Re: [squid-users] Why doesn't REQUEST_HEADER_ACCESS work properly with aclnames?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 21 Apr 2011 00:26:01 +1200

On 19/04/11 17:53, Jenny Lee wrote:
>
>
>
>> To: squid-users_at_squid-cache.org
>> Date: Tue, 19 Apr 2011 14:36:31 +1200
>> From: squid3_at_treenet.co.nz
>> Subject: RE: [squid-users] Why doesn't REQUEST_HEADER_ACCESS work properly with aclnames?
>>
>> On Mon, 18 Apr 2011 19:15:53 +0000, Jenny Lee wrote:
>>>>> What is the definition of OFFICE ?
>>>>> request_header_access are fast ACL which will not wait for
>>>> unavailable
>>>>> details to be fetched.
>>>>
>>>> Ah! proxy_auth :)
>>>>
>>>> Jenny
>>>
>>>
>>> acl OFFICE src 2.2.2.2
>>>
>>> request_header_access User-Agent allow OFFICE
>>> request_header_access User-Agent deny all
>>> header_replace User-Agent BOGUS AGENT
>>>
>>>
>>> This works as expected when going direct.
>>>
>>> However, if there is a cache_peer, still the UA is replaced.
>>> Cache_peer logs show connection is coming with the replaced UA
>>> (cache_peer does not modify UA in its config).
>>>
>>> I must be missing something.
>>
>> Header mangling is done before forwarding. Regardless of where it is
>> forwarded to. So there is no peer information available at that time.
>>
>> Also, "src" matches the website IP address(es). The public website IPs
>> will not change because you have a cache_peer configured.
>>
>> Amos
>
> Hello Amos,
>
> You handle 500 users here alone. Must be a tiring day. I am matching my IP with "src".

So it was, topping of the month so far. :(

>
> Regardless, it doesn't work as expected when there is a peer forwarding.
>

With a slightly clearer head :) the idea I was working off was that
OFFICE / "src" will have the same result whether it is going down a peer
or direct.

Reality after looking at the code:
   Mangling is done after peer selection right at the last milli-second
before sending the headers down the wire. It is done on all HTTP
requests including CONNECT tunnels when they are relayed.

  Peering info *is* available. But "src" ACL does not check for that
property.

If you have 3.1 I think you want to add a "peername" ACL like so:

  acl peerX peername X
  request_header_access User-Agent allow OFFICE !peerX
  ...

Oh and "header_replace" is now "request_header_replace" in 3.1.12 or later.

> Are there any debug options I must use and watch out for?

There is no "must" involved, but if you want to watch them...

   debug_options 11,6

The relevant line starts with "httpSendRequest: FD" followed by the full
HTTP request headers passed on.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Wed Apr 20 2011 - 12:26:06 MDT
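A squid.conf fragment assembling the advice from this thread into one place (an added example, not Amos's or Jenny's own configuration); the peer host peer.example.net and its name=upstream label are placeholders:

```conf
# Added example: a Squid 3.1-style fragment putting the thread's pieces together.
# Placeholders (assumed, not from the thread): peer.example.net, peer name "upstream".

# The upstream peer; "name=" gives the peername ACL something to match on.
cache_peer peer.example.net parent 3128 0 no-query name=upstream

# Client source address. "src" only checks where the request came from,
# not where Squid decided to forward it, so on its own it cannot tell
# peer-bound requests from direct ones.
acl OFFICE src 2.2.2.2

# Peer selection has already happened by the time headers are mangled,
# so a peername ACL can be combined with OFFICE as suggested above.
acl peerUpstream peername upstream

# Fast ACLs only: request_header_access will not wait for lookups such as
# proxy_auth, so keep the terms to things already known at this point.
request_header_access User-Agent allow OFFICE !peerUpstream
request_header_access User-Agent deny all

# header_replace was renamed request_header_replace in 3.1.12 and later.
request_header_replace User-Agent BOGUS AGENT

# Show the exact headers handed to the next hop: look for lines starting
# with "httpSendRequest: FD" in cache.log.
debug_options ALL,1 11,6
```

Check the "httpSendRequest: FD" output for a request from 2.2.2.2 sent via the peer and one sent direct to confirm which User-Agent each hop actually received.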
