Re: [squid-users] Time based ACLs not affecting all traffic

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 08 Feb 2012 12:10:00 +1300

On 08.02.2012 05:00, Stephen McGuinness wrote:
> I am trying to force the users behind my proxy to be forced into a
> human interaction based ACL at a certain time every night. I have it
> working
> pretty well, but there is still traffic that is not getting filtered
> by that ACL.
>
> From what I can figure out so far, if connections are active before
> the time ACL kicks in,

Hold up. Idea Correction:

1) ACLs do not "kick in", they are simple trilean true/false/dunno
states. Like Schroedinger's cat, they may be any one of those states at
any time, but unless they are checked you can't tell. *_access is where
those checks happen...

2) *_access lines do "kick in" at certain pre-defined points in the
transaction *process*. Completely unrelated to timing or other
dimensions.

These two properties are at the core of the time and quota "problems".

... to be continued ...

> some are forced to the ACL that requires
> human interaction, but not for all content. It seems that traffic
> making it through has a mime type of application/javascript or
> application/json, or no specified mime-type at all. It could be
> something else, but from what I can get out of the logs, that's all I
> can figure.

Time ACL only checks the Squid machine clock against the value in
squid.conf. Traffic types etc are not relevant.

This sounds like you have some other ACL matching mime types, query
strings, path regex, or similar and permitting them before the time is
checked.
Hard to tell without seeing your full access control config.

>
> Sadly there's so much traffic going through the proxy, I can't turn on
> the debug
> logging to see which ACL might be letting them through, but the
> requests are
> showing in the logs, which makes me think it's going through the
> ACLs.

Worst case you can toggle debug on very briefly for an already running
Squid (i.e. some few hundred ms) using the "squid -k debug" command twice
in a row. cache.log will fill with the trace between when the on/off
signals were received.

>
> Does anyone know how to reset all the connections without having to
> restart the service, or something else more drastic like messing with
> the system firewall via a script?

It is not supported at this time in Squid.

I have one project looking for a sponsor or developer to do it though,
hint, hint.

Amos
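As an added example that is not part of this thread or of Squid itself, the following Python model shows why the ordering of *_access lines decides whether the time ACL is ever consulted: lines are evaluated in order, the first line whose ACL matches wins, and a line that allows JS/JSON paths placed before the nightly rule lets those requests through untouched. The ACL names, the 22:00-06:00 window and the path pattern are assumptions for illustration; "deny" stands in for whatever the nightly rule actually does.

```python
import re
from datetime import time

# Simplified model of Squid's ordered *_access evaluation (illustrative, not
# Squid's code). Each line is (action, acl_name). The first line whose ACL
# matches decides the outcome; if no line matches, the default is the
# opposite of the last line's action, as in Squid.

def acl_time_nightly(req):
    # "time" ACL: compares only the proxy's clock against the configured
    # window. Traffic type, MIME type and URL play no part in it.
    clock = req["clock"]
    return clock >= time(22, 0) or clock < time(6, 0)

JS_JSON_PATH = re.compile(r"\.(js|json)(\?.*)?$")

def acl_urlpath_js_json(req):
    # "urlpath_regex"-style ACL matching the kinds of requests the original
    # poster saw slipping through (assumed pattern).
    return JS_JSON_PATH.search(req["path"]) is not None

ACLS = {"nightly": acl_time_nightly, "api_paths": acl_urlpath_js_json}

def evaluate(access_lines, req):
    """Return 'allow' or 'deny' for req under the given ordered lines."""
    for action, acl_name in access_lines:
        if ACLS[acl_name](req):
            return action
    last_action = access_lines[-1][0]
    return "deny" if last_action == "allow" else "allow"

# Ordering that reproduces the symptom: the path-based allow is checked
# before the time-based rule, so JS/JSON fetched at night is permitted.
LEAKY = [("allow", "api_paths"), ("deny", "nightly")]

# Corrected ordering: the time-based rule is the first line consulted.
FIXED = [("deny", "nightly"), ("allow", "api_paths")]

def night_json_request():
    # Constructed sample request made during the nightly window.
    return {"clock": time(23, 30), "path": "/api/data.json"}

def day_json_request():
    # Constructed sample request made during the day.
    return {"clock": time(12, 0), "path": "/static/app.js"}

if __name__ == "__main__":
    for name, lines in (("leaky", LEAKY), ("fixed", FIXED)):
        print(name, "night:", evaluate(lines, night_json_request()),
              "day:", evaluate(lines, day_json_request()))
```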
Received on Tue Feb 07 2012 - 23:10:08 MST
