[squid-users] squid 3.4, dstdomain
Amos Jeffries
squid3 at treenet.co.nz
Thu Dec 10 10:34:52 UTC 2015
On 10/12/2015 11:02 p.m., Massimo.Sala wrote:
> 2015/12/10 10:33:49| ERROR: '.addons.mozilla.org' is a subdomain of
> 'addons.mozilla.org'
>
>
> I thought
> addons.mozilla.org blocks only this hostname
ACLs do not block anything. Access Controls do.
This value tells Squid that addons.mozilla.org is an exact-match. Any
sub-domain is to be a non-match.
>
> .addons.mozilla.org blocks all the sub-domains, like
> www.addons.mozilla.org etc.addons.mozilla.org
This one tells Squid that "addons.mozilla.org" and *all* sub-domains are
to match true.
>
> Which are the parsing rules of squid 3.4 ?
Each entry in the dstdomain ACL must be a unique and distinct match. The
two ranges of possible domain names above overlap.
Squid uses splay trees internally. So when there are two overlapping
entries, which one will be found and tested against will change randomly
based on how other things affect the splay. Which will cause random
rejections for the *.addons.mozilla.org sub-domains.
Thus having both is a problem. Which way around you place them in the
list of ACL values determines whether Squid can drop one (and just warn)
or not (the error).
Amos
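
The matching rules and the overlap problem described in the reply above, as an added Python example that is not part of the original message and not Squid's own code. The function names and the sample ACL values are assumptions made for illustration; the sketch models only the exact-match versus leading-dot semantics stated in the reply, not Squid's splay-tree comparison.

```python
def normalize(entry):
    """Split a dstdomain value into (wildcard, lowercase name without leading dot)."""
    entry = entry.strip().lower()
    return entry.startswith("."), entry.lstrip(".")

def matches(entry, host):
    """'example.org' is an exact match only; '.example.org' matches the
    domain itself and all of its sub-domains (semantics from the reply)."""
    wildcard, name = normalize(entry)
    host = host.strip().lower().rstrip(".")
    if host == name:
        return True
    return wildcard and host.endswith("." + name)

def covers(a, b):
    """True when every host matched by entry b is also matched by entry a."""
    a_wild, a_name = normalize(a)
    b_wild, b_name = normalize(b)
    if a_name == b_name:
        return a_wild or not b_wild
    return a_wild and b_name.endswith("." + a_name)

def find_overlaps(entries):
    """Return (wider, narrower) pairs of entries whose match ranges overlap.
    Two dstdomain ranges overlap only when one of them covers the other."""
    overlaps = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if covers(a, b):
                overlaps.append((a, b))
            elif covers(b, a):
                overlaps.append((b, a))
    return overlaps

# Constructed sample ACL values (hypothetical list, not from the original post).
SAMPLE_ACL = ["addons.mozilla.org", ".addons.mozilla.org",
              ".example.com", "www.example.net"]

if __name__ == "__main__":
    for wider, narrower in find_overlaps(SAMPLE_ACL):
        print(f"overlap: '{narrower}' is already covered by '{wider}'")
```

Running such a check over a dstdomain list before reloading Squid shows which entry to delete; in the case from this thread, keeping only `.addons.mozilla.org` covers both the domain and its sub-domains.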