RE: Squid 2.2.STABLE2 and ACLs

From: Tim Burgess <t.burgess@dont-contact.us>
Date: Wed, 5 May 1999 02:13:59 +1000

We have a pornography etc blocking set of ACLs and we get a similar list of
errors when we start. But it still works - so who cares?

Sure, the errors may be misleading - but squid still runs and the ACLs work.

Cheers,

Tim

> Though I suspect the (apparent) problem was there before, but is only now
> reported, I just tried Squid 2.2.STABLE2 and was disconcerted by the
> following reports at startup:
>
> 1999/05/04 13:21:19| WARNING: jpet.aspetjournals.org is a subdomain of intl-jpet.aspetjournals.org
> 1999/05/04 13:21:19| WARNING: This may break Splay tree searching
> 1999/05/04 13:21:19| WARNING: You should remove 'intl-jpet.aspetjournals.org' from the ACL named 'other-direct'
> 1999/05/04 13:21:19| WARNING: molpharm.aspetjournals.org is a subdomain of intl-molpharm.aspetjournals.org
> 1999/05/04 13:21:19| WARNING: This may break Splay tree searching
> 1999/05/04 13:21:19| WARNING: You should remove 'intl-molpharm.aspetjournals.org' from the ACL named 'other-direct'
> 1999/05/04 13:21:19| WARNING: dmd.aspetjournals.org is a subdomain of intl-dmd.aspetjournals.org
> 1999/05/04 13:21:19| WARNING: This may break Splay tree searching
> 1999/05/04 13:21:19| WARNING: You should remove 'intl-dmd.aspetjournals.org' from the ACL named 'other-direct'
>
> The other-direct ACL is used with always_direct to force access to those
> e-journal sites (among others) to go direct rather than via parent caches,
> which would get denied by access controls - defined as
>
> acl other-direct dstdomain "/opt/squid/current/etc/always-direct.conf"
> always_direct allow other-direct
>
> As worded, the warning messages are either wrong or misleading/confusing.
>
> Is the reality that
>
> (a) this is a newly introduced bug, that simply needs to be fixed, or
>
> (b) something Squid cannot handle, and there's no way to match that pair
> of hosts except by listing the domain instead, which in our case could
> result in higher network usage charges for no reason other than a
> shortcoming in Squid, or
>
> (c) something Squid cannot handle in the obvious way, but hostname matching
> is trailing substring match rather than exact match (yuk, if so!), so
> that listing just the shorter version would also match the longer (but
> potentially also random other names that happen to end with the same
> substring, potentially incurring network charges that should be
> avoided), or
>
> (d) An incorrect diagnostic, so that listing both hosts of each pair will
> work just fine, and the warnings should be ignored.
>
> I hope the answer will be (a) or (d), but am rather worried it will be (b)
> or (c).
>
> If it's either (b) or (c), I think there needs to be clearer documentation
> of how matching works, as well as making clear that overlapping names are
> not allowed - there's no hint of either issue in the comments in the sample
> config file, which is the nearest thing to current documentation for Squid,
> except for those few aspects that get more detailed coverage in the FAQ etc.
> [A previous problem had resulted in me being told that you can't list
> entries for both a hostname and its parent domain, otherwise I'd have been
> more surprised and confused by the warning messages...]
>
> Also - is this new with Squid 2.2, or is the problem there (but not
> reported) in earlier Squid 2 versions?
>
> John Line
> --
> University of Cambridge WWW manager account (usually John Line)
> Send general WWW-related enquiries to webmaster@ucs.cam.ac.uk
>
>
Received on Tue May 04 1999 - 10:09:36 MDT
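
The distinction behind options (c) and (d) in the quoted message can be checked offline against the ACL file. The following is an added example, not part of either message and not Squid's code: it separates entries that are real parent/child domains (related on a DNS label boundary) from entries that merely share a trailing substring, such as the `intl-` pairs in the warnings. It does not reproduce Squid's own matching; the `example.org` entries are constructed, and the function names are hypothetical.

```python
# Added example: offline lint for a dstdomain list. Not Squid code.

def norm(entry):
    """Lower-case an entry and drop surrounding whitespace and dots."""
    return entry.strip().lower().strip(".")

def is_subdomain(child, parent):
    """True only when child sits below parent on a DNS label boundary."""
    c, p = norm(child).split("."), norm(parent).split(".")
    return len(c) > len(p) and c[-len(p):] == p

def is_raw_suffix(longer, shorter):
    """True when shorter is a trailing substring of longer, labels ignored."""
    a, b = norm(longer), norm(shorter)
    return a != b and a.endswith(b)

def lint(entries):
    """Return (kind, longer_name, shorter_name) for every related pair."""
    names = sorted({norm(e) for e in entries
                    if e.strip() and not e.lstrip().startswith("#")})
    findings = []
    for a in names:
        for b in names:
            if a == b:
                continue
            if is_subdomain(a, b):
                # Hostname listed together with its parent domain.
                findings.append(("overlap", a, b))
            elif is_raw_suffix(a, b):
                # Distinct hosts that only look related as raw strings.
                findings.append(("suffix-only", a, b))
    return findings

# Host names from the warnings above, plus two constructed entries.
SAMPLE = [
    "jpet.aspetjournals.org", "intl-jpet.aspetjournals.org",
    "molpharm.aspetjournals.org", "intl-molpharm.aspetjournals.org",
    "dmd.aspetjournals.org", "intl-dmd.aspetjournals.org",
    "example.org", "www.example.org",  # constructed: a true parent/child pair
]

if __name__ == "__main__":
    for kind, longer, shorter in lint(SAMPLE):
        print(f"{kind:12} {longer} <-> {shorter}")
```

A `suffix-only` finding marks two distinct hosts, so an ACL that stops matching one of them after the other is removed would be sending traffic by a different route than intended.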
