[squid-users] ACL matches when it shouldn't

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 29 14:08:38 UTC 2020


On 30/09/20 2:27 am, Vieri wrote:
> Hi,
> 
> I have a url_regex ACL loaded with this file:
> 
> https://drive.google.com/file/d/1C5aZqPfMD3qlVP8zvm67c9ZnXUfz-cEW/view?usp=sharing
> 
> Then I have an access denial like so:
> 
> http_access deny bad_dst_urls
> 
> Problem is that I am not expecting to block, eg. https://www.google.com, but I am.
> I know it's this ACL because if I remove the htttp_access deny line above, the browser can access  just fine.
> 
> I've been  looking around this file for possible matches  for google.com, but there shouldn't be.

None of the file entries are anchored regex. So any one of them could match.


> 
> Can anyone please let me know if there's a match, or how to enable debugging  to see which record in this ACL is actually triggering the denial?

To do that we will need to see the complete and exact URL which is being
blocked incorrectly.


NP: a large number of that files entries can be far more efficiently
blocked using the dstdomain ACL type. For example:

  acl blacklist dstdomain .appspot.com


Amos


More information about the squid-users mailing list