Re: [squid-users] acl which matches unresolvable domain?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 02 Feb 2011 01:56:37 +1300

On 02/02/11 00:26, Peter Warasin wrote:
> Hi squids
>
> Anyone ready to help me? I have quite a funny problem.
>
> I have a more or less complex configuration, so I cut it down to the
> interesting part.
>
> Basically it is a sandwich configuration
> squid -> content filters -> squid
> which normally is working well.
>
> However, if you try to access an *inexistent* domain, squid is not
> returning the appropriate ERR_DNS_FAIL message, but ERR_ACCESS_DENIED,
> which of course is confusing users.
>
> I narrowed the problem down by debugging squid and actually found the
> problem.
>
> Here is the interesting part of my configuration:
>
> ---------------------->8------------------------------------------------
> acl from_all src 0.0.0.0/0.0.0.0
> acl to_all dst 0.0.0.0/0.0.0.0
>
> # http access to squid
> http_access allow from_localhost
> [...]
> http_access allow from_all to_all within_timeframe_rule1
> http_access deny from_all
>
> (http_reply_access is similar and does not cause the access denied)
> ---------------------->8------------------------------------------------
>
> I found out that my
>
> http_access allow from_all to_all within_timeframe_rule1
>
> is not matching in this case, because the domain resolving did not
> return an IP address. So the request is still the domain name and Squid
> is comparing the domain name with 0/0, which will not match.

What version of Squid is this? The dst ACL has been long fixed not to
use strings at all but to test the numeric values and return fail on
unresolvables without any comparisons happening.

>
> Ok, so I tried to solve it by adding these rules:
>
> acl to_alldomain dstdom_regex .*
> http_access allow from_all within_timeframe_rule1 to_alldomain
>
>
> This actually is working, but it seems quite an overhead to me.

Yes it does seem overly complex. Let's look at the parts...

  * from_all ... if the request comes from a machine with an IPv4
address (0.0.0.0 'self' included).

Since the only way to reach Squid is via IP transport...
  In all Squid older than 3.1 this equates to "true".
  In 3.1 the ACL should be defined "src ipv4" and thinking of it as
"all" the network is wrong.

  * to_alldomain ... if true: every request will match this, so you will
get the same behaviour by removing it entirely.

>
> Is there no better solution for this?
> Something like an acl which matches not-resolved? Or something like a
> value of "none" or "no-ip" for "dst"?
>
> Anyone with a similar issue and a better solution?
>

The ! operator.

As to_all matches a set of domains, !to_all will match the others.

The big question begging to be answered is why you have the horribly
redundant line in the first place?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
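The ruleset as Amos suggests simplifying it, written out as an added example (not from the original thread). The definitions of from_localhost and the time ACL are assumptions, since the thread never shows them; the point is that the always-true to_alldomain ACL goes away and !to_all picks out the requests whose name did not resolve, so they reach forwarding and get ERR_DNS_FAIL rather than the catch-all ERR_ACCESS_DENIED.

```conf
# Constructed example. from_localhost and within_timeframe_rule1 are
# assumed definitions; the thread only shows their names.
acl from_localhost src 127.0.0.1/32
acl within_timeframe_rule1 time MTWHF 08:00-18:00
# A dst ACL tests resolved addresses only; a name that does not resolve
# fails it without any comparison, so !to_all matches exactly those requests.
acl to_all dst 0.0.0.0/0.0.0.0
# Always true for any IPv4 client (Amos: use "src ipv4" on 3.1), so it is
# only useful as the final catch-all, never as a condition on an allow line.
acl from_all src 0.0.0.0/0.0.0.0

http_access allow from_localhost
# Unresolvable destinations: let them through to forwarding, where Squid
# answers with ERR_DNS_FAIL itself instead of the deny below.
http_access allow !to_all
# The original "allow from_all to_all within_timeframe_rule1" reduces to this:
# from_all is always true, and to_all only removed the unresolvable names.
http_access allow within_timeframe_rule1
http_access deny from_all
```

Note that the `allow !to_all` line forwards any request whose lookup failed at check time, so place it below every deny rule that must hold regardless of whether the name resolves.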
Received on Tue Feb 01 2011 - 12:56:42 MST
