Re: confused about always_direct

From: as web server manager <[email protected]>
Date: Mon, 22 Feb 1999 21:54:11 +0000 (GMT)

Duane Wessels wrote:
>
> Steve Reddel writes:
>
> >i am trying to configure squid 2.2pre2 (and all previous versions of squid
> >2) to operate as i had squid 1.1 working with no success...
> >what i am trying to achieve is going to a parent cache for all requests
> >except 2 certain c-class addresses which should go directly.
> >
> >the lines i have in my configuration that apply here are as follows:
> >
> >---start----
> >cache_peer proxy.intercoast.com.au parent 8080 3130
> >
> >acl steve src 203.32.99.0/255.255.255.0
> >acl intercoast src 203.22.112.0/255.255.255.0
> >always_direct allow steve intercoast
> >---end---
>
> It's a common mistake. ACL names after the "allow" are AND'ed together.
> So, "steve AND intercoast" will never be true. Instead you want
>
> always_direct allow steve
> always_direct allow intercoast

I recently encountered what seemed to be either an odd variant of this
problem, or maybe a bug in Squid 2.1.PATCH2.

To match what I had with 1.NOVM.22, I had

acl local-domain dstdomain cam.ac.uk ac.uk ja.net
always_direct allow local-domain

i.e. three domains listed in the ACL definition, but only the single ACL named
on the always_direct line. The comment in the default squid.conf (the only
documentation for the ACL syntax?) says

# acl aclname dstdomain foo.com ... # Destination server from URL

implying that multiple domains can be specified (and on some other types of
ACL it certainly works), but I discovered (as a result of someone hitting
problems with an access-controlled site within ac.uk but not cam.ac.uk) that
it was not working - requests were being routed via our parent caches (which
weren't allowed access to the resource) and to get it working as intended I
had to split the ACL into three separate definitions, with three
corresponding always_direct lines.

Turning on debugging output showed that only the first listed domain was
being compared with target URLs, e.g.

1999/02/18 13:37:15| aclMatchAcl: checking 'acl local-domain dstdomain cam.ac.uk ac.uk ja.net'
1999/02/18 13:37:15| aclMatchDomainList: checking 'www.lib.cam.ac.uk'
1999/02/18 13:37:15| aclMatchDomainList: 'www.lib.cam.ac.uk' found

but

1999/02/18 13:37:21| aclMatchAcl: checking 'acl local-domain dstdomain cam.ac.uk ac.uk ja.net'
1999/02/18 13:37:21| aclMatchDomainList: checking 'www.jstor.ac.uk'
1999/02/18 13:37:21| aclMatchDomainList: 'www.jstor.ac.uk' NOT found

[It's a separate issue that the browser ideally shouldn't have been using
our cache for the ac.uk domain anyway... but the cache should have handled
it. Also historical accident that both cam.ac.uk and ac.uk were specified.]

So, is it:

(a) a Squid bug in handling a perfectly valid ACL that should have worked, or

(b) an invalid ACL (not rejected by Squid when loaded, though) and an error
    in squid.conf.default comment that implies it's valid syntax (and if so,
    are any of the other comments similarly misleading?), or

(c) something else, including "user error" on my part?

                                John Line

-- 
University of Cambridge WWW manager account (usually John Line)
Send general WWW-related enquiries to webmaster@ucs.cam.ac.uk
Received on Mon Feb 22 1999 - 14:42:40 MST
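
The AND/OR rule from Duane Wessels' reply, as an added Python model that is not part of the original message and is not Squid's code: every ACL named on one always_direct line must match, and separate lines are tried in order. It covers only src ACLs without negation, the function names are hypothetical, and the two configurations are the ones quoted in the thread.

```python
import ipaddress
from itertools import combinations

# The two configurations quoted in the thread (cache_peer line omitted).
BROKEN = """\
acl steve src 203.32.99.0/255.255.255.0
acl intercoast src 203.22.112.0/255.255.255.0
always_direct allow steve intercoast
"""
FIXED = """\
acl steve src 203.32.99.0/255.255.255.0
acl intercoast src 203.22.112.0/255.255.255.0
always_direct allow steve
always_direct allow intercoast
"""

def parse(conf):
    """Return ({acl name: [networks]}, [(action, [acl names])])."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(v) for v in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "always_direct":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(acls, name, ip):
    # Values listed inside one ACL are alternatives (OR).
    return any(ip in net for net in acls.get(name, []))

def goes_direct(conf, client_ip):
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        # Every ACL named on the line must match (AND); first matching line wins.
        if all(matches(acls, n, ip) for n in names):
            return action == "allow"
    return False  # no line matched: the request is not forced direct

def dead_rules(conf):
    """always_direct lines that AND two src ACLs with no address in common."""
    acls, rules = parse(conf)
    def disjoint(a, b):
        return not any(x.overlaps(y) for x in acls.get(a, []) for y in acls.get(b, []))
    return [" ".join(["always_direct", action, *names]) for action, names in rules
            if any(disjoint(a, b) for a, b in combinations(names, 2))]
```

Running dead_rules over a configuration before loading it flags lines such as the single-line form in the original question, which parses without error but can never match a client.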
