[squid-users] adaptation_access not working with squid acl's
Amos Jeffries
squid3 at treenet.co.nz
Sat Jul 16 12:20:38 UTC 2016
On 16/07/2016 2:38 a.m., Stephen Stark wrote:
> Hello,
>
> I think I figured out what the problem is but I'd appreciate if someone
> could check my reasoning.
>
> My ACL is type localport, so I'm targeting the original request to Squid
> based on the Squid port the client is connecting to:
>
> acl test localport 4000
>
> Then I enable adaptation_access based on the ACL test:
>
> adaptation_access service_avi_req allow test
> adaptation_access service_avi_resp allow test
>
> So here is where I think the problem is. The client is connecting to Squid
> on port 4000, so the initial request is put in the ACL "test", however for
> some reason this ACL is not being hit when adaptation_access is being used.
Correct. Something named "Test" with an upper-case 'T' is being checked.
> I'm wondering if the reason is
> because localport is no longer the port the client connected to Squid on,
> but rather the port Squid is using to connect to the ICAP server?
>
> I've verified with full debugging that the test ACL is not matched in the
> adaptation checks:
>
> (initial request)
>
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking '64.182.224.149'
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: '64.182.224.149' NOT found
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: nobumpSites = 0
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
Notice how the above are ssl_bump rules.
http_access and adaptation_access checking for the initial request
happen long before ssl_bump is reached.
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=ALLOWED
>
> (And now I'm guessing this is adaptation checking ACL's)
>
No need to guess. Squid logs the type of *_access that is being checked.
See above for how I determined those were ssl_bump rules.
...
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
> 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
... so these are http_access being checked.
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf40bb8 answer=ALLOWED
... the request is ALLOWED (to use the proxy) by http_access.
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
... this is adaptation_access.
> 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
So, er, a line "adaptation_access ... deny all" is being checked.
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
> 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=DENIED
adaptation_access rules DENIED adaptation being used on this request.
Port(s) were never considered. Only IP address to match the "all" ACL.
What is the full set of adaptation_access lines in your config?
It seems there are more or different entries from the ones you mentioned
already.
>
> What I don't get however is in this above log entry snapshot, the client
> source port (192.168.100.6) is shown, so I'd assume the localport would
> match.
Is the traffic explicit/forward-proxy, reverse-proxy, intercepted or
tproxy ?
TCP port numbers are different in value and/or meaning for each of the
above. It's things like that which are why the "myportname" ACL is
preferred over any checking of the port values.
Use the name= option on any *_port line to name it explicitly; otherwise its
name will be the textual representation of whatever exists in the host:port /
IP:port field of the line.
>
> This works if I change the ACL type to src IP address rather than
> localport, however the whole point of this is because I have another
> facility that is categorizing users by group and distributing them to Squid
> on specific destination ports. So I really need this to work based on
> localport.
>
> Any thoughts?
>
Please try 'myportname' ACL.
Amos
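As an added example (not part of the thread and not taken from the Squid project's documentation), here is a squid.conf fragment that applies the suggestion above: each listening port gets an explicit name, and adaptation is selected on that name via myportname rather than on the port number. The port numbers, ACL and service names, and the ICAP URL are assumed for illustration; the service names match the ones quoted in the thread.

```conf
# Added example configuration, not from the original thread.

# Name each listening port explicitly. The name is what "myportname" matches,
# and it stays the same whether the traffic is explicit, intercepted or TPROXY,
# where the numeric TCP port values carry different meanings.
http_port 3128 name=staff
# The port the external grouping facility sends one user group to.
http_port 4000 name=guests

# ICAP services. URL and vectoring points are assumed for illustration.
icap_enable on
icap_service service_avi_req  reqmod_precache  icap://127.0.0.1:1344/avscan
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/avscan

# Match on the port name declared above instead of "acl test localport 4000".
acl guests myportname guests

# Allow rules first, then an explicit final deny. In the thread the "all"
# line was the rule that produced the DENIED answer, so its position relative
# to the allow lines is what decides whether adaptation is used.
adaptation_access service_avi_req  allow guests
adaptation_access service_avi_req  deny all
adaptation_access service_avi_resp allow guests
adaptation_access service_avi_resp deny all

# To confirm which rule list is being evaluated, raise the ACL debug section
# (28) and look for "checked: adaptation_access#N" lines in cache.log.
debug_options ALL,1 28,3
```

After reloading, the cache.log lines for a request arriving on port 4000 should show "checked: guests = 1" followed by "adaptation_access#1 = 1" and an ALLOWED answer; a request on port 3128 should fall through to the "all" rule and be DENIED adaptation, which is the intended outcome for that port.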