Re: [squid-users] external ACL check sporadically failing

From: Henrik Nordstrom <[email protected]>
Date: Wed, 16 Apr 2003 22:34:46 +0200

You did not include exacly what I requested in your cache.log, but by
chance you included just enough to show what is going on:

2003/04/16 08:20:48| aclMatchAcl: checking 'acl elnkips external
elnk_external'
2003/04/16 08:20:48| aclMatchExternal: elnk_external("166.140.23.235")
= lookup needed
[...]
2003/04/16 08:20:48| The reply for GET http://www.beazzs.com/ is
DENIED, because it matched 'all'
[note: "The REPLY for ..."]

This tells me your probelm is that you are using external acl lookups
in http_reply_access... Using external acl lookups or any other acl
types which may require a external lookup of some kind (i.e. DNS or
ident) is not reliable in Squid-2.5 as http_reply_access cannot wait
for the lookup to complete.

Change http_reply_access to the default

 http_reply_access allow all

and things should work significantly better in your case.
http_reply_access is mainly meant to be used with the rep_mime_type
acl.

This shortcoming of http_reply_access will be addressed in Squid-3. At
this time there is no plans on addressing this shortcoming of the
http_reply_access directive in Squid-2.5 as it only affects very few
installations (in your case the http_reply_access directive is not
even needed) and in most cases an acceptable level can be found
anyway by configuring to have false positives rather than false
negatives if the use of such acl types in http_reply_access is
required.

Regards
Henrik

On Wednesday 16 April 2003 17.43, Alex Tsalolikhin wrote:
> Dear Sir,
>
> Thanks! Attached is a bzip2 compressed tar ball containing
> the cache.log. Also access.log for this request, squid.conf
> (containing the ACL definitions) and the external ACL checkers.
>
> The "acl elnkips external elnk_external" is the external_acl
> that seems to occasional return negative without actually querying
> the ACL helper app.
>
> Please let me know if there is any other data I can provide.
>
> Best regards,
> -at
>
> On Wed, Apr 16, 2003 at 05:05:12PM +0200, Henrik Nordstrom wrote:
> > Please send me a full (but compressed) cache.log debug output
> > showing the whole request, from accepting the request down to
> > sending the denial error message and I will try to look closer
> > into what the problem may be.
> >
> > Regards
> > Henrik
> >
> > tis 2003-04-15 klockan 19.52 skrev Alex Tsalolikhin:
> > > Hi,
> > >
> > > I've installed the two external_acl patches for 2.5STABLE2;
> > > still getting false negatives:
> > >
> > > Tue Apr 15 10:37:15 2003 223 0.0.0.1 TCP_DENIED/403 1461 GET
> > > ...
> > >
> > > 2003/04/15 10:37:15| aclMatchIp: '0.0.0.1' found
> > > 2003/04/15 10:37:15| aclMatchAclList: returning 1
> > > 2003/04/15 10:37:15| aclCheckFast: list: 1c12f0
> > > 2003/04/15 10:37:15| aclMatchAclList: checking our_ips
> > > 2003/04/15 10:37:15| aclMatchAcl: checking 'acl our_ips
> > > external our_external' 2003/04/15 10:37:15| aclMatchExternal:
> > > elnk_external("0.0.0.1") = lookup needed 2003/04/15 10:37:15|
> > > aclMatchAclList: returning 0
> > >
> > > No reply=OK or reply=ERR logged. The IP does _not_ appear in
> > > the ACL checker log, so looks like ACL checker was not queried.
> > >
> > > Truly,
> > > Alex
> >
> > --
> > Free Squid-users support provided by Henrik Nordstr�m
> > <hno@squid-cache.org> Donations welcome if you consider my Free
> > Squid support helpful.
> > https://www.paypal.com/xclick/business=hno%40squid-cache.org
> >
> > If you need commercial Squid support or cost effective Squid and
> > firewall appliances please refer to MARA Systems AB, Sweden
> > http://www.marasystems.com/, [email protected]
Received on Wed Apr 16 2003 - 14:34:27 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:15:01 MST