[squid-users] ACL / http_access rules stop work using Squid 6+
Andre Bolinhas
andre.bolinhas at articatech.com
Mon Apr 1 10:53:54 UTC 2024
Hi Alex
Thanks for your help on the matter.
> The logs archive you shared previously has expired, so I cannot double
> check, but from what I remember, the shared logs did not support the
> above assertion, so there may be more to the story here. However, to
> make progress, let's assume that v5 configuration files are identical
> to v6 configuration files.
If you want, I can run the same test with different debug
parameters; just tell me which ones.
I have re-uploaded the cache.log files.
https://we.tl/t-AB4XuUwuf7
> One way to answer all of the above questions is to look at the
> following output:
>
> squid -k parse ... |& grep Processing:.http_access
There is no diff between both Squid versions; you can check it here:
DiffNow - Compare Files, URLs, and Clipboard Contents Online
<https://www.diffnow.com/report/jsrva>
> The logs archive you shared previously has expired, so I cannot double
> check, but from what I remember, the shared logs did not support the
> above assertion, so there may be more to the story here. However, to
> make progress, let's assume that v5 configuration files are identical
> to v6 configuration files.
The configuration files/folder are the same, the server is the same;
the only thing that changes is the Squid version.
On 29/03/2024 17:40, Alex Rousskov wrote:
> On 2024-03-25 15:13, Bolinhas André wrote:
>
>> Yes, the configuration is the same for both versions.
>
> The logs archive you shared previously has expired, so I cannot double
> check, but from what I remember, the shared logs did not support the
> above assertion, so there may be more to the story here. However, to
> make progress, let's assume that v5 configuration files are identical
> to v6 configuration files.
>
> 1. Is there an "http_access allow all AnnotateFinalAllow" rule?
>
> 2. Is there an "http_access deny HTTP Group38 AnnotateRule28" rule?
>
> 3. Assuming the answers are "yes" and "yes", which rule comes first?
> If you use include files, this question applies to the imaginary
> preprocessed squid.conf file with all the include files inlined
> (recursively if needed). That kind of preprocessed configuration is
> what Squid effectively sees when compiling http_access rules, one by
> one. Which of the two rules will Squid see first?
>
> One way to answer all of the above questions is to look at the
> following output:
>
> squid -k parse ... |& grep Processing:.http_access
>
> Replace "..." with your regular squid startup command line options and
> adjust standard error redirection (|&) as needed for your shell. Run
> the above command for both Squid v5 and v6 binaries. You should see
> output like this:
>
>
>> 2024/03/29 13:31:05| Processing: http_access allow manager
>> 2024/03/29 13:31:05| Processing: http_access deny all
>
>
> HTH,
>
> Alex.
>
>
>> ------------------------------------------------------------------------
>> *From:* Alex Rousskov <rousskov at measurement-factory.com>
>> *Sent:* Monday, 25 March 2024 19:12
>> *To:* squid-users at lists.squid-cache.org
>> *Subject:* Re: [squid-users] ACL / http_access rules stop work using
>> Squid 6+
>>
>>
>>
>> On 2024-03-22 09:38, Andre Bolinhas wrote:
>>
>> > In previous versions of Squid, from 3 to 5.9, I use this kind of deny
>> > rule and they work like a charm
>> >
>> > acl AnnotateRule28 annotate_transaction accessrule=Rule28
>> > http_access deny HTTP Group38 AnnotateRule28
>> >
>> > This allows me to deny objects without bump / show the error page
>> > (deny_info)
>> >
>> > But using Squid 6+ these rules stop working and everything is allowed.
>> >
>> > Example:
>> > Squid 5.9 (OK)
>> > https://ibb.co/YdKgL1Y
>> >
>> > Squid 6.8 (NOK)
>> > https://ibb.co/tbyY2GV
>> >
>> > Sample of both cache.log in debug mode
>> >
>> > https://we.tl/t-T7Nz1rVbVu
>>
>>
>> In your v6 logs, most logged transactions are allowed because a rule
>> similar to the one reconstructed below is matching:
>>
>> http_access allow all AnnotateFinalAllow
>>
>>
>> There are similar cases in v5 logs as well, but most denied v5
>> transactions match the following rule instead (i.e. the one you shared
>> above):
>>
>> http_access deny HTTP Group38 AnnotateRule28
>>
>>
>> In your Squid configuration, the v6 allow rule is listed much higher than the v5
>> deny rule (#43 vs #149). I do not see any signs of Group38 or
>> AnnotateRule28 ACL evaluation in v6 logs, as if the rule sets are
>> different for two different Squid instances. Are you using the same set
>> of http_access rules for both Squid versions?
>>
>> Alex.
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
>>
>
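Alex's point about the preprocessed configuration can be checked without starting Squid. The script below is an added example, not part of this thread or of Squid itself: it inlines `include` files recursively, lists the http_access rules in the order Squid would process them, and flags every rule listed after the first rule whose ACLs always match (`all`, plus annotate_transaction ACLs, which Squid documents as always matching). The sample configuration it builds is constructed to mirror the rules in this thread; the Group38 and AnnotateFinalAllow definitions are assumptions.

```python
"""Flatten squid.conf (inlining 'include' files recursively, as Squid does before
compiling http_access rules) and flag rules shadowed by an always-matching rule."""
import glob
import os
import tempfile
# Squid documents annotate_transaction ACLs as always matching; 'all' matches too.
ALWAYS_MATCH_TYPES = {"annotate_transaction"}

def flatten(path, depth=0):
    """Return (file, lineno, line) tuples with include directives expanded in place."""
    if depth > 16:
        raise RecursionError("include nesting too deep: " + path)
    out = []
    with open(path) as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
            if not line:
                continue
            if line.split()[0] == "include":          # Squid accepts glob patterns here
                for pattern in line.split()[1:]:
                    for inc in sorted(glob.glob(pattern)):
                        out.extend(flatten(inc, depth + 1))
            else:
                out.append((path, n, line))
    return out

def shadowed_rules(flat):
    """Return (first always-matching http_access rule, the rules listed after it)."""
    types = {p[1]: p[2] for p in (l.split() for _, _, l in flat) if p[0] == "acl" and len(p) > 2}
    rules = [t for t in flat if t[2].startswith("http_access ")]   # Squid's processing order
    for i, rule in enumerate(rules):
        acls = rule[2].split()[2:]                    # negated ACLs (!x) never qualify
        if acls and all(a == "all" or types.get(a) in ALWAYS_MATCH_TYPES for a in acls):
            return rule, rules[i + 1:]
    return None, []

def build_sample():
    """Constructed squid.conf plus an include file, mirroring the thread's rules."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "rules.conf"), "w") as fh:
        fh.write("acl AnnotateRule28 annotate_transaction accessrule=Rule28\n"
                 "acl Group38 src 10.0.0.0/8\n"       # constructed group definition
                 "http_access deny HTTP Group38 AnnotateRule28\n")
    with open(os.path.join(d, "squid.conf"), "w") as fh:
        fh.write("acl AnnotateFinalAllow annotate_transaction accessrule=final\n"
                 "acl HTTP proto HTTP\n"
                 "http_access allow all AnnotateFinalAllow\n"
                 "include %s/rules.conf\n"
                 "http_access deny all\n" % d)
    return os.path.join(d, "squid.conf")
```

Calling `shadowed_rules(flatten(path))` on a real squid.conf reports the deny rule from the include file as unreachable, which is the same conclusion `squid -k parse ... |& grep Processing:.http_access` lets you draw by eye.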