Re: [squid-users] Problem excluding single client from redirector program

From: Philipp Herz - Profihost AG <p.herz_at_profihost.ag>
Date: Fri, 08 Oct 2010 09:52:31 +0200

> On 08/10/10 03:26, Philipp Herz - Profihost AG wrote:
>> Hello everybody,
>>
>> actually I'm trying to migrate a Squid/SquidGuard setup from Squid
>> (3.0.STABLE19) to Squid (3.1.3).
>>
>> The problem is that I am not able to exclude a single client identified
>> by its IP or MAC address from being processed by SquidGuard as the
>> redirector.
>>
>> acl my_net src 192.168.0.0/16
>> acl c_by_IP src 192.168.0.99
>> acl c_by_MAC arp aa:bb:cc:dd:ee:ff
>>
>> http_access allow my_net
>> http_access deny all
>>
>> redirector_access deny c_by_IP
>> redirector_access deny c_by_MAC
>>
>> # url_rewrite_access deny c_by_IP
>> # url_rewrite_access deny c_by_MAC
>>
>> url_rewrite_program /usr/bin/squidGuard
>> url_rewrite_children 5
>>
>> None of the attempts above are working for Squid (3.1.3). Using
>> directive "redirector_access deny" with Squid (3.0.STABLE19) works as
>> expected.
>>
>> So, could you please give me any hints on how to get this thing working
>> or is there any known bug or limitation why it's not working with 3.1.3?
>>
>> Thanks - philipp
>
> Nothing comes to mind. IP should be working even if ARP fails.
>
> NP: "url_rewrite_access" is the correct config out of those attempts and
> is identical in meaning for all Squid since redirector_access was
> deprecated by 2.5.
>
> Firstly check the order of url_rewrite_access lines (*all of them*).
> First match wins.
>
> Then try tracing the access control tests in cache.log with:
> debug_options 28,3 61,5
>
> If that does not show the problem up try with the latest Squid-3.1 code.
>
>
> Amos

Hi Amos,

Thanks for your information. I have tested it again with "debug_options"
set. From the output it seems to me that there must be something
absolutely wrong with the IP/MAC based ACL.

As I understand it, cache.log shows that the client is identified by its
IP address, then checked against "http_access" and granted by the "my_NET"
match. When it comes to "checking url_rewrite_access" aclIpMatchIp does
not know the IP anymore - therefore comparison fails - no match.

And yes, I have double-checked the IP address of my client and the ACL.

So if you have any ideas/suggestions what to check, I would appreciate it.

Thanks again - philipp

Here is the complete snippet from cache.log:

2010/10/08 08:47:39.260| ACLChecklist::preCheck: 0x8fede08 checking 'http_access allow my_NET'
2010/10/08 08:47:39.260| ACLList::matches: checking my_NET
2010/10/08 08:47:39.260| ACL::checklistMatches: checking 'my_NET'
2010/10/08 08:47:39.260| aclIpMatchIp: '192.168.1.193:4587' found
2010/10/08 08:47:39.260| ACL::ChecklistMatches: result for 'my_NET' is 1
2010/10/08 08:47:39.260| aclmatchAclList: 0x8fede08 returning true (AND list satisfied)
2010/10/08 08:47:39.260| ACLChecklist::markFinished: 0x8fede08 checklist processing finished
2010/10/08 08:47:39.260| ACLChecklist::check: 0x8fede08 match found, calling back with 1
2010/10/08 08:47:39.261| ACLChecklist::checkCallback: 0x8fede08 answer=1
2010/10/08 08:47:39.261| ACLChecklist::preCheck: 0x8fede08 checking 'adaptation_access service_req allow all'
2010/10/08 08:47:39.261| ACLList::matches: checking all
2010/10/08 08:47:39.261| ACL::checklistMatches: checking 'all'
2010/10/08 08:47:39.261| aclIpMatchIp: '192.168.1.193:4587' found
2010/10/08 08:47:39.261| ACL::ChecklistMatches: result for 'all' is 1
2010/10/08 08:47:39.261| aclmatchAclList: 0x8fede08 returning true (AND list satisfied)
2010/10/08 08:47:39.261| ACLChecklist::markFinished: 0x8fede08 checklist processing finished
2010/10/08 08:47:39.261| ACLChecklist::check: 0x8fede08 match found, calling back with 1
2010/10/08 08:47:39.261| ACLChecklist::checkCallback: 0x8fede08 answer=1
2010/10/08 08:47:39.261| ACLChecklist::preCheck: 0x8fede08 checking 'url_rewrite_access deny c_by_IP'
2010/10/08 08:47:39.261| ACLList::matches: checking c_by_IP
2010/10/08 08:47:39.261| ACL::checklistMatches: checking 'c_by_IP'
2010/10/08 08:47:39.261| aclIpMatchIp: '[::]' NOT found
2010/10/08 08:47:39.261| ACL::ChecklistMatches: result for 'c_by_IP' is 0
2010/10/08 08:47:39.261| aclmatchAclList: 0x8fede08 returning false (AND list entry failed to match)
2010/10/08 08:47:39.261| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2010/10/08 08:47:39.261| ACLChecklist::preCheck: 0x8fede08 checking 'url_rewrite_access deny c_by_MAC'
2010/10/08 08:47:39.261| ACLList::matches: checking c_by_MAC
2010/10/08 08:47:39.261| ACL::checklistMatches: checking 'c_by_MAC'
2010/10/08 08:47:39.261| aclMatchArp: [::] NOT found
2010/10/08 08:47:39.262| ACL::ChecklistMatches: result for 'c_by_MAC' is 0
2010/10/08 08:47:39.262| aclmatchAclList: 0x8fede08 returning false (AND list entry failed to match)
2010/10/08 08:47:39.262| aclmatchAclList: async=0 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2010/10/08 08:47:39.262| ACLChecklist::preCheck: 0x8fede08 checking 'url_rewrite_access allow all'
2010/10/08 08:47:39.262| ACLList::matches: checking all
2010/10/08 08:47:39.262| ACL::checklistMatches: checking 'all'
2010/10/08 08:47:39.262| aclIpMatchIp: '[::]' found
2010/10/08 08:47:39.262| ACL::ChecklistMatches: result for 'all' is 1
2010/10/08 08:47:39.262| aclmatchAclList: 0x8fede08 returning true (AND list satisfied)
2010/10/08 08:47:39.262| ACLChecklist::markFinished: 0x8fede08 checklist processing finished
2010/10/08 08:47:39.262| ACLChecklist::check: 0x8fede08 match found, calling back with 1
2010/10/08 08:47:39.262| ACLChecklist::checkCallback: 0x8fede08 answer=1
2010/10/08 08:47:39.262| redirectStart: 'http://www.ard.de/'
Received on Fri Oct 08 2010 - 07:52:37 MDT
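
An added example (not part of the original message and not Squid code): a small Python parser for a `debug_options 28,3` trace like the one in this message. It reports every rule that was evaluated against an unspecified client address after the same checklist had already matched a real one, which is the symptom described above. The function names are hypothetical and the sample is an excerpt of the posted log.

```python
import ipaddress
import re

# Constructed excerpt of the trace in this message; a rule name may wrap to the next line.
SAMPLE_LOG = """\
2010/10/08 08:47:39.260| ACLChecklist::preCheck: 0x8fede08 checking
'http_access allow my_NET'
2010/10/08 08:47:39.260| aclIpMatchIp: '192.168.1.193:4587' found
2010/10/08 08:47:39.261| ACLChecklist::preCheck: 0x8fede08 checking
'url_rewrite_access deny c_by_IP'
2010/10/08 08:47:39.261| aclIpMatchIp: '[::]' NOT found
2010/10/08 08:47:39.261| ACLChecklist::preCheck: 0x8fede08 checking
'url_rewrite_access deny c_by_MAC'
2010/10/08 08:47:39.261| aclMatchArp: [::] NOT found
2010/10/08 08:47:39.262| ACLChecklist::preCheck: 0x8fede08 checking
'url_rewrite_access allow all'
2010/10/08 08:47:39.262| aclIpMatchIp: '[::]' found
"""

# Either a "preCheck" line naming the rule, or an address comparison result.
EVENT = re.compile(
    r"ACLChecklist::preCheck: (?P<cl>0x[0-9a-f]+) checking\s+'(?P<rule>[^']+)'"
    r"|(?:aclIpMatchIp|aclMatchArp): '?(?P<addr>[^'\s]+)'? (?P<res>NOT found|found)")

def host_of(addr):
    """Drop brackets and port: '192.168.1.193:4587' or '[::]' -> host part."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr

def trace(text):
    """Return (checklist, rule, host, matched) for each address comparison."""
    rows, checklist, rule = [], None, None
    for m in EVENT.finditer(text):
        if m["rule"]:
            checklist, rule = m["cl"], m["rule"]
        else:
            rows.append((checklist, rule, host_of(m["addr"]), m["res"] == "found"))
    return rows

def lost_source(rows):
    """Rules checked against an unspecified address after a real one was seen."""
    seen, flagged = set(), []
    for checklist, rule, host, _ in rows:
        if ipaddress.ip_address(host).is_unspecified:
            if checklist in seen:
                flagged.append(rule)
        else:
            seen.add(checklist)
    return flagged
```

Note that `url_rewrite_access allow all` is also flagged: `all` matches the unspecified address, so the request still reaches the rewriter.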