<!DOCTYPE html>
<html data-lt-installed="true">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body style="padding-bottom: 1px;">
<p>Hi Alex,<br>
Thnks for your reply.</p>
<p>Logs uploaded again, you can find it here.</p>
<p><a class="moz-txt-link-freetext" href="https://we.tl/t-QiSKMgclOb">https://we.tl/t-QiSKMgclOb</a></p>
<p>Best regards<br>
</p>
<div class="moz-cite-prefix">On 15/04/2024 14:12, Alex Rousskov
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01c18e16-e7f2-462e-9c55-3cf6adc33e84@measurement-factory.com">On
2024-04-14 17:23, Andre Bolinhas wrote:
<br>
<br>
<blockquote type="cite">Any tip on this matter? I want to upgrade
to squid 6.9 but due to this issue, i'm stuck.
<br>
</blockquote>
<br>
<br>
Hi Andre,
<br>
<br>
Please note that I did _not_ receive your email quoted below.
It is in the email archive, so the problem is not on your end, but
I just wanted to mention that I was not (knowingly) ignoring you.
<br>
<br>
> I have re-uploaded the cache.log files.
<br>
<br>
The files have expired again. I have reviewed the diff you shared,
but cannot make further progress without those test logs.
Hopefully, your next list post reaches me.
<br>
<br>
Alex.
<br>
<br>
<br>
<blockquote type="cite">On 01/04/2024 11:53, Andre Bolinhas wrote:
<br>
<blockquote type="cite">
<br>
Hi Alex
<br>
<br>
Thanks for your help on the matter.
<br>
<br>
<br>
<blockquote type="cite">The logs archive you shared previously
has expired, so I cannot double check, but from what I
remember, the shared logs did not support the above
assertion, so there may be more to the story here. However,
to make progress, let's assume that v5 configuration files
are identical to v6 configuration files. </blockquote>
If you want, I can run the same test with in a different debug
parameters, just tell which ones.
<br>
<br>
I have re-uploaded the cache.log files.
<br>
<a class="moz-txt-link-freetext" href="https://we.tl/t-AB4XuUwuf7">https://we.tl/t-AB4XuUwuf7</a>
<br>
<br>
<blockquote type="cite">One way to answer all of the above
questions is to look at the following output:
<br>
<br>
squid -k parse ... |& grep Processing:.http_access </blockquote>
There is no diff between both squid version, you can check it
here
<br>
DiffNow - Compare Files, URLs, and Clipboard Contents Online
<a class="moz-txt-link-rfc2396E" href="https://www.diffnow.com/report/jsrva"><https://www.diffnow.com/report/jsrva></a>
<br>
<br>
<blockquote type="cite">The logs archive you shared previously
has expired, so I cannot double check, but from what I
remember, the shared logs did not support the above
assertion, so there may be more to the story here. However,
to make progress, let's assume that v5 configuration files
are identical to v6 configuration files.
<br>
</blockquote>
The configuration files / folder are the same, the server is
the same, the only thing that changes is the Squid version
<br>
<br>
On 29/03/2024 17:40, Alex Rousskov wrote:
<br>
<blockquote type="cite">On 2024-03-25 15:13, Bolinhas André
wrote:
<br>
<br>
<blockquote type="cite">Yes, the configuration is the same
for both versions.
<br>
</blockquote>
<br>
The logs archive you shared previously has expired, so I
cannot double check, but from what I remember, the shared
logs did not support the above assertion, so there may be
more to the story here. However, to make progress, let's
assume that v5 configuration files are identical to v6
configuration files.
<br>
<br>
1. Is there an "http_access allow all AnnotateFinalAllow"
rule?
<br>
<br>
2. Is there an "http_access deny HTTP Group38
AnnotateRule28" rule?
<br>
<br>
3. Assuming the answers are "yes" and "yes", which rule
comes first? If you use include files, this question applies
to the imaginary preprocessed squid.conf file with all the
include files inlined (recursively if needed). That kind of
preprocessed configuration is what Squid effectively sees
when compiling http_access rules, one by one. Which of the
two rules will Squid see first?
<br>
<br>
One way to answer all of the above questions is to look at
the following output:
<br>
<br>
squid -k parse ... |& grep Processing:.http_access
<br>
<br>
Replace "..." with your regular squid startup command line
options and adjust standard error redirection (|&) as
needed for your shell. Run the above command for both Squid
v5 and v6 binaries. You should see output like this:
<br>
<br>
<br>
<blockquote type="cite">2024/03/29 13:31:05| Processing:
http_access allow manager
<br>
2024/03/29 13:31:05| Processing: http_access deny all
<br>
</blockquote>
<br>
<br>
HTH,
<br>
<br>
Alex.
<br>
<br>
<br>
<blockquote type="cite">------------------------------------------------------------------------
<br>
*De:* Alex Rousskov
<a class="moz-txt-link-rfc2396E" href="mailto:rousskov@measurement-factory.com"><rousskov@measurement-factory.com></a>
<br>
*Enviado:* segunda-feira, 25 de março de 2024 19:12
<br>
*Para:* <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<br>
*Assunto* Re: [squid-users] ACL / http_access rules stop
work using Squid 6+
<br>
<br>
<br>
<br>
On 2024-03-22 09:38, Andre Bolinhas wrote:
<br>
<br>
> In previous versions of squid, from 3 to 5.9, I use
this kind of deny
<br>
> rules and they work like charm
<br>
>
<br>
> acl AnnotateRule28 annotate_transaction
accessrule=Rule28
<br>
> http_access deny HTTP Group38 AnnotateRule28
<br>
>
<br>
> This allows me to deny objects without bump / show
the error page
<br>
> (deny_info)
<br>
>
<br>
> But using squid 6+ this rules stop to work and
everything is allowed.
<br>
>
<br>
> Example:
<br>
> Squid 5.9 (OK)
<br>
> <a class="moz-txt-link-freetext" href="https://ibb.co/YdKgL1Y">https://ibb.co/YdKgL1Y</a>
<br>
>
<br>
> Squid 6.8 (NOK)
<br>
> <a class="moz-txt-link-freetext" href="https://ibb.co/tbyY2GV">https://ibb.co/tbyY2GV</a>
<br>
>
<br>
> Sample of both cache.log in debug mode
<br>
>
<br>
> <a class="moz-txt-link-freetext" href="https://we.tl/t-T7Nz1rVbVu">https://we.tl/t-T7Nz1rVbVu</a>
<br>
<br>
<br>
In you v6 logs, most logged transactions are allowed
because a rule
<br>
similar to the one reconstructed below is matching:
<br>
<br>
http_access allow all AnnotateFinalAllow
<br>
<br>
<br>
There are similar cases in v5 logs as well, but most
denied v5
<br>
transactions match the following rule instead (i.e. the
one you shared
<br>
above):
<br>
<br>
http_access deny HTTP Group38 AnnotateRule28
<br>
<br>
<br>
In your Squid configuration, v6 allow rule is listed much
higher than v5
<br>
deny rule (#43 vs #149). I do not see any signs of Group38
or
<br>
AnnotateRule28 ACL evaluation in v6 logs, as if the rule
sets are
<br>
different for two different Squid instances. Are you using
the same set
<br>
of http_access rules for both Squid versions?
<br>
<br>
Alex.
<br>
<br>
_______________________________________________
<br>
squid-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
_______________________________________________
<br>
squid-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>
<br>
</blockquote>
<br>
_______________________________________________
<br>
squid-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>
<br>
</blockquote>
<br>
</blockquote>
</body>
<lt-container></lt-container>
</html>