[squid-users] acl which matches unresolvable domain?

From: Peter Warasin <peter_at_endian.com>
Date: Tue, 01 Feb 2011 12:26:40 +0100

Hi squids

Anyone ready to help me? I have a quite funny problem.

I have a more or less complex configuration, so I cut it down to the
interesting part.

Basically it is a sandwich configuration
squid -> content filters -> squid
which normally is working well.

However, if you try to access an *inexistent* domain, squid is not
returning the appropriate ERR_DNS_FAIL message, but ERR_ACCESS_DENIED,
which of course is confusing users.

I narrowed the problem down by debugging squid and actually found the
problem.

Here is the interesting part of my configuration:

---------------------->8------------------------------------------------
acl from_all src 0.0.0.0/0.0.0.0
acl to_all dst 0.0.0.0/0.0.0.0

# http access to squid
http_access allow from_localhost
[...]
http_access allow from_all to_all within_timeframe_rule1
http_access deny from_all

(http_reply_access is similar and does not cause the access denied)
---------------------->8------------------------------------------------

I found out that my

http_access allow from_all to_all within_timeframe_rule1

is not matching in this case, because the domain resolution did not
return an IP address. So the request is still the domain name, and squid
is comparing the domain name with 0/0, which will not match.

OK, so I tried to solve it by adding these rules:

acl to_alldomain dstdom_regex .*
http_access allow from_all within_timeframe_rule1 to_alldomain

This actually works, but it seems like quite an overhead to me.

Is there no better solution for this?
Something like an acl which matches not-resolved? Or something like a
value of "none" or "no-ip" for "dst"?

Anyone with a similar issue and a better solution?

Thanks in advance for suggestions

peter

-- 
:: e n d i a n
:: open source - open minds
:: peter warasin
:: http://www.endian.com   :: [email protected]
Received on Tue Feb 01 2011 - 11:26:53 MST
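The behaviour described in the post, reproduced in a small model of Squid's first-match http_access evaluation. This is added example code, not part of the post and not Squid's own implementation; it encodes the observation from the post as an assumption (a `dst` ACL has nothing to compare when the hostname did not resolve, so it cannot match), stands in for the undefined `within_timeframe_rule1` with a constructed `time` acl that is treated as currently inside its window, and uses constructed client and destination addresses from the documentation ranges.

```python
"""Model of Squid http_access evaluation for the unresolvable-domain case.

Constructed example, not Squid code. One assumption is built in, taken from
the post: a `dst` ACL cannot match a request whose destination hostname did
not resolve to any IP address.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str
    dst_host: str
    dst_ips: list = field(default_factory=list)  # empty when the DNS lookup failed


class Acl:
    """One `acl NAME TYPE VALUE...` line; only the types used here are modelled."""

    def __init__(self, name, kind, values):
        self.name, self.kind, self.values = name, kind, values

    def matches(self, req):
        if self.kind == "src":
            addr = ipaddress.ip_address(req.client_ip)
            return any(addr in ipaddress.ip_network(v, strict=False) for v in self.values)
        if self.kind == "dst":
            # Assumption from the post: with no resolved address there is nothing
            # to compare against the network, so `dst` does not match at all.
            nets = [ipaddress.ip_network(v, strict=False) for v in self.values]
            return any(ipaddress.ip_address(ip) in n for ip in req.dst_ips for n in nets)
        if self.kind == "dstdom_regex":
            # Matches on the hostname itself, so it works without any DNS answer.
            return any(re.search(v, req.dst_host) for v in self.values)
        if self.kind == "time":
            # Constructed stand-in for within_timeframe_rule1: the post does not
            # show its definition, so it is treated as currently inside the window.
            return True
        raise ValueError(f"acl type not modelled: {self.kind}")


def parse_config(text):
    """Collect `acl` definitions and `http_access` lines from a squid.conf fragment."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "acl":
            acls[tok[1]] = Acl(tok[1], tok[2], tok[3:])
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules


def decide(config_text, req):
    """First http_access line whose terms all match wins; if no line matches,
    Squid applies the opposite of the last line's action."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        hit = True
        for term in terms:
            negate = term.startswith("!")
            if acls[term.lstrip("!")].matches(req) == negate:
                hit = False
                break
        if hit:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The post's snippet, with within_timeframe_rule1 supplied as an assumed time acl.
ORIGINAL = """
acl from_all src 0.0.0.0/0.0.0.0
acl to_all dst 0.0.0.0/0.0.0.0
acl within_timeframe_rule1 time MTWHF 08:00-18:00
http_access allow from_all to_all within_timeframe_rule1
http_access deny from_all
"""

# The post's workaround; the extra allow line has to sit above the final deny.
WORKAROUND = """
acl from_all src 0.0.0.0/0.0.0.0
acl to_all dst 0.0.0.0/0.0.0.0
acl within_timeframe_rule1 time MTWHF 08:00-18:00
acl to_alldomain dstdom_regex .*
http_access allow from_all to_all within_timeframe_rule1
http_access allow from_all within_timeframe_rule1 to_alldomain
http_access deny from_all
"""

# Constructed requests: one with a resolved destination, one where DNS failed.
RESOLVED = Request("192.0.2.10", "www.example.net", ["198.51.100.7"])
UNRESOLVED = Request("192.0.2.10", "no-such-host.example", [])

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("workaround", WORKAROUND)):
        for req in (RESOLVED, UNRESOLVED):
            print(f"{label:10} {req.dst_host:22} -> {decide(cfg, req)}")
```

Under the original rules the unresolved request falls through the `to_all` term and hits `deny from_all`, which is the ERR_ACCESS_DENIED the post complains about; with the `dstdom_regex .*` line in place it is allowed past http_access, so the later DNS failure is what the client sees. The model also makes the ordering visible: appending the workaround allow line after `http_access deny from_all` would change nothing, because the deny already matches first.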