Re: [squid-users] Logging ACL name with requests

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 03 Apr 2012 12:41:10 +1200

On 03.04.2012 12:02, Will Roberts wrote:
> Hi,
>
> I'm trying to log the name of the ACL that allowed/denied access for
> a particular request. I have a patch that seems to work fine on all
> my machines except one. On that one machine it'll work fine for
> several hours, but then begins logging other garbage; sometimes parts
> of URLs, other times it's just random bytes. I think my patch is
> correct and this machine has a problem, but I'd appreciate it if
> someone could take a look.
>
> My real goal is to associate a username with requests that are
> allowed based on a whitelisted IP. I had originally done this using
> an external acl helper, but found that it was too slow and would
> cause connections to randomly fail. So instead I now generate a .conf
> file that is included with my main squid config which looks like this:
>
> acl foo src 10.3.4.0/24
> acl foo src 10.4.5.0/24
> http_access allow foo

At this point "foo=true" allowed it.

>
> acl bar src 120.3.4.0/24
> acl bar src 120.4.5.0/24
> http_access allow bar

At this point the ACL "foo=false and bar=true" allowed it.

Implicit default rule: http_access deny all

At this point the ACL "foo=false and bar=false and src-IP" denied it.

>
> hence why I'm then trying to log the name of the ACL that allowed the
> connection. If there's a different way of doing that I'm open to
> suggestions.
>
> Here's the patch, I allowed the ACL to be accessible via its own
> token or to replace the user one if the user is null.

What you are logging is the last ACL tested. In the case of default
rules, they do not get tested as matches, so the deny line there above
will deny with ACL name "bar".

The whole config file line being matched would be a better thing to log
if you can find it.

PS. Patches to squid-dev please so they can be audited.

Amos
Received on Tue Apr 03 2012 - 00:41:13 MDT
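
Added example (not part of the original thread and not Squid's code): a simplified Python model of first-match http_access evaluation over the config quoted above. It shows why the last ACL tested reads "bar" for a request the implicit default denies, while the matched line identifies the rule that actually decided. The function names and client addresses are assumptions; only src ACLs without negation are modelled.

```python
import ipaddress

# Constructed config, mirroring the generated include quoted in the thread.
CONFIG = """\
acl foo src 10.3.4.0/24
acl foo src 10.4.5.0/24
http_access allow foo
acl bar src 120.3.4.0/24
acl bar src 120.4.5.0/24
http_access allow bar
"""

def parse(config):
    """Return (acls, rules): ACL name -> networks, and ordered http_access lines."""
    acls, rules = {}, []
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "acl" and parts[2] == "src":
            # Repeated lines with the same ACL name accumulate values (OR).
            acls.setdefault(parts[1], []).append(ipaddress.ip_network(parts[3]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:], line))
    return acls, rules

def evaluate(config, client_ip):
    """First-match evaluation; returns (action, last_acl_tested, matched_line)."""
    acls, rules = parse(config)
    ip = ipaddress.ip_address(client_ip)
    last_tested = None
    for action, names, line in rules:
        matched = True
        for name in names:  # ACLs listed on one http_access line are ANDed
            last_tested = name
            if not any(ip in net for net in acls[name]):
                matched = False
                break
        if matched:
            return action, last_tested, line
    # No line matched: the implicit default is the opposite of the last line.
    default = "deny" if rules[-1][0] == "allow" else "allow"
    return default, last_tested, f"http_access {default} all (implicit default)"

if __name__ == "__main__":
    for addr in ("10.4.5.9", "120.3.4.7", "192.0.2.1"):  # constructed clients
        print(addr, evaluate(CONFIG, addr))
```

For the third client the log would attribute a deny to "bar" if only the last tested ACL name were recorded, which is the ambiguity the reply points out.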
