[squid-users] ACL / http_access rules stop work using Squid 6+

Alex Rousskov rousskov at measurement-factory.com
Fri Mar 29 17:40:58 UTC 2024


On 2024-03-25 15:13, Bolinhas André wrote:

> Yes, the configuration is the same for both versions.

The logs archive you shared previously has expired, so I cannot double 
check, but from what I remember, the shared logs did not support the 
above assertion, so there may be more to the story here. However, to 
make progress, let's assume that v5 configuration files are identical to 
v6 configuration files.

1. Is there an "http_access allow all AnnotateFinalAllow" rule?

2. Is there an "http_access deny HTTP Group38 AnnotateRule28" rule?

3. Assuming the answers are "yes" and "yes", which rule comes first? If 
you use include files, this question applies to the imaginary 
preprocessed squid.conf file with all the include files inlined 
(recursively if needed). That kind of preprocessed configuration is what 
Squid effectively sees when compiling http_access rules, one by one. 
Which of the two rules will Squid see first?

One way to answer all of the above questions is to look at the following 
output:

     squid -k parse ... |& grep Processing:.http_access

Replace "..." with your regular squid startup command line options and 
adjust standard error redirection (|&) as needed for your shell. Run the 
above command for both Squid v5 and v6 binaries. You should see output 
like this:


> 2024/03/29 13:31:05| Processing: http_access allow manager
> 2024/03/29 13:31:05| Processing: http_access deny all


HTH,

Alex.


> ------------------------------------------------------------------------
> *From:* Alex Rousskov <rousskov at measurement-factory.com>
> *Sent:* Monday, March 25, 2024 19:12
> *To:* squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] ACL / http_access rules stop work using Squid 6+
> 
> 
> 
> On 2024-03-22 09:38, Andre Bolinhas wrote:
> 
>  > In previous versions of squid, from 3 to 5.9, I use this kind of deny
>  > rules and they work like a charm
>  >
>  > acl AnnotateRule28 annotate_transaction accessrule=Rule28
>  > http_access deny HTTP Group38 AnnotateRule28
>  >
>  > This allows me to deny objects without bump / show the error page
>  > (deny_info)
>  >
>  > But using squid 6+ these rules stop working and everything is allowed.
>  >
>  > Example:
>  > Squid 5.9 (OK)
>  > https://ibb.co/YdKgL1Y
>  >
>  > Squid 6.8 (NOK)
>  > https://ibb.co/tbyY2GV
>  >
>  > Sample of both cache.log in debug mode
>  >
>  > https://we.tl/t-T7Nz1rVbVu
> 
> 
> In your v6 logs, most logged transactions are allowed because a rule
> similar to the one reconstructed below is matching:
> 
>       http_access allow all AnnotateFinalAllow
> 
> 
> There are similar cases in v5 logs as well, but most denied v5
> transactions match the following rule instead (i.e. the one you shared
> above):
> 
>       http_access deny HTTP Group38 AnnotateRule28
> 
> 
> In your Squid configuration, the v6 allow rule is listed much higher than the v5
> deny rule (#43 vs #149). I do not see any signs of Group38 or
> AnnotateRule28 ACL evaluation in v6 logs, as if the rule sets are
> different for two different Squid instances. Are you using the same set
> of http_access rules for both Squid versions?
> 
> Alex.
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
> 
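One way to mechanise the ordering check Alex describes (an added example for this thread, not Squid's own tooling or code from either poster): pipe the `squid -k parse` output into a script that numbers the http_access rules in the order Squid compiles them, finds the position of a given rule, and reports the first rule that every transaction matches. Since annotate_transaction ACLs (like the built-in "all") always match, every http_access rule after an "allow all AnnotateFinalAllow" line is unreachable. The sample output below and the accessrule=FinalAllow value are constructed, not taken from the shared logs.

```python
import re
import sys

# `squid -k parse` prints one "Processing:" line per directive, in the order Squid compiles them.
ACL_RE = re.compile(r"\|\s*Processing:\s+acl\s+(\S+)\s+(\S+)")
ACCESS_RE = re.compile(r"\|\s*Processing:\s+http_access\s+(allow|deny)\s+(.*?)\s*$")
# ACL types that match every transaction (they only add annotations), like the built-in "all".
ALWAYS_MATCHING_TYPES = {"annotate_transaction", "annotate_client"}


def parse_rules(output):
    """Return ([(ordinal, action, [acl names]), ...], set of always-matching ACL names)."""
    always = {"all"}
    rules = []
    for line in output.splitlines():
        acl = ACL_RE.search(line)
        if acl:
            if acl.group(2) in ALWAYS_MATCHING_TYPES:
                always.add(acl.group(1))
            continue
        access = ACCESS_RE.search(line)
        if access:
            rules.append((len(rules) + 1, access.group(1), access.group(2).split()))
    return rules, always

def rule_ordinal(rules, action, acls):
    """1-based position of the first rule with exactly this action and ACL list, else None."""
    return next((n for n, act, names in rules if act == action and names == acls), None)

def first_catch_all(rules, always):
    """Position of the first rule whose ACLs all always match; every later rule is unreachable."""
    return next((n for n, _, names in rules if names and all(a in always for a in names)), None)

# Constructed sample in the format `squid -k parse` prints; not real output from the thread.
SAMPLE_V6 = """\
2024/03/29 13:31:05| Processing: acl AnnotateFinalAllow annotate_transaction accessrule=FinalAllow
2024/03/29 13:31:05| Processing: acl AnnotateRule28 annotate_transaction accessrule=Rule28
2024/03/29 13:31:05| Processing: http_access allow manager
2024/03/29 13:31:05| Processing: http_access deny !Safe_ports
2024/03/29 13:31:05| Processing: http_access allow all AnnotateFinalAllow
2024/03/29 13:31:05| Processing: http_access deny HTTP Group38 AnnotateRule28
2024/03/29 13:31:05| Processing: http_access deny all
"""

if __name__ == "__main__":  # usage: squid -k parse 2>&1 | python3 check_order.py
    rules, always = parse_rules(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_V6)
    print(f"deny rule is #{rule_ordinal(rules, 'deny', ['HTTP', 'Group38', 'AnnotateRule28'])}")
    dead = first_catch_all(rules, always)
    if dead is not None:
        print(f"rule #{dead} matches every transaction, so rules after it never run")
```

Run it against both the v5 and the v6 binary's parse output; if the catch-all rule's number is lower than the deny rule's number, the deny rule is dead code regardless of how the ACLs evaluate.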