[squid-users] Squid-2.4-STABLE7 http_access breaks when Netfilter REDIRECT turned on/off/on

From: per jarevez <perj8@dont-contact.us>
Date: Mon, 16 Jun 2003 21:59:39 +0000

My http_access rules start to allow all, disregarding the other ACLs on the
http_access rule (see below), after I start, then stop, then start using
Netfilter REDIRECT again.

The http_access is flawless when I'm using Netfilter REDIRECT when Squid is
loaded. I stop using Netfilter REDIRECT for half a day then go back to
using Netfilter REDIRECT. Then the problem with http_access shows up.

The "http_access allow myAllow all" would allow things in "myDeny" even
when I "squid -k reconfigure" with a changed myAllow that contains one
url_regex that surely doesn't match any actual requests from my browser on
10.1.0.100. However requests from my browser that match the url_regex in
myDeny would still be accepted by Squid!

Is this a bug in Squid's --enable-linux-netfilter code? Or something with
my configuration? "squid -k parse" gives no errors. Help.

kernel-2.4.21-rc6 Netfilter-1.2.8 Squid-2.4-STABLE7
./configure --enable-gnuregex --enable-removal-policies=heap
--enable-async-io --enable-useragent-log --enable-delay-pools
--enable-icmp --enable-referer-log --disable-wccp --enable-linux-netfilter
--disable-ident-lookups --enable-underscores

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl intranet src 10.0.0.0/255.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl myAllow url_regex -i "/home/daemon/squid/myAllow.txt"
acl myDeny url_regex -i "/home/daemon/squid/myDeny.txt"

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow myAllow all <---- becomes "http_access allow all" after Netfilter REDIRECT is switched back on.
http_access deny myDeny all
http_access allow localhost
http_access allow intranet
# And finally deny all other access to this proxy
http_access deny all

myDeny.txt contains things like
advertising\.com
/ads/
/ads\.
webtrendslive\.com

myAllow.txt contains things like
hotmail
messenger\.msn\.com

Received on Mon Jun 16 2003 - 15:59:43 MDT
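
The rule list quoted in the message above, modelled as a first-match evaluator so the expected decision for a given URL can be compared with what the proxy actually does. This is an added example, not part of the original post and not Squid code; `decide` is a hypothetical helper, Python's `re` stands in for Squid's regex library, and the pattern lists hold only the sample entries quoted in the post.

```python
import re
from ipaddress import ip_address, ip_network

# Sample entries quoted in the post ("things like"), not the full files.
MY_ALLOW = [r"hotmail", r"messenger\.msn\.com"]
MY_DENY = [r"advertising\.com", r"/ads/", r"/ads\.", r"webtrendslive\.com"]
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}

def url_regex(patterns):
    # url_regex -i: case-insensitive, matches anywhere in the URL
    compiled = [re.compile(p, re.I) for p in patterns]
    return lambda req: any(c.search(req["url"]) for c in compiled)

def src(cidr):
    net = ip_network(cidr)
    return lambda req: ip_address(req["src"]) in net

ACLS = {
    "all": src("0.0.0.0/0"),
    "localhost": src("127.0.0.1/32"),
    "intranet": src("10.0.0.0/8"),
    # proto cache_object, approximated here by the URL scheme (assumption)
    "manager": lambda r: r["url"].startswith("cache_object://"),
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] in (443, 563),
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "myAllow": url_regex(MY_ALLOW),
    "myDeny": url_regex(MY_DENY),
}

# http_access lines from the post, in order, without the directive name.
RULES = """allow manager localhost
deny manager
deny !Safe_ports
deny CONNECT !SSL_ports
allow myAllow all
deny myDeny all
allow localhost
allow intranet
deny all""".splitlines()

def decide(url, src_ip="10.1.0.100", port=80, method="GET"):
    """Return (action, rule) for the first rule whose ACLs all match."""
    req = {"url": url, "src": src_ip, "port": port, "method": method}
    for rule in RULES:
        action, *names = rule.split()
        # ACLs on one line are ANDed; a leading "!" negates the ACL
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, rule
    return "deny", "(none)"  # not reached: "deny all" matches every request
```

With these rules a URL that matches both lists is decided by the earlier `allow myAllow all` line, so a request denied by this model but served by the proxy points at the running ACL state rather than at rule order.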
