[squid-users] ACL matches when it shouldn't
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 1 03:00:36 UTC 2020
Ah. Think I found it.
Line 9600 in the earlier file contains a URL with un-escaped "||"
sequence. Pipe is a reserved character in regex so needs \-escaping like
'?' '*' '.', '$', '^, '[', ']', '(', ')', '$' and '\' in the original URL.
See the note below though for long-term fix ...
On 30/09/20 11:03 am, Vieri wrote:
>> None of the file entries are anchored regex. So any one of them could match.
>
>>> Can anyone please let me know if there's a match, or how to enable debugging to see which record in this ACL is actually triggering the denial?
>>
>> To do that we will need to see the complete and exact URL which is being blocked incorrectly.
>
> One of them is https://www.google.com/.
>
>> NP: a large number of that files entries can be far more efficiently blocked using the dstdomain ACL type. For example:
>>
>> Â acl blacklist dstdomain .appspot.com
>
> Agreed. However, this file is generated by an external process I don't control (SOC). It's like a "threat feed" I need to load in Squid.
> The easiest way for me would be to tell Squid that it's just a list of exact URLs, not a list of regexps. I understand that's not possible.
>
Not with the built-in ACLs, but an external ACL helper can do any checks
you want it to. I think that would probably be best to use here.
Amos
More information about the squid-users
mailing list