[squid-users] ACL / http_access rules stop work using Squid 6+

Bolinhas André andre.bolinhas at articatech.com
Wed Mar 27 03:59:23 UTC 2024


Hi. 

The configuration is the exact copy between squid 5 and squid 6, nothing changes except the squid version. 

Any idea what can cause this issue on squid 6?

Best regards 


--------------------------------
From: Alex Rousskov <rousskov at measurement-factory.com>
Sent: Monday, March 25, 2024 19:12
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] ACL / http_access rules stop work using Squid 6+



On 2024-03-22 09:38, Andre Bolinhas wrote:

> In previous versions of squid, from 3 to 5.9, I use this kind of deny 
> rules and they work like a charm
> 
> acl AnnotateRule28 annotate_transaction accessrule=Rule28
> http_access deny HTTP Group38 AnnotateRule28
> 
> This allows me to deny objects without bump / show the error page 
> (deny_info)
> 
> But using squid 6+ these rules stop working and everything is allowed.
> 
> Example:
> Squid 5.9 (OK)
> https://ibb.co/YdKgL1Y
> 
> Squid 6.8 (NOK)
> https://ibb.co/tbyY2GV
> 
> Sample of both cache.log in debug mode
> 
> https://we.tl/t-T7Nz1rVbVu


In your v6 logs, most logged transactions are allowed because a rule 
similar to the one reconstructed below is matching:

     http_access allow all AnnotateFinalAllow


There are similar cases in v5 logs as well, but most denied v5 
transactions match the following rule instead (i.e. the one you shared 
above):

     http_access deny HTTP Group38 AnnotateRule28


In your Squid configuration, v6 allow rule is listed much higher than v5 
deny rule (#43 vs #149). I do not see any signs of Group38 or 
AnnotateRule28 ACL evaluation in v6 logs, as if the rule sets are 
different for two different Squid instances. Are you using the same set 
of http_access rules for both Squid versions?

Alex.
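
One way to answer the closing question, as an added example that is not part of the original thread or of Squid: extract the ordered http_access rules from two configurations, diff them, and list the allow rules that precede a given deny rule (Squid applies the first matching http_access rule). The two configurations below are constructed samples that reuse the ACL names from the thread; `include` files and conditional blocks are assumed absent and are not followed.

```python
import difflib

def http_access_rules(conf_text):
    """Return [(position, action, acl_names)] for http_access lines, in config order."""
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split()
        # Commented-out rules start with "#", so parts[0] is not "http_access".
        if len(parts) >= 2 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((len(rules) + 1, parts[1], tuple(parts[2:])))
    return rules

def _fmt(rules):
    return [f"{action} {' '.join(acls)}" for _, action, acls in rules]

def rule_diff(rules_a, rules_b):
    """Diff of the two ordered rule lists; empty when rules and their order are identical."""
    return list(difflib.unified_diff(_fmt(rules_a), _fmt(rules_b), "a", "b", lineterm="", n=0))

def earlier_allows(rules, action, acls):
    """Allow rules listed before the given rule; any of them may decide the request first."""
    target = next((p for p, act, names in rules if act == action and names == tuple(acls)), None)
    if target is None:
        return None  # the rule is absent from this configuration
    return [(p, names) for p, act, names in rules if act == "allow" and p < target]

# Constructed sample configurations (not the poster's real squid.conf files).
CONF_A = """\
http_access deny HTTP Group38 AnnotateRule28
http_access allow all AnnotateFinalAllow
http_access deny all
"""
CONF_B = """\
http_access allow all AnnotateFinalAllow
# http_access deny HTTP Group38
http_access deny HTTP Group38 AnnotateRule28
http_access deny all
"""

if __name__ == "__main__":
    a, b = http_access_rules(CONF_A), http_access_rules(CONF_B)
    print("\n".join(rule_diff(a, b)) or "rule lists are identical")
    deny = ("HTTP", "Group38", "AnnotateRule28")
    for name, rules in (("A", a), ("B", b)):
        print(name, "allow rules ahead of the deny rule:", earlier_allows(rules, "deny", deny))
```

An allow rule listed ahead of the deny rule only wins if all of its ACLs match at run time, so the output is a list of candidates to check against cache.log, not a verdict.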
