Re: [squid-users] whitelisted IP problem

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 20 Mar 2012 11:20:56 +0200

On 20/03/2012 07:53, Vijay wrote:
> 2012/03/20 10:14:23.889| aclCheckFast: list: 0x175c860
> 2012/03/20 10:14:23.889| ACLChecklist::preCheck: 0xbfccd8b4 checking
> 'ident_lookup_access deny all'
> 2012/03/20 10:14:23.889| ACLList::matches: checking all
> 2012/03/20 10:14:23.889| ACL::checklistMatches: checking 'all'
> 2012/03/20 10:14:23.889| aclIpAddrNetworkCompare: compare:
> 122.166.1.184:48347/[::] ([::]:48347) vs [::]-[::]/[::]
> 2012/03/20 10:14:23.890| aclIpMatchIp: '122.166.1.184:48347' found
> 2012/03/20 10:14:23.890| ACL::ChecklistMatches: result for 'all' is 1
> 2012/03/20 10:14:23.890| ACLList::matches: result is true
> 2012/03/20 10:14:23.890| aclmatchAclList: 0xbfccd8b4 returning true (AND
> list satisfied)
> 2012/03/20 10:14:23.890| ACLChecklist::markFinished: 0xbfccd8b4 checklist
> processing finished
> 2012/03/20 10:14:23.890| FilledChecklist.cc(168) ~ACLFilledChecklist:
> ACLFilledChecklist destroyed 0xbfccd8b4
> 2012/03/20 10:14:23.890| ACLChecklist::~ACLChecklist: destroyed 0xbfccd8b4

I'm trying again to understand, and if your http_access wasn't changed, this
line here is the beginning of the ACL check for the client.
It starts with manager = 127.0.0.1
> 2012/03/20 10:14:23.890| ACLChecklist::preCheck: 0x19f0128 checking
> 'http_access allow manager localhost server'
> 2012/03/20 10:14:23.890| ACLList::matches: checking manager
> 2012/03/20 10:14:23.890| ACL::checklistMatches: checking 'manager'
> 2012/03/20 10:14:23.890| ACL::ChecklistMatches: result for 'manager' is 0
> 2012/03/20 10:14:23.890| ACLList::matches: result is false
Conclusion: not from 127.0.0.1 means another IP, so moving to the next
http_access rule to check if there is an allow to accomplish there.
> 2012/03/20 10:14:23.890| aclmatchAclList: 0x19f0128 returning false (AND
> list entry failed to match)
> 2012/03/20 10:14:23.890| aclmatchAclList: async=0 nodeMatched=0
> async_in_progress=0 lastACLResult() = 0 finished() = 0
Starting the "don't allow manager" rule.
> 2012/03/20 10:14:23.890| ACLChecklist::preCheck: 0x19f0128 checking
> 'http_access deny manager'
> 2012/03/20 10:14:23.890| ACLList::matches: checking manager
> 2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'manager'
> 2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'manager' is 0
> 2012/03/20 10:14:23.891| ACLList::matches: result is false
It's not manager, so moving on to the next rule.
> 2012/03/20 10:14:23.891| aclmatchAclList: 0x19f0128 returning false (AND
> list entry failed to match)
> 2012/03/20 10:14:23.891| aclmatchAclList: async=0 nodeMatched=0
> async_in_progress=0 lastACLResult() = 0 finished() = 0
Moving to the next, which means don't allow any ports other than the
list of safe ones, "443, 80, etc."
> 2012/03/20 10:14:23.891| ACLChecklist::preCheck: 0x19f0128 checking
> 'http_access deny !Safe_ports'
> 2012/03/20 10:14:23.891| ACLList::matches: checking !Safe_ports
> 2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'Safe_ports'
> 2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'Safe_ports' is 1
> 2012/03/20 10:14:23.891| ACLList::matches: result is false
It's not matching "not safe ports" because it's port 80.
> 2012/03/20 10:14:23.891| aclmatchAclList: 0x19f0128 returning false (AND
> list entry failed to match)
> 2012/03/20 10:14:23.891| aclmatchAclList: async=0 nodeMatched=0
> async_in_progress=0 lastACLResult() = 0 finished() = 0
The next rule will be trying the CONNECT method on not-SSL ports (443).
> 2012/03/20 10:14:23.891| ACLChecklist::preCheck: 0x19f0128 checking
> 'http_access deny CONNECT !SSL_ports'
> 2012/03/20 10:14:23.891| ACLList::matches: checking CONNECT
> 2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'CONNECT'
> 2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'CONNECT' is 1
> 2012/03/20 10:14:23.891| ACLList::matches: result is true
And you <<< do try to use SSL >>> (why?)
squid client won't use CONNECT... SSL... which means, I suppose, you are using
the wrong code to get the site content.

> 2012/03/20 10:14:23.891| ACLList::matches: checking !SSL_ports
> 2012/03/20 10:14:23.891| ACL::checklistMatches: checking 'SSL_ports'
> 2012/03/20 10:14:23.892| ACL::ChecklistMatches: result for 'SSL_ports' is 0
> 2012/03/20 10:14:23.892| ACLList::matches: result is true
Conclusion: you are trying to use CONNECT to a not-SSL port, so...
> 2012/03/20 10:14:23.892| aclmatchAclList: 0x19f0128 returning true (AND list
> satisfied)
Squid finds you answering the http_access ACL and will deny the connection,
which means you didn't add the ACLs and http_access rule I sent you.

Look at what I sent you and try again after.

Regards,
Eliezer
> 2012/03/20 10:14:23.892| ACLChecklist::markFinished: 0x19f0128 checklist
> processing finished
> 2012/03/20 10:14:23.892| ACLChecklist::check: 0x19f0128 match found, calling
> back with 0
> 2012/03/20 10:14:23.892| ACLFilledChecklist::checkCallback: 0x19f0128
> answer=0
> 2012/03/20 10:14:23.892| ACLChecklist::checkCallback: 0x19f0128 answer=0
> 2012/03/20 10:14:23.892| aclIsProxyAuth: called for SSL_ports
> 2012/03/20 10:14:23.892| ACL::FindByName 'SSL_ports'
> 2012/03/20 10:14:23.892| aclIsProxyAuth: returning 0
> 2012/03/20 10:14:23.892| Gadgets.cc(57) aclGetDenyInfoPage: got called for
> SSL_ports
> 2012/03/20 10:14:23.892| aclGetDenyInfoPage: no match
> 2012/03/20 10:14:23.892| FilledChecklist.cc(168) ~ACLFilledChecklist:
> ACLFilledChecklist destroyed 0x19f0128
> 2012/03/20 10:14:23.892| ACLChecklist::~ACLChecklist: destroyed 0x19f0128
> 2012/03/20 10:14:23.893| FilledChecklist.cc(168) ~ACLFilledChecklist:
> ACLFilledChecklist destroyed 0x19f0128
> 2012/03/20 10:14:23.893| ACLChecklist::~ACLChecklist: destroyed 0x19f0128
> 2012/03/20 10:14:23.893| ConnStateData::swanSong: FD 11
>
>
>
> Thanks & Regards
> Vijay

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
elilezer <at> ngtech.co.il
Received on Tue Mar 20 2012 - 09:21:10 MDT
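
The rule-by-rule reading of the ACL debug output in the message above can be automated. The following Python script is an added example, not part of the original message and not Squid project code: it parses the debug lines and reports which `http_access` rule decided the request. The function names are hypothetical, the sample is an excerpt of the quoted log with the mail line wraps rejoined, and it assumes the records of one request are not interleaved with another's.

```python
import re

# Excerpt of the debug log quoted in the message above, with the mail
# client's line wraps rejoined so that each record is on one line.
SAMPLE_LOG = """\
2012/03/20 10:14:23.889| ACLChecklist::preCheck: 0xbfccd8b4 checking 'ident_lookup_access deny all'
2012/03/20 10:14:23.890| ACL::ChecklistMatches: result for 'all' is 1
2012/03/20 10:14:23.890| aclmatchAclList: 0xbfccd8b4 returning true (AND list satisfied)
2012/03/20 10:14:23.890| ACLChecklist::preCheck: 0x19f0128 checking 'http_access allow manager localhost server'
2012/03/20 10:14:23.890| ACL::ChecklistMatches: result for 'manager' is 0
2012/03/20 10:14:23.890| aclmatchAclList: 0x19f0128 returning false (AND list entry failed to match)
2012/03/20 10:14:23.891| ACLChecklist::preCheck: 0x19f0128 checking 'http_access deny !Safe_ports'
2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2012/03/20 10:14:23.891| aclmatchAclList: 0x19f0128 returning false (AND list entry failed to match)
2012/03/20 10:14:23.891| ACLChecklist::preCheck: 0x19f0128 checking 'http_access deny CONNECT !SSL_ports'
2012/03/20 10:14:23.891| ACL::ChecklistMatches: result for 'CONNECT' is 1
2012/03/20 10:14:23.892| ACL::ChecklistMatches: result for 'SSL_ports' is 0
2012/03/20 10:14:23.892| aclmatchAclList: 0x19f0128 returning true (AND list satisfied)
2012/03/20 10:14:23.892| ACLChecklist::checkCallback: 0x19f0128 answer=0
"""

RE_RULE = re.compile(r"preCheck: (0x[0-9a-f]+) checking '(\w+) (allow|deny) (.+)'")
RE_ACL = re.compile(r"ChecklistMatches: result for '([^']+)' is ([01])")
RE_LIST = re.compile(r"aclmatchAclList: (0x[0-9a-f]+) returning (true|false)")

def trace(log):
    """Return one dict per rule evaluated, in log order (hypothetical helper)."""
    rules, cur = [], None
    for line in log.splitlines():
        if m := RE_RULE.search(line):
            cur = {"checklist": m[1], "directive": m[2], "action": m[3],
                   "acls": m[4], "results": {}, "matched": None}
            rules.append(cur)
        elif cur and (m := RE_ACL.search(line)):
            cur["results"][m[1]] = int(m[2])   # raw ACL result, before any '!'
        elif cur and (m := RE_LIST.search(line)) and m[1] == cur["checklist"]:
            cur["matched"] = m[2] == "true"    # whole AND list satisfied?
    return rules

def verdict(log, directive="http_access"):
    """The first rule of `directive` whose AND list was satisfied decides."""
    for r in trace(log):
        if r["directive"] == directive and r["matched"]:
            return r["action"], r["acls"], r["results"]
    return None

if __name__ == "__main__":
    print(verdict(SAMPLE_LOG))
```
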
