[squid-users] squidGuard: redirect to squid-internal URLs no longer working with 3.5?
Silamael
Silamael at coronamundi.de
Tue Mar 15 13:03:53 UTC 2016
On 03/15/2016 12:52 PM, Amos Jeffries wrote:
>> So, if i try this, i get a 404 response and the ERR_INVALID_REQ page.
>
> Okay. That is the correct behaviour for this situation.
> Squid does not normally load anything at the
> /squid-internal-static/error-access-denied path.
>
> A second bug / undefined behaviour that got fixed in 3.5 was incorrect
> HTTP status codes being delivered on cachemgr and internal responses. It
> now returns 404 Not Found when URL internal URL does not point at an
> object, not "access denied" - because access wasn't denied, the file was
> not found.
>
> The /squid-internal-static/* objects to be loaded are configured in the
> squid /etc/squid/mime.conf configuration file. (though some OS distros
> move it out of /etc/squid for some reason).
>
> However, that would just make the response a 200 OK with the internal
> object as the payload. If you want to retain 403 you need to block the
> re-written URL from being serviced by Squid:
>
> acl SG_deny urlpath_regex ^/squid-internal-static/error-access-denied$
> adapted_http_access deny SG_deny
>
> (If that dont work you can use miss_access instead)
>
>
>> With debugging I can see that there is a request like
>> GET ://127.0.0.1:3128/squid-internal-static/error-access-denied
>> This is indeed an invalid request...
>
> Nod. Though the internal ID being used is correct, so its only the
> output display and upstream messages which are broken. I'm looking into
> that now, but the fix wont change anything relating to your actual
> problem. You will still need to use the above config settings to trigger
> a 403.
>
>
>> If I use http:// instead of internal:// the whole request is forwarded
>> to the upstream cache peer and again replied with ERR_INVALID_REQ...
>> With
>> internal://$visible_hostname:3128/squid-internal-static/error-access-denied
>> the response is a 400 Bad Request with ERR_UNSUP_REQ.
>> According to debugging here again the internal schema is not passed
>> along when building the GET request.
>>
>> BTW, the old URL I used worked for years!
>
> The problem with relying on undefined behaviour is that it can work for
> a long time then disappear without warning.
>
> What I think was going on previously was the parser handling the
> URL-rewriter output accepted the URL with 'squid-internal-static' as
> hostname. When Squid got to the upstream forwarding stage the check for
> internal status did a sub-string check and (wrongly) found
> "/squid-internal-". So decided to handle it as internal. But the
> internal-server logics could not find any object and (wrongly) generated
> a 403 error page.
>
> So a chain of at least 2 bugs being relied on to produce a 403 Access
> Denied, when it should not have. We have now fixed those bugs, so what
> you had relying on them goes splat.
>
> Amos
>
Hi Amos,
Many thanks for these clarifications.
Greetings,
Matthias
More information about the squid-users
mailing list