>>
>>> The logs archive you shared previously has expired, so I cannot
>>> double check, but from what I remember, the shared logs did not
>>> support the above assertion, so there may be more to the story here.
>>> However, to make progress, let's assume that v5 configuration files
>>> are identical to v6 configuration files.
>> The configuration files / folder are the same, the server is the same,
>> the only thing that changes is the Squid version
>>
>> On 29/03/2024 17:40, Alex Rousskov wrote:
>>> On 2024-03-25 15:13, Bolinhas André wrote:
>>>
>>>> Yes, the configuration is the same for both versions.
>>>
>>> The logs archive you shared previously has expired, so I cannot
>>> double check, but from what I remember, the shared logs did not
>>> support the above assertion, so there may be more to the story here.
>>> However, to make progress, let's assume that v5 configuration files
>>> are identical to v6 configuration files.
>>>
>>> 1. Is there an "http_access allow all AnnotateFinalAllow" rule?
>>>
>>> 2. Is there an "http_access deny HTTP Group38 AnnotateRule28" rule?
>>>
>>> 3. Assuming the answers are "yes" and "yes", which rule comes first?
>>> If you use include files, this question applies to the imaginary
>>> preprocessed squid.conf file with all the include files inlined
>>> (recursively if needed). That kind of preprocessed configuration is
>>> what Squid effectively sees when compiling http_access rules, one by
>>> one. Which of the two rules will Squid see first?
>>>
>>> One way to answer all of the above questions is to look at the
>>> following output:
>>>
>>> squid -k parse ... |& grep Processing:.http_access
>>>
>>> Replace "..." with your regular squid startup command line options
>>> and adjust standard error redirection (|&) as needed for your shell.
>>> Run the above command for both Squid v5 and v6 binaries. You should
>>> see output like this:
>>>
>>>
>>>> 2024/03/29 13:31:05| Processing: http_access allow manager
>>>> 2024/03/29 13:31:05| Processing: http_access deny all
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>>>
>>>
>>>> ------------------------------------------------------------------------
>>>> *De:* Alex Rousskov <rousskov at measurement-factory.com>
>>>> *Enviado:* segunda-feira, 25 de março de 2024 19:12
>>>> *Para:* squid-users at lists.squid-cache.org
>>>> *Assunto* Re: [squid-users] ACL / http_access rules stop work using
>>>> Squid 6+
>>>>
>>>>
>>>>
>>>> On 2024-03-22 09:38, Andre Bolinhas wrote:
>>>>
>>>> > In previous versions of squid, from 3 to 5.9, I use this kind of
>>>> deny
>>>> > rules and they work like charm
>>>> >
>>>> > acl AnnotateRule28 annotate_transaction accessrule=Rule28
>>>> > http_access deny HTTP Group38 AnnotateRule28
>>>> >
>>>> > This allows me to deny objects without bump / show the error page
>>>> > (deny_info)
>>>> >
>>>> > But using squid 6+ this rules stop to work and everything is
>>>> allowed.
>>>> >
>>>> > Example:
>>>> > Squid 5.9 (OK)
>>>> > https://ibb.co/YdKgL1Y
>>>> >
>>>> > Squid 6.8 (NOK)
>>>> > https://ibb.co/tbyY2GV
>>>> >
>>>> > Sample of both cache.log in debug mode
>>>> >
>>>> > https://we.tl/t-T7Nz1rVbVu
>>>>
>>>>
>>>> In you v6 logs, most logged transactions are allowed because a rule
>>>> similar to the one reconstructed below is matching:
>>>>
>>>> http_access allow all AnnotateFinalAllow
>>>>
>>>>
>>>> There are similar cases in v5 logs as well, but most denied v5
>>>> transactions match the following rule instead (i.e. the one you shared
>>>> above):
>>>>
>>>> http_access deny HTTP Group38 AnnotateRule28
>>>>
>>>>
>>>> In your Squid configuration, v6 allow rule is listed much higher
>>>> than v5
>>>> deny rule (#43 vs #149). I do not see any signs of Group38 or
>>>> AnnotateRule28 ACL evaluation in v6 logs, as if the rule sets are
>>>> different for two different Squid instances. Are you using the same set
>>>> of http_access rules for both Squid versions?
>>>>
>>>> Alex.
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> https://lists.squid-cache.org/listinfo/squid-users
>>>>
>>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list