Re: [squid-users] external ACL check sporadically failing

From: Alex Tsalolikhin <eesti@dont-contact.us>
Date: Mon, 21 Apr 2003 10:04:25 -0700

On Wed, Apr 16, 2003 at 10:34:46PM +0200, Henrik Nordstrom wrote:
> You did not include exactly what I requested in your cache.log, but by
> chance you included just enough to show what is going on:
>
> 2003/04/16 08:20:48| aclMatchAcl: checking 'acl elnkips external elnk_external'
> 2003/04/16 08:20:48| aclMatchExternal: elnk_external("166.140.23.235") = lookup needed
> [...]
> 2003/04/16 08:20:48| The reply for GET http://www.beazzs.com/ is DENIED, because it matched 'all'
> [note: "The REPLY for ..."]
>
> This tells me your problem is that you are using external acl lookups
> in http_reply_access... Using external acl lookups or any other acl
> types which may require an external lookup of some kind (i.e. DNS or
> ident) is not reliable in Squid-2.5 as http_reply_access cannot wait
> for the lookup to complete.
>
> Change http_reply_access to the default
>
> http_reply_access allow all
>
> and things should work significantly better in your case.
> http_reply_access is mainly meant to be used with the rep_mime_type
> acl.

Hi,

  Thanks, changing http_reply_access to the default

    http_reply_access allow all

reduced false negatives about 10x!

  WRT the remaining false negatives, logs of the external ACL checker
show it was not queried about the client IP addresses that were denied.

  Here are two cache.log excerpts (if I missed anything please let me know
what and I'll be glad to add it):

2003/04/21 06:49:21| clientAccessCheck: proxy request denied in accel_only mode
2003/04/21 06:49:21| The request GET http://mobile.msn.com/pocketpc/home.asp is DENIED, because it matched 'all'
2003/04/21 06:49:21| aclCheckFast: list: 0
2003/04/21 06:49:21| aclCheckFast: no matches, returning: 1
2003/04/21 06:49:21| aclCheckFast: list: 0
2003/04/21 06:49:21| aclCheckFast: no matches, returning: 1
2003/04/21 06:49:21| aclCheckFast: list: 0
2003/04/21 06:49:21| aclCheckFast: no matches, returning: 1
2003/04/21 06:49:21| aclCheckFast: list: 0
2003/04/21 06:49:21| aclCheckFast: no matches, returning: 1
2003/04/21 06:49:21| aclCheckFast: list: 0
2003/04/21 06:49:21| aclCheckFast: no matches, returning: 1
2003/04/21 06:49:21| aclCheckFast: list: 0
2003/04/21 06:49:21| aclCheckFast: no matches, returning: 1
2003/04/21 06:49:21| aclCheckFast: list: 0
2003/04/21 06:49:21| aclCheckFast: no matches, returning: 1
2003/04/21 06:49:21| aclCheckFast: list: 0
2003/04/21 06:49:21| aclCheckFast: no matches, returning: 1
2003/04/21 06:49:21| aclCheckFast: list: 0
2003/04/21 06:49:21| aclCheckFast: no matches, returning: 1
2003/04/21 06:49:21| aclCheckFast: list: 1c13e0
2003/04/21 06:49:21| aclMatchAclList: checking all
2003/04/21 06:49:21| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/04/21 06:49:21| aclMatchIp: '166.149.54.92' found
2003/04/21 06:49:21| aclMatchAclList: returning 1
2003/04/21 06:49:21| aclCheckFast: list: 1c12f0
2003/04/21 06:49:21| aclMatchAclList: checking all
2003/04/21 06:49:21| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/04/21 06:49:21| aclMatchIp: '166.149.54.92' found
2003/04/21 06:49:21| aclMatchAclList: returning 1
2003/04/21 06:49:21| The reply for GET http://mobile.msn.com/pocketpc/home.asp is ALLOWED, because it matched 'all'

2003/04/21 06:57:45| clientAccessCheck: proxy request denied in accel_only mode
2003/04/21 06:57:45| The request GET http://mapquest.com/ is DENIED, because it matched 'all'
2003/04/21 06:57:45| aclCheckFast: list: 0
2003/04/21 06:57:45| aclCheckFast: no matches, returning: 1
2003/04/21 06:57:45| aclCheckFast: list: 0
2003/04/21 06:57:45| aclCheckFast: no matches, returning: 1
2003/04/21 06:57:45| aclCheckFast: list: 0
2003/04/21 06:57:45| aclCheckFast: no matches, returning: 1
2003/04/21 06:57:45| aclCheckFast: list: 0
2003/04/21 06:57:45| aclCheckFast: no matches, returning: 1
2003/04/21 06:57:45| aclCheckFast: list: 0
2003/04/21 06:57:45| aclCheckFast: no matches, returning: 1
2003/04/21 06:57:45| aclCheckFast: list: 0
2003/04/21 06:57:45| aclCheckFast: no matches, returning: 1
2003/04/21 06:57:45| aclCheckFast: list: 0
2003/04/21 06:57:45| aclCheckFast: no matches, returning: 1
2003/04/21 06:57:45| aclCheckFast: list: 0
2003/04/21 06:57:45| aclCheckFast: no matches, returning: 1
2003/04/21 06:57:45| aclCheckFast: list: 0
2003/04/21 06:57:45| aclCheckFast: no matches, returning: 1
2003/04/21 06:57:45| aclCheckFast: list: 1c13e0
2003/04/21 06:57:45| aclMatchAclList: checking all
2003/04/21 06:57:45| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/04/21 06:57:45| aclMatchIp: '166.142.17.173' found
2003/04/21 06:57:45| aclMatchAclList: returning 1
2003/04/21 06:57:45| aclCheckFast: list: 1c12f0
2003/04/21 06:57:45| aclMatchAclList: checking all
2003/04/21 06:57:45| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/04/21 06:57:45| aclMatchIp: '166.142.17.173' found
2003/04/21 06:57:45| aclMatchAclList: returning 1
2003/04/21 06:57:45| The reply for GET http://mapquest.com/ is ALLOWED, because it matched 'all'
2003/04/21 06:57:45| clientReadRequest: FD 11: no data to process ((11) Resource temporarily unavailable)

What accounts for these remaining false negatives, please?

Best regards,
Alex.
Received on Mon Apr 21 2003 - 11:04:33 MDT
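A small squid.conf linter for the problem Henrik describes in the quoted reply, added here as an example and not part of the original thread or of Squid itself: it flags http_reply_access rules that reference ACL types which may need an asynchronous lookup (external helper, DNS, ident, proxy authentication), since in Squid 2.5 the reply check cannot wait for such a lookup. The list of ACL types is the editor's, following the quoted description; the two squid.conf fragments are constructed for this example, and the external_acl_type line and helper path in them are hypothetical.

```python
"""Flag squid.conf rules that use lookup-capable ACLs in http_reply_access.

In Squid 2.5, http_reply_access is evaluated with the fast check, which
cannot suspend for an external helper, DNS or ident lookup, so such ACLs
are unreliable there. Move them to http_access (which can wait) and leave
http_reply_access for synchronous ACLs such as rep_mime_type.
"""

# ACL types that may need an asynchronous lookup in Squid 2.5 (editor's list,
# derived from the thread: external helpers, DNS-dependent, ident and
# proxy-auth types).
ASYNC_ACL_TYPES = {
    "external", "ident", "ident_regex",
    "dst", "srcdomain", "dstdomain", "srcdom_regex", "dstdom_regex",
    "proxy_auth", "proxy_auth_regex",
}


def _strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_acls(conf_text):
    """Return {acl_name: acl_type} for every 'acl NAME TYPE ...' line."""
    acls = {}
    for line in conf_text.splitlines():
        parts = _strip_comment(line).split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls[parts[1]] = parts[2]
    return acls


def lint_reply_access(conf_text):
    """Return (lineno, acl_name, acl_type) for each lookup-capable ACL that
    an http_reply_access rule references (negated '!acl' references count)."""
    acls = parse_acls(conf_text)
    problems = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        parts = _strip_comment(line).split()
        if len(parts) < 3 or parts[0] != "http_reply_access":
            continue
        for ref in parts[2:]:
            name = ref.lstrip("!")
            acl_type = acls.get(name)
            if acl_type in ASYNC_ACL_TYPES:
                problems.append((lineno, name, acl_type))
    return problems


# Constructed configuration fragments. The external_acl_type line and the
# helper path are hypothetical; the acl names follow the thread.
BAD_CONF = """\
external_acl_type elnk_external %SRC /usr/local/squid/libexec/elnk_check
acl all src 0.0.0.0/0.0.0.0
acl elnkips external elnk_external
http_access allow all
http_reply_access allow elnkips   # async lookup inside the fast reply check
http_reply_access deny all
"""

GOOD_CONF = """\
external_acl_type elnk_external %SRC /usr/local/squid/libexec/elnk_check
acl all src 0.0.0.0/0.0.0.0
acl elnkips external elnk_external
http_access allow elnkips         # slow check: can wait for the helper
http_access deny all
http_reply_access allow all
"""

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        for lineno, name, acl_type in lint_reply_access(conf):
            print(f"{label}: line {lineno}: http_reply_access uses "
                  f"'{name}' (type {acl_type}), which may need a lookup")
```

Run it against a real squid.conf by reading the file into `lint_reply_access`; a non-empty result means the rule should move to http_access, exactly the change Henrik recommends.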

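The two cache.log excerpts in the message above show a different pattern from the one Henrik diagnosed: the line "clientAccessCheck: proxy request denied in accel_only mode" precedes each "The request ... is DENIED" line. In Squid 2.5 that message is printed by clientAccessCheck when the proxy runs as an accelerator without httpd_accel_with_proxy and receives a request that is not an accelerated one; the request is denied at that point, before the http_access rules are evaluated, so no ACL and therefore no external helper is consulted, which is consistent with the helper log showing no query for those client addresses. The script below, an added example that is not from the thread or from Squid, walks cache.log lines and labels both patterns: an asynchronous lookup evaluated inside a reply check (the first problem in the thread) and an accel_only denial before the access check (the second). The sample lines are constructed from the excerpts on this page plus one constructed healthy request; the script assumes one access check is logged at a time, as in the excerpts, so on a busy log with interleaved requests the pairing is only a heuristic.

```python
"""Triage Squid 2.5 cache.log debug output for access-check verdicts that
never reached the external ACL helper.

Patterns recognised:
  1. 'aclMatchExternal: NAME("KEY") = lookup needed' followed by a verdict on
     'The reply for ...': an asynchronous ACL was evaluated from
     http_reply_access, which cannot wait, so the verdict is unreliable.
  2. 'clientAccessCheck: proxy request denied in accel_only mode' followed by
     'The request ... is DENIED': the request was rejected before http_access
     ran, so no ACL and no external helper was consulted.

Assumption: one access check is logged at a time (true for the excerpts on
this page); interleaved requests would need per-request correlation.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| (?P<msg>.*)$")
LOOKUP_RE = re.compile(
    r"aclMatchExternal: (?P<acl>\S+)\(\"(?P<key>[^\"]*)\"\) = lookup needed")
VERDICT_RE = re.compile(
    r"The (?P<stage>request|reply for) (?P<method>[A-Z]+) (?P<url>\S+) is "
    r"(?P<verdict>ALLOWED|DENIED), because it matched '(?P<acl>[^']*)'")
ACCEL_DENY = "clientAccessCheck: proxy request denied in accel_only mode"


@dataclass
class Finding:
    ts: str
    url: str
    verdict: str
    reason: str


def triage(lines):
    """Return a Finding for every verdict that matches pattern 1 or 2."""
    findings = []
    pending_lookup = None   # (acl, key) from the latest "lookup needed"
    pending_accel = False   # accel_only denial seen, verdict not yet printed
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        lk = LOOKUP_RE.search(msg)
        if lk:
            pending_lookup = (lk.group("acl"), lk.group("key"))
            continue
        if msg.startswith(ACCEL_DENY):
            pending_accel = True
            continue
        v = VERDICT_RE.search(msg)
        if not v:
            continue
        stage, url, verdict = v.group("stage"), v.group("url"), v.group("verdict")
        if stage == "reply for" and pending_lookup is not None:
            acl, key = pending_lookup
            findings.append(Finding(ts, url, verdict,
                f"async ACL {acl}({key}) evaluated in http_reply_access; "
                "verdict taken before the lookup finished"))
        elif stage == "request" and pending_accel:
            findings.append(Finding(ts, url, verdict,
                "denied in accel_only mode before http_access; "
                "external helper never consulted"))
        # Any printed verdict closes the current check.
        pending_lookup = None
        pending_accel = False
    return findings


# Constructed sample: the first seven lines are taken from the excerpts in
# this thread, the last three are a constructed healthy http_access lookup
# (the timestamp and http://example.com/ are invented) that must not be flagged.
SAMPLE_LOG = """\
2003/04/16 08:20:48| aclMatchAcl: checking 'acl elnkips external elnk_external'
2003/04/16 08:20:48| aclMatchExternal: elnk_external("166.140.23.235") = lookup needed
2003/04/16 08:20:48| The reply for GET http://www.beazzs.com/ is DENIED, because it matched 'all'
2003/04/21 06:49:21| clientAccessCheck: proxy request denied in accel_only mode
2003/04/21 06:49:21| The request GET http://mobile.msn.com/pocketpc/home.asp is DENIED, because it matched 'all'
2003/04/21 06:49:21| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2003/04/21 06:49:21| The reply for GET http://mobile.msn.com/pocketpc/home.asp is ALLOWED, because it matched 'all'
2003/04/21 06:58:02| aclMatchExternal: elnk_external("166.142.17.173") = lookup needed
2003/04/21 06:58:02| The request GET http://example.com/ is ALLOWED, because it matched 'elnkips'
2003/04/21 06:58:02| The reply for GET http://example.com/ is ALLOWED, because it matched 'all'
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.verdict:7} {f.url}: {f.reason}")
```

Point it at a real log with `triage(open("cache.log"))`; it needs the debug levels that produced the excerpts above (the aclMatch* and clientAccessCheck messages), and a run with no findings after the http_reply_access change means the remaining denials are coming from somewhere other than the two paths discussed in this thread.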