[squid-users] 2.7.STABLE9 & Error with option deny_info from local requests

Mark Riede m.riede at babiel.com
Thu Dec 4 12:55:42 UTC 2014


That was the fix. I've removed the line 'http_access allow localhost'.
Thank you.

-----Original Message-----
From: Amos Jeffries [mailto:squid3 at treenet.co.nz]
Sent: Wednesday, 3 December 2014 16:39
To: Mark Riede; 'squid-users at lists.squid-cache.org'
Subject: Re: AW: [squid-users] 2.7.STABLE9 & Error with option deny_info from local requests


On 4/12/2014 3:49 a.m., Mark Riede wrote:
>>> 
>>> # Config http_access allow localhost
> 
>> The above rule permits all traffic from 127.0.0.1 to go through this 
>> proxy *no matter what*. From your description that would be all 
>> traffic arriving from nginx **AND** any traffic you direct at 
>> 127.0.0.1 IP from any other software.
> Thank you for your consideration. I will consider it.
> 
>> It is a very bad thing to do, particularly for a reverse-proxy.
>> Remove it and traffic from nginx (and your 127.0.0.1 tests) will 
>> start to obey the other rules. Not a complete fix, but required for 
>> Squid to work as you expect.
> 
>>> acl foo dstdomain "/file"
>>> acl foo_deny dstdom_regex "/ file _deny"
>>> http_access allow foo
> 
>> When testing this ACL with a raw-IP Squid will lookup reverse-DNS of 
>> the IP and compare the result with contents of /file. Meaning
>> 127.0.0.1 == "localhost" --> is "localhost" one of the peer hosted 
>> domain names? should not be.
> Which version was in use? Is it possible to override this behaviour?

Only after an upgrade to a current Squid-3 version for the DNS no-lookup feature.

You do not actually need the "http_access allow localhost" line at all though. All it seems to be doing is causing this problem.

If you were perhaps relying on it for access to the Squid cachemgr reports, then replace it with this:
  acl mgr url_regex -i ^cache_object://
  http_access allow localhost mgr


> I don't think it is the right location of the problem. Everything 
> works well except the option deny_info.

The "deny_info ... foo_deny" is just an instruction/directive on the "foo_deny" ACL about what will happen IF (and only IF) foo_deny is used in http_access to deny a request.

If either of the previous http_access allow lines is being acted on then it will not happen.

"allow localhost" will act on 127.0.0.1/localhost nginx requests in your config, causing foo_deny never to be enacted, and so the deny_info never happens. See?


Assuming Nginx is presenting Squid with correct Host headers then removing the "http_access allow localhost" is all you need to fix the deny_info problem.

After changing that you may still see some *other* errors with traffic from Nginx. For those you will need to investigate the Host header in those requests and decide what is the right thing to be done to fix that other problem.

HTH
Amos

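To make the rule-ordering point in Amos's reply concrete, here is an added example that is not part of the thread and not Squid's own code: a small Python model of first-match http_access evaluation, run over two constructed squid.conf fragments, one with "http_access allow localhost" ahead of the deny line and one where it is replaced by the cachemgr-only rule. The domain names, the regex, the ERR_BLOCKED page name and the sample requests are all assumptions made up for the illustration; the ACL types, the AND-of-ACLs-per-line and first-match semantics, and deny_info being tied to the ACL on the denying line follow the Squid behaviour described in the reply. The reverse-DNS lookup for raw-IP dstdomain matches is not modelled.

```python
"""Toy model of Squid's http_access evaluation (added example, not Squid code).

Modelled: first matching http_access line wins; all ACLs on one line must
match (AND); '!' negates an ACL; if no line matches, the opposite of the
last line's action applies; the deny_info page is taken from the ACL that
caused the denial (the last ACL on the matching deny line).
Not modelled: reverse-DNS of raw-IP destinations for dstdomain.
"""
import ipaddress
import re

# Constructed squid.conf fragment modelled on the thread. Domains, the regex
# and the ERR_BLOCKED page name are assumptions, not the poster's real files.
BROKEN_CONF = r"""
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl foo dstdomain .example.com
acl foo_deny dstdom_regex ^blocked\.example\.com$
deny_info ERR_BLOCKED foo_deny
http_access allow localhost
http_access deny foo_deny
http_access allow foo
http_access deny all
"""

# Same fragment with "allow localhost" replaced by the cachemgr-only rule.
FIXED_CONF = r"""
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl foo dstdomain .example.com
acl foo_deny dstdom_regex ^blocked\.example\.com$
acl mgr url_regex -i ^cache_object://
deny_info ERR_BLOCKED foo_deny
http_access allow localhost mgr
http_access deny foo_deny
http_access allow foo
http_access deny all
"""


def parse_conf(text):
    """Return (acls, http_access rules, deny_info map) from a config fragment."""
    acls, rules, deny_info = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            flags = [a for a in args if a.startswith("-")]
            values = [a for a in args if not a.startswith("-")]
            acls.setdefault(name, []).append((kind, flags, values))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
        elif parts[0] == "deny_info":
            deny_info[parts[2]] = parts[1]   # deny_info PAGE aclname
    return acls, rules, deny_info


def acl_matches(defs, req):
    """req has 'src' (client IP), 'host' (Host header) and 'url'."""
    for kind, flags, values in defs:
        if kind == "src":
            ip = ipaddress.ip_address(req["src"])
            if any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif kind == "dstdomain":
            host = req["host"].lower()
            for v in (x.lower() for x in values):
                if v.startswith(".") and (host == v[1:] or host.endswith(v)):
                    return True
                if not v.startswith(".") and host == v:
                    return True
        elif kind in ("dstdom_regex", "url_regex"):
            subject = req["host"] if kind == "dstdom_regex" else req["url"]
            re_flags = re.I if "-i" in flags else 0
            if any(re.search(v, subject, re_flags) for v in values):
                return True
    return False


def http_access(conf, req):
    """Return (action, deciding ACL name or None, deny_info page or None)."""
    acls, rules, deny_info = conf
    for action, names in rules:
        ok = True
        for name in names:
            negated = name.startswith("!")
            if acl_matches(acls[name.lstrip("!")], req) == negated:
                ok = False
                break
        if ok:
            last = names[-1].lstrip("!")
            page = deny_info.get(last) if action == "deny" else None
            return action, last, page
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None, None


def decide(conf_text, req):
    return http_access(parse_conf(conf_text), req)


# Constructed requests: nginx on 127.0.0.1 forwarding to a blocked and an
# allowed site, some other local process using the proxy, and cachemgr.
NGINX_BLOCKED = {"src": "127.0.0.1", "host": "blocked.example.com", "url": "http://blocked.example.com/"}
NGINX_OK = {"src": "127.0.0.1", "host": "www.example.com", "url": "http://www.example.com/"}
LOCAL_OTHER = {"src": "127.0.0.1", "host": "evil.example.org", "url": "http://evil.example.org/"}
CACHEMGR = {"src": "127.0.0.1", "host": "localhost", "url": "cache_object://localhost/info"}

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for name, req in (("nginx->blocked", NGINX_BLOCKED), ("nginx->ok", NGINX_OK),
                          ("local->other", LOCAL_OTHER), ("cachemgr", CACHEMGR)):
            print(label, name, decide(conf, req))
```

With the broken order the first line matches every request from 127.0.0.1, so foo_deny is never consulted and no deny_info page is selected; it also lets any local process reach arbitrary destinations through the proxy, which is the "no matter what" problem in the reply. With the cachemgr-only rule in its place, nginx traffic falls through to the deny/allow lines, the blocked host gets ERR_BLOCKED, and cache_object:// requests from localhost still pass.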