RE: [squid-users] How to deny unmatched/unspecified domains in squid 2.6 under reverse proxy mode?

From: Henrik Nordstrom <[email protected]>
Date: Wed, 18 Oct 2006 11:07:32 +0200

On Tue 2006-10-17 at 23:18 -0400, Nguyen, Khanh, INFOT wrote:

> I took a trace into the code to see why I did not get an error page,
> the problem appears to be the leftover parent that does not have
> domain association, 192.168.2.2. The logic in the code returns a match
> for peer that does not have domain association (in peerAllowedToUse
> function of neighbors.c). And that is how the parent selection results
> in a match.

Yes, as I said all peers are by default candidates for use unless limited
by cache_peer_access/domain. So if you have a peer without any
restrictions then it's a candidate for any request, including those
where you have other peers with defined restrictions.

> I could enforce the squid.conf to remove parents that are not in-use,
> or change the logic of peer selection to always return no match for
> domain that does not parent (initializing the do_ping to zero instead
> of zero). Perhaps there is a reason for the current logic or it is
> simply an undesired side-effect of something else?

Changing the code is easy. Just remove the following two lines from
peerAllowedToUse

    if (p->peer_domain == NULL && p->access == NULL)
        return do_ping;

or change the initialization of do_ping to 0 as you have already found.

But having this by default isn't in line with the general reasoning of
the directives so it won't be made in the standard distribution.

Regards
Henrik

Received on Wed Oct 18 2006 - 03:07:44 MDT
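
The default-candidate behaviour discussed in this message, as an added example that is not part of the original e-mail and is not Squid's code: a simplified model of parent selection showing how a leftover peer with no restriction picks up requests for unlisted domains, and how either an explicit deny on that peer or a default of 0 closes the gap. The struct, the function names, the `default_allow` parameter and the sample host names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of one cache_peer entry (hypothetical struct, not Squid's). */
struct model_peer {
    const char *name;
    const char *const *domains; /* cache_peer_domain list, NULL-terminated; NULL = none */
    int deny_all;               /* 1 models "cache_peer_access <name> deny all" */
};

/* Exact match, or suffix match when the configured domain starts with '.'.
 * Case-sensitive for brevity. */
static int domain_matches(const char *host, const char *dom)
{
    size_t hl = strlen(host), dl = strlen(dom);
    if (dom[0] == '.')
        return hl >= dl && strcmp(host + hl - dl, dom) == 0;
    return strcmp(host, dom) == 0;
}

/* default_allow = 1: stock behaviour from the thread; 0: do_ping initialized to 0. */
static int peer_allowed(const struct model_peer *p, const char *host, int default_allow)
{
    if (p->deny_all)
        return 0;
    if (p->domains == NULL)
        return default_allow;           /* peer has no restriction at all */
    for (size_t i = 0; p->domains[i] != NULL; i++)
        if (domain_matches(host, p->domains[i]))
            return 1;
    return 0;
}

/* Index of the first usable parent, or -1 when no parent may be used. */
static int select_parent(const struct model_peer *peers, size_t n,
                         const char *host, int default_allow)
{
    for (size_t i = 0; i < n; i++)
        if (peer_allowed(&peers[i], host, default_allow))
            return (int)i;
    return -1;
}

/* Constructed sample peers: one restricted site plus the leftover parent. */
static const char *const site_a_domains[] = { "www.example.com", NULL };
static const struct model_peer leftover_open[] = {
    { "site-a", site_a_domains, 0 }, { "192.168.2.2", NULL, 0 } };
static const struct model_peer leftover_denied[] = {
    { "site-a", site_a_domains, 0 }, { "192.168.2.2", NULL, 1 } };
```

In this model a request for an unlisted host is handed to 192.168.2.2 under the default, and is refused a parent once that peer carries an explicit deny, which is the configuration-side alternative to patching the source.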
