On Sun, 11 Oct 2009 13:36:24 +0100, Gavin McCullagh <gavin.mccullagh_at_gcd.ie> wrote:
> Hi,
>
> just a further question on this.
>
> On Sun, 11 Oct 2009, Amos Jeffries wrote:
>
>>> acl accommclients_old src 10.2.0.0/16
>>> acl accommclients src 172.17.0.0/20
>>> acl studentclients src 172.18.0.0/16
>>> acl studentwificlients src 172.19.0.0/23
>>> acl summerschoolclients src 172.19.4.0/24
>
>>> delay_access 1 allow accommclients accommclients_old studentclients
>>> studentwificlients
>>
>> See
>> http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes
>>
>> The YOU/ME example mistake is exactly the one you have made above.
>
> I feel pretty stupid falling on such a bog standard mistake and I'm
> annoyed at myself that it has been in place for some months now.
>
> It strikes me that, in this case, the mistake led to an internally
> contradictory (multiple times over!!) config. It couldn't possibly have
> been correct. Would it be practical for squid to give a warning in this
> instance?
>
> I'm not saying squid should necessarily molly-coddle its users, but if it
> weren't difficult to do perhaps it would lead to a greater degree of
> people spotting their own mistakes early (before they use it for months
> thinking it's working or give up confused or ask the mailing list).
> Compilers, for example, do a certain amount of this kind of thing which
> often prevents bugs in code.
>
> Just looking at the FAQ page it might be nice to warn on:
>
> - An _access combination of ACLs which cannot match anything (eg colour
>   is black and colour is white)
> - An _access which comes after one which is more general than it (eg
>   allow all red colours; deny pink)
> - Possibly suggest use of src instead of srcdomain (though this is
>   probably not wrong in some instances)
>
> though there are probably others.
>
> Perhaps this has been suggested before or perhaps there are good reasons
> not to do it? Perhaps it's already there and I haven't spotted it?
>
> Gavin
The only reason it's not done so far is that no one has been bothered to make
Squid barf on such things. It doesn't help that some people want Squid to
run silently on defaults despite admin screwed configs. So squid needs to
barf loudly and keep going anyway with some workaround action.

I'm slowly making Squid-3 validate and complain about bad config. Any help
welcome, either coding or pointers at things like this that could be
checked.

The bad ones that are still present are mostly comparisons of separate but
linked settings (the access line ME/YOU problem is a perfect example).

There is a third-party validator that will scan ACL and access lines for
this type of mistake. (Sorry I've misplaced my reference link for that.)

Amos
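Gavin's first suggested warning (an _access line whose ANDed ACLs can never all match) is straightforward to check for src ACLs, since two CIDR ranges that do not overlap cannot both contain the same client address. The following is an added example, not code from the thread or from Squid itself; it parses a constructed squid.conf fragment that reproduces the delay_access line above, with a single-ACL line added as the corrected form. It only understands `acl NAME src` and `*_access ... allow|deny ACL...` lines.

```python
import ipaddress
import itertools

# Constructed sample: the four src ACLs on line 6 are ANDed by Squid, and their
# ranges are disjoint, so that line can never match. Line 7 is the corrected form
# (one ACL per line; alternatively one acl listing all ranges).
SAMPLE_CONF = """\
acl accommclients_old src 10.2.0.0/16
acl accommclients src 172.17.0.0/20
acl studentclients src 172.18.0.0/16
acl studentwificlients src 172.19.0.0/23
acl summerschoolclients src 172.19.4.0/24
delay_access 1 allow accommclients accommclients_old studentclients studentwificlients
delay_access 1 allow summerschoolclients
"""


def parse_src_acls(conf):
    """Map ACL name -> list of networks for 'acl NAME src ...' lines; other ACL types are ignored."""
    acls = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
    return acls


def _disjoint(nets_a, nets_b):
    """True when no network of one ACL overlaps any network of the other."""
    return not any(x.overlaps(y) for x in nets_a for y in nets_b)


def unsatisfiable_access_lines(conf):
    """Return (line_no, line) for *_access lines that AND two disjoint src ACLs.

    Negated ACLs ('!name') and non-src ACLs are skipped: they do not create
    the contradiction this check looks for.
    """
    acls = parse_src_acls(conf)
    findings = []
    for no, line in enumerate(conf.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or not parts[0].endswith("_access"):
            continue
        # 'http_access allow A B' and 'delay_access 1 allow A B': names follow allow/deny
        idx = next((i for i, p in enumerate(parts) if p in ("allow", "deny")), None)
        if idx is None:
            continue
        names = [p for p in parts[idx + 1:] if not p.startswith("!") and p in acls]
        if any(_disjoint(acls[a], acls[b]) for a, b in itertools.combinations(names, 2)):
            findings.append((no, line))
    return findings
```

Running `unsatisfiable_access_lines(SAMPLE_CONF)` reports only line 6; the second, more general FAQ mistake (a later rule shadowed by an earlier, broader one) would need a separate ordering check.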
Received on Sun Oct 11 2009 - 23:09:13 MDT