[squid-users] is this an acl bug ?

From: Chris Brain <chris.brain@dont-contact.us>
Date: Mon, 24 Mar 2003 11:23:02 +0800

Hi all,

I am running 2.5 Stable 1 and having a problem with the debug_info attached to an acl.
What is happening is that if a user fails the proxy_auth (we are using ncsa, but it happens with other auth schemes as well), the deny_info that is displayed is wrong (but the acl actions work correctly).
I am not seeing this with my 2.6 stable 6 units.

These are the acls and access rules:

acl no_download urlpath_regex -i \.exe$ \.zip$ \.scr$ \.pif$ \.bat$ \.hqz$ \.bin$ \.sit$ \.dmg$ \.hqx$ \.gz$
deny_info ERR_NO_DOWNLOAD no_download
acl streaming_users proxy_auth bill
acl no_bigbrother url_regex -i http://www.bigbrother.iprimus.com.au
deny_info ERR_STREAMING_MEDIA no_bigbrother
acl download_bypass url_regex -i \reuters
deny_info ERR_NO_DOWNLOAD download_bypass
acl no_streaming urlpath_regex -i \.asf$ \.ram$ \.asx$ \.mov$ \.avi$ \.mpg$ \.mpeg$ \.wmf$ \.qt$ \.mp3$ \.wmv$ \.rm$
deny_info ERR_STREAMING_MEDIA no_streaming
acl trusted_users proxy_auth bill
acl password proxy_auth REQUIRED
deny_info ERR_CACHE_ACCESS_DENIED password

never_direct allow all

http_access deny !streaming_users no_streaming
http_access deny no_download !trusted_users !download_bypass
http_access deny !big_brother_hosts no_bigbrother
http_access allow password
http_access deny all

Looking at the debug I do not see why it is matching but it does say that it
is. I had

2003/03/21 15:29:20| aclCheck: checking 'http_access deny !streaming_users no_streaming'
2003/03/21 15:29:20| aclMatchAclList: checking !streaming_users
2003/03/21 15:29:20| aclMatchAcl: checking 'acl streaming_users proxy_auth bill'
2003/03/21 15:29:20| authenticateAuthenticate: header Basic aGhoaDo=.
2003/03/21 15:29:20| authenticateAuthenticate: This is a new checklist test on FD:54
2003/03/21 15:29:20| authenticateAuthenticate: no connection authentication type
2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request '0x84aa028'.
2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request '0x84aa028' now at '1'.
2003/03/21 15:29:20| authenticateDecodeAuth: header = 'Basic aGhoaDo='
2003/03/21 15:29:20| authenticateBasicDecodeAuth: cleartext = 'hhhh:'
2003/03/21 15:29:20| authenticateBasicDecodeAuth: Disallowing empty password,user is 'hhhh'
2003/03/21 15:29:20| authBasicDecodeAuth: Creating new user for logging 'hhhh'
2003/03/21 15:29:20| authenticateAuthUserLock auth_user '0x841bbb0'.
2003/03/21 15:29:20| authenticateAuthUserLock auth_user '0x841bbb0' now at '1'.
2003/03/21 15:29:20| authenticateValidateUser: Validating Auth_user request '0x84aa028'.
2003/03/21 15:29:20| authenticateValidateUser: Auth_user '0x841bbb0' is broken for it's scheme.
2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request '0x84aa028'.
2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request '0x84aa028' now at '2'.
2003/03/21 15:29:20| authenticateAuthUserRequestUnlock auth_user request '0x84aa028'.
2003/03/21 15:29:20| authenticateAuthUserRequestUnlock auth_user_request '0x84aa028' now at '1'.
2003/03/21 15:29:20| aclMatchAcl: returning 0 sending authentication challenge.
2003/03/21 15:29:20| aclMatchAclList: checking no_streaming
2003/03/21 15:29:20| aclMatchAcl: checking 'acl no_streaming urlpath_regex -i \.asf$ \.ram$ \.asx$ \.mov$ \.avi$ \.mpg$ \.mpeg$ \.wmf$ \.qt$ \.mp3$ \.wmv$ \.rm$'
2003/03/21 15:29:20| aclMatchRegex: checking '/'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.asf$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.ram$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.asx$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.mov$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.avi$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.mpg$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.mpeg$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.wmf$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.qt$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.mp3$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.wmv$'
2003/03/21 15:29:20| aclMatchRegex: looking for '\.rm$'
2003/03/21 15:29:20| aclMatchAclList: returning 0
2003/03/21 15:29:20| aclCheck: requiring Proxy Auth header.
2003/03/21 15:29:20| aclCheck: match found, returning 2
2003/03/21 15:29:20| aclCheckCallback: answer=2
2003/03/21 15:29:20| The request GET http://www.google.com./ is DENIED, because it matched 'no_streaming'
2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request '0x84aa028'.
2003/03/21 15:29:20| authenticateAuthUserRequestLock auth_user request '0x84aa028' now at '2'.
2003/03/21 15:29:20| authenticateFixHeader: headertype:34 authuser:0x84aa028
2003/03/21 15:29:20| authenticateValidateUser: Validating Auth_user request '0x84aa028'.
2003/03/21 15:29:20| authenticateValidateUser: Auth_user '0x841bbb0' is broken for it's scheme.
2003/03/21 15:29:20| authenticateFixErrorHeader: Sending type:34 header: 'Basic realm="Proxy Logon"'
2003/03/21 15:29:20| authenticateFixHeader: headertype:34 authuser:0x84aa028
2003/03/21 15:29:20| aclCheckFast: list: (nil)
2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
2003/03/21 15:29:20| aclCheckFast: list: (nil)
2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
2003/03/21 15:29:20| aclCheckFast: list: (nil)
2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
2003/03/21 15:29:20| aclCheckFast: list: (nil)
2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
2003/03/21 15:29:20| aclCheckFast: list: (nil)
2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
2003/03/21 15:29:20| aclCheckFast: list: (nil)
2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
2003/03/21 15:29:20| aclCheckFast: list: (nil)
2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
2003/03/21 15:29:20| aclCheckFast: list: (nil)
2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
2003/03/21 15:29:20| aclCheckFast: list: (nil)
2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
2003/03/21 15:29:20| aclCheckFast: list: (nil)
2003/03/21 15:29:20| aclCheckFast: no matches, returning: 1
2003/03/21 15:29:20| aclCheckFast: list: 0x87376c0
2003/03/21 15:29:20| aclMatchAclList: checking all
2003/03/21 15:29:20| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/03/21 15:29:20| aclMatchIp: '192.168.1.7' found
2003/03/21 15:29:20| aclMatchAclList: returning 1
2003/03/21 15:29:20| aclCheckFast: list: 0x86d71e0
2003/03/21 15:29:20| aclMatchAclList: checking all
2003/03/21 15:29:20| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/03/21 15:29:20| aclMatchIp: '192.168.1.7' found
2003/03/21 15:29:20| aclMatchAclList: returning 1
2003/03/21 15:29:20| The reply for GET http://www.google.com./ is ALLOWED, because it matched 'all'
2003/03/21 15:29:20| authenticateAuthUserRequestUnlock auth_user request '0x84aa028'.
2003/03/21 15:29:20| authenticateAuthUserRequestUnlock auth_user_request '0x84aa028' now at '1'.
2003/03/21 15:29:21| authenticateAuthUserRequestUnlock auth_user request '0x84aa028'.
2003/03/21 15:29:21| authenticateAuthUserRequestUnlock auth_user_request '0x84aa028' now at '0'.
2003/03/21 15:29:21| authenticateAuthUserRequestFree: freeing request 0x84aa028
2003/03/21 15:29:21| authenticateAuthUserUnlock auth_user '0x841bbb0'.
2003/03/21 15:29:21| authenticateAuthUserUnlock auth_user '0x841bbb0' now at '0'.
2003/03/21 15:29:21| authenticateFreeProxyAuthUser: Freeing auth_user '0x841bbb0' with refcount '0'.
2003/03/21 15:29:21| authenticateBasicFreeUser: Clearing Basic scheme data

Any help would be appreciated.

cheers

> Chris Brain
> System Support Officer
>
> West Australian Newspapers
> 50 Hasler Road Osborne park
> e-mail: chris.brain@wanews.com.au
> Phone: 08 9 482 3386
> Fax: 08 9 482 3747
>
>
Received on Sun Mar 23 2003 - 20:23:27 MST
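
An added example, not part of the original post and not Squid code: a small Python checker for debug traces like the one quoted above. It flags a request whose DENIED line names one ACL although the ACL list returned 0 and an authentication challenge was sent while a different ACL was being checked, which is the pattern in this trace. The function name `audit` and the result field names are assumptions of this example.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the post,
# with the e-mail line wrapping undone.
SAMPLE_LOG = """\
2003/03/21 15:29:20| aclCheck: checking 'http_access deny !streaming_users no_streaming'
2003/03/21 15:29:20| aclMatchAclList: checking !streaming_users
2003/03/21 15:29:20| aclMatchAcl: checking 'acl streaming_users proxy_auth bill'
2003/03/21 15:29:20| aclMatchAcl: returning 0 sending authentication challenge.
2003/03/21 15:29:20| aclMatchAclList: checking no_streaming
2003/03/21 15:29:20| aclMatchAclList: returning 0
2003/03/21 15:29:20| aclCheck: requiring Proxy Auth header.
2003/03/21 15:29:20| aclCheck: match found, returning 2
2003/03/21 15:29:20| The request GET http://www.google.com./ is DENIED, because it matched 'no_streaming'
"""

# Patterns for the message part of each debug line (text after "| ").
RULE = re.compile(r"aclCheck: checking '(http_access .+)'$")
TERM = re.compile(r"aclMatchAclList: checking (!?\S+)$")
CHALLENGE = re.compile(r"aclMatchAcl: returning 0 sending authentication challenge")
LIST_RESULT = re.compile(r"aclMatchAclList: returning (\d+)$")
VERDICT = re.compile(r"The request (\S+) (\S+) is (DENIED|ALLOWED), because it matched '([^']+)'")

def audit(log_text):
    """Return one record per request verdict, marking ACL-name mismatches."""
    findings, rule, term, challenged, list_result = [], None, None, None, None
    for raw in log_text.splitlines():
        msg = raw.split("| ", 1)[-1].strip()
        if m := RULE.search(msg):        # a new http_access line: reset state
            rule, term, challenged, list_result = m.group(1), None, None, None
        elif m := TERM.search(msg):      # ACL currently being evaluated
            term = m.group(1)
        elif CHALLENGE.search(msg):      # auth challenge raised on this ACL
            challenged = term
        elif m := LIST_RESULT.search(msg):
            list_result = int(m.group(1))
        elif m := VERDICT.search(msg):
            _, url, action, named = m.groups()
            # Mismatch: denied, list did not match, and the challenge came
            # from a different ACL than the one named in the verdict.
            mismatch = (action == "DENIED" and list_result == 0
                        and challenged is not None
                        and challenged.lstrip("!") != named)
            findings.append({"url": url, "action": action, "rule": rule,
                             "named_acl": named, "list_result": list_result,
                             "challenged_on": challenged, "mismatch": mismatch})
    return findings
```

Run `audit()` over a cache.log captured at the same debug level; any record with `mismatch` set is a request where the ACL named in the deny message is not the one that triggered the authentication challenge.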
