[squid-users] External ACL allowing denied sites

From: Luiz Henrique Ozaki <luiz.ozaki@dont-contact.us>
Date: Wed, 5 Jul 2006 07:55:44 -0300

Hi,

Im using a home-made modification of dnsbl_redir for external_acl_type
instead of redirector.

In squid.conf:
external_acl_type dnsbl ttl=60 children=4 %DST %SRC %IDENT %METHOD
/usr/local/bin/dnsbl_redir
acl policy external dnsbl
http_access allow rede10 policy

Here goes the cache.log:
2006/07/05 07:04:05| aclMatchAcl: checking 'acl rede10 src 10.0.0.0/255.0.0.0'
2006/07/05 07:04:05| aclMatchIp: '10.9.0.10' found
2006/07/05 07:04:05| aclMatchAclList: checking policy
2006/07/05 07:04:05| aclMatchAcl: checking 'acl policy external dnsbl'
2006/07/05 07:04:05| aclMatchExternal: acl="dnsbl"
2006/07/05 07:04:05| external_acl_cache_lookup: 'www.brookeburn.com
10.9.0.10 - GET' = expired
2006/07/05 07:04:05| aclMatchExternal: dnsbl("www.brookeburn.com
10.9.0.10 - GET") = lookup needed
2006/07/05 07:04:05| aclMatchAclList: no match, returning 0
2006/07/05 07:04:05| externalAclLookup: lookup in 'dnsbl' for
'www.brookeburn.com 10.9.0.10 - GET'
2006/07/05 07:04:05| cbdataLock: 0x1b815ee8
2006/07/05 07:04:05| cbdataLock: 0xae278e8
2006/07/05 07:04:05| cbdataLock: 0x17ebe158
2006/07/05 07:04:05| cbdataValid: 0x17ebe158
2006/07/05 07:04:05| comm_write: FD 9: sz 35: hndl (nil): data (nil).
2006/07/05 07:04:05| commSetSelect: FD 9 type
2006/07/05 07:04:05| helperDispatch: Request sent to dnsbl #1, 35 bytes
2006/07/05 07:04:05| helperSubmit: www.brookeburn.com 10.9.0.10 - GET

2006/07/05 07:04:05| external_acl_cache_add: Adding
'www.brookeburn.com 10.9.0.10 - GET' = -1
2006/07/05 07:04:05| external_acl_cache_add: updating existing entry
2006/07/05 07:04:05| cbdataUnlock: 0xae278e8
2006/07/05 07:04:05| comm_close: FD 36
2006/07/05 07:04:05| cbdataFree: 0x842e918
2006/07/05 07:04:05| cbdataFree: 0x842e918 has 2 locks, not freeing
2006/07/05 07:04:05| cbdataUnlock: 0x842e918
2006/07/05 07:04:05| fd_close FD 36 ident
2006/07/05 07:04:05| cbdataUnlock: 0x842e918
2006/07/05 07:04:05| cbdataUnlock: Freeing 0x842e918
2006/07/05 07:04:05| comm_poll: 1+0 FDs ready
2006/07/05 07:04:05| comm_poll: FD 9 ready for writing
2006/07/05 07:04:05| commHandleWrite: FD 9: off 0, sz 35.
2006/07/05 07:04:05| commHandleWrite: write() returns 35
2006/07/05 07:04:05| comm_poll: 1+0 FDs ready
2006/07/05 07:04:05| comm_poll: FD 9 ready for reading
2006/07/05 07:04:05| cbdataValid: 0x823aa18
2006/07/05 07:04:05| helperHandleRead: 3 bytes from dnsbl #1.
2006/07/05 07:04:05| commSetSelect: FD 9 type 1
2006/07/05 07:04:05| helperHandleRead: end of reply found
2006/07/05 07:04:05| cbdataValid: 0x17ebe158
2006/07/05 07:04:05| externalAclHandleReply: reply="OK"
2006/07/05 07:04:05| cbdataValid: 0x1b815ee8
2006/07/05 07:04:05| external_acl_cache_add: Adding
'www.brookeburn.com 10.9.0.10 - GET' = 1
2006/07/05 07:04:05| external_acl_cache_add: updating existing entry
2006/07/05 07:04:05| cbdataUnlock: 0x1b815ee8
2006/07/05 07:04:05| cbdataValid: 0xae278e8
2006/07/05 07:04:05| cbdataLock: 0x103951a0
2006/07/05 07:04:05| cbdataValid: 0x821fde0
2006/07/05 07:04:05| aclCheck: checking 'http_access allow rede10 policy'
2006/07/05 07:04:05| aclMatchAclList: checking rede10
2006/07/05 07:04:05| aclMatchAcl: checking 'acl rede10 src 10.0.0.0/255.0.0.0'
2006/07/05 07:04:05| aclMatchIp: '10.9.0.10' found
2006/07/05 07:04:05| aclMatchAclList: checking policy
2006/07/05 07:04:05| aclMatchAcl: checking 'acl policy external dnsbl'
2006/07/05 07:04:05| aclMatchExternal: acl="dnsbl"
2006/07/05 07:04:05| cbdataValid: 0x103951a0
2006/07/05 07:04:05| cbdataUnlock: 0x103951a0
2006/07/05 07:04:05| aclMatchExternal: dnsbl = 1
2006/07/05 07:04:05| aclMatchAclList: returning 1
2006/07/05 07:04:05| aclCheck: match found, returning 1
2006/07/05 07:04:05| cbdataUnlock: 0x821fde0
2006/07/05 07:04:05| aclCheckCallback: answer=1
2006/07/05 07:04:05| cbdataValid: 0xcd0c160
2006/07/05 07:04:05| The request GET http://www.brookeburn.com/ is
ALLOWED, because it matched 'policy'

Resuming, externalAclHandleReply: reply="OK". But when i do:
echo "www.brookeburn.com 10.9.0.10 - GET" | /usr/local/bin/dnsbl_redir
ERR

This site should be denied... What it should be ??
It was working but now started allowing denied sites... uptime is 5
days, i think restarting the server or squid should resolve the
problem... But id like to know what it would be causing this issue.

Regards,

-- 
[]'s
Luiz Henrique Ozaki
Received on Wed Jul 05 2006 - 04:55:46 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Aug 01 2006 - 12:00:01 MDT