[squid-users] R: [squid-users] R: Re: [squid-users] Squid: What is wrong in myacl????

From: Reale Marco <[email protected]>
Date: Thu, 16 Nov 2006 16:59:05 +0100

Hi Henrik

I solved my problem....it was related to the following acl:
acl bad_word_content_type url_regex -i sesso culo culi tette nudo nuda seno seni pene cazzo cazzi teen figa streaming tvgratis

However...In order to solve this problem I was forced to disable acl per acl because increasing debug_option didn't help me; thus I would like to ask you a tips related to the log handling (I think also it could be useful for stupid people like me....)

I'll briefly try to explain:
1) visiting www.comune.milano.it the user/credential pop-up was shown to me
I tried to increase debug_option but it didn't help me because log was confused

------------------cache.log---------------
2006/11/16 15:20:32| The request GET http://www.comune.milano.it/webcity/portale/homepage.nsf/wAll/DSEV-6UYCMU/$file/expo_banner.jpg is ALLOWED, because it matched 'DomainUsers'
2006/11/16 15:20:32| The request GET http://www.comune.milano.it/webcity/portale/homepage.nsf/wAll/DSEV-6TTJV2/$file/banner_vialomellina2.gif is ALLOWED, because it matched 'DomainUsers'
2006/11/16 15:20:32| The request GET http://www.comune.milano.it/webcity/portale/homepage.nsf/wAll/DSEV-6VKNZM/$file/banner_dirittiinfanzia.gif is DENIED, because it matched 'autorizzati'
2006/11/16 15:20:32| The reply for GET http://www.comune.milano.it/webcity/portale/homepage.nsf/wAll/DSEV-6VKNZM/$file/banner_dirittiinfanzia.gif is ALLOWED, because it matched 'autorizzati'
it matched 'all'
2006/11/16 15:20:32| The request GET http://www.comune.milano.it/webcity/portale/homepage.nsf/wAll/DSEV-6TDA43/$file/mozart.gif is ALLOWED, because it matched 'DomainUsers'
2006/11/16 15:20:32| The request GET http://www.comune.milano.it/home/images/head_bar.gif is ALLOWED, because it matched 'DomainUsers'
2006/11/16 15:20:32| The reply for GET http://www.comune.milano.it/home/images/head_bar.gif is ALLOWED, because it matched 'all'
2006/11/16 15:20:32| The request GET http://www.comune.milano.it/webcity/portale/homepage.nsf/wAll/DSEV-6VDMS9/$file/multe1.gif is DENIED, because it matched 'autorizzati'
2006/11/16 15:20:32| The reply for GET http://www.comune.milano.it/webcity/portale/homepage.nsf/wAll/DSEV-6VDMS9/$file/multe1.gif is ALLOWED, because it matched 'autorizzati'
......
------------------cache.log---------------

My squid.conf is:
acl bad_word_content_type url_regex -i sesso culo culi tette nudo nuda seno seni pene cazzo cazzi teen figa streaming tvgratis
acl porn dstdomain "c:/squid/block/pornblock.txt"
acl ftpblock url_regex -i \.exe$ \.mp3$ \.asx$ \.avi$ \.mpeg$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.aif$ .\wma$ .\wmv$

http_access deny Proxy_Internet_Ts !trustedsites
http_access allow enabled
http_access deny porn !Proxy_All_Open
deny_info ERR_PORN_ACCESS_DENIED porn
#http_access deny bad_word_content_type !Proxy_ftp_porn_block_yes !Proxy_All_Open (DISABLED TODAY)
deny_info ERR_PORN_ACCESS_DENIED bad_word_content_type
http_access deny msnmessenger !Proxy_Messengers_yes !Proxy_All_Open
http_access deny msnweb !Proxy_Messengers_yes !Proxy_All_Open
http_access deny msnit !Proxy_Messengers_yes !Proxy_All_Open
http_access deny BadDest !Proxy_Messengers_yes !Proxy_All_Open
http_access deny rs_deny !rs_allowed
http_access deny ftpblock !Proxy_ftp_porn_block_yes !Proxy_All_Open
http_access allow autorizzati DomainUsers
http_access deny all

Finally...the question is:
In my opinion the best and simply way to debug should be to append the name of acl in access.log as shown:

----------access.log----------
1163682256.166 125 172.16.100.95 TCP_MISS/302 370 GET http://www.comune.milano.it/ smmi\castols DIRECT/217.31.113.35 -
1163682256.885 0 172.16.100.95 TCP_DENIED/407 2012 GET http://www.comune.milano.it/webcity/portale/homepage.nsf/index.htm? - NONE/- text/html !!!ACLNAME!!!
----------access.log----------

Is it possible? I didn't find the way.

Thanks
Marco
Italy

-----Messaggio originale-----
Da: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
Inviato: mercoled� 15 novembre 2006 22.26
A: Reale Marco
Cc: squid-users@squid-cache.org
Oggetto: Re: [squid-users] R: Re: [squid-users] Squid: What is wrong in myacl????

ons 2006-11-15 klockan 15:07 +0100 skrev Reale Marco:

> The problem is that sometimes (AND APPARENTLY WITHOUT REASON)
> authentication pop-up appears even though url currently I'm browsing
> is not wrote in pornsite.txt

Are you using NTLM authentication?

> 1) User open without problem url: www.somesite.com/homepage.aspx and while he is browsing, authentication popup appears.
> 2) I NOTICED THAT PRESSING CANCEL BUTTON, USER WAS ABLE TO CONTINUE BROWSING!!! Thus...I suspected that some object (a banner, a pop-up etc...) was blocked in fact....ENTERING MY CREDENTIALS (I'm in a group with full access) a pop-up with a banner was shown.

Could also be some embedded object in the page which was denied, such as an ad or similar.

> 3) THUS....AND FINALLY....ANALYZING LOG FILE I SAW entries like this:
> 172.16.100.136 TCP_DENIED/407 2181 GET http://secure-it.imrworldwide.com/cgi-bin/m?
> TCP_DENIED/407 2349 GET
> http://ad.it.doubleclick.net/adj/select.secondamano.it/homepage_rectan
> gle;sz=300x250;ord=1238394311? - NONE/- text/html
>
> http://ad.it.doubleclick.net/adj/select.secondamano.it/homepage_rectangle is the pop-up!!!

> This problem is driving me crazy and the only solution I founded is to disable "pornsite" acl even though It isn't a solution....

You could try the FAQ "I set up my access controls, but they don't work!
why?"
<url:http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-57ab8844e9060937c4a654e1aa7568f87cb25aef>

maybe it shows some light into the problem.

Regards
Henrik
Received on Thu Nov 16 2006 - 08:59:08 MST

This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:03 MST