Re: [squid-users] Migration from Squid 2 to 3: ACLs no longer accepting duplicates

From: Derek Simon <dsimon_at_dmlaw.com>
Date: Thu, 30 Aug 2012 15:49:40 -0400

Amos,

Ah, I see. Squid 2.x wasn't checking for unreachable entries in the
splay tree, yes? And now 3.x is? Apparently my proxy hasn't been all
that secure for the last bit here now, haha... :-)

I went ahead and wrote a Python script that sanitizes the lists I use.
It runs through the file and removes all subdomains where a parent
domain is already present. I guess I'll have to add in a duplicate
checker as well, seeing as I don't know if/when that patch will hit the
3.1 (Ubuntu 12.04) branch.

Thanks for the clarification, Amos.

______________________________
Derek Simon
IT Support
d'Oliveira & Associates, P.C.
401-431-1990

On 8/29/2012 11:43 PM, Amos Jeffries wrote:
> On 30.08.2012 09:13, Derek Simon wrote:
>> Nichols,
>>
>> It appears that I need to preprocess the lists before handing them to
>> Squid, removing all subdomains where the parent domain is present.
>>
>> I don't see anything special about your configuration that would
>> somehow remedy this issue. Perhaps your lists are sanitized?
>>
>>
>> On 8/29/2012 7:37 AM, mrnicholsb wrote:
>>> Hello, I use squid 3.1 to block with acl, porn sites, malicious sites
>>> and ads.
>>>
>>> I can tell you the WARNING: you should remove basically means you have
>>> subdomains added to your list
>>> when you have somesite.something.com it leaves something.com accessible,
>>> you want to remove somesite.something.com and just let it block
>>> something.com to block the entire site, including subdomains, unless you
>>> are just wanting to block a sub but not the whole domain, then just
>>> ignore the error.
>
> Sub-domains only match when the wildcard syntax ('.' prefix) is used.
> These warnings and errors do not appear unless there are two overlapping
> ranges of possible match.
>
>
> The "WARNING" lines are okay, the list needs sanitizing to speed up the
> loading process, but Squid is able to drop the useless entries.
>
> The "ERROR" lines are not, the overlapping ranges are loaded in the
> wrong order from the input. You want to block *.example.com, but Squid
> loaded "www.example.com" or "example.com" earlier so it cannot add an
> overlapping wildcard for that domain (splay algorithm inserts it at a
> branch in the tree which will never be checked).
>
>
> In squid-3 we updated the cases to report properly which type of match
> was happening and error on that broken case where run-time behaviour is
> so very different from expected behaviour. But we appear to have also added
> errors on the case where exact duplicates exist. Please try the patch at
> http://treenet.co.nz/projects/squid/patches/dstdomain_ACL_duplicates_mk1.patch,
> it should reduce them to warnings and drop them out of sight as well.
>
>
>>>
>>> btw, here's the syntax of how I do it on my squid 3.1 for addressing your
>>> bungled line error.
>>>
>>> acl blacklist dstdomain "/etc/squid3/squid-block.acl"
>>> acl ipblacklist dst "/etc/squid3/squid-ipblock.acl"
>>> acl zeusblacklist dstdomain "/etc/squid3/squid-block-zeus.acl"
>>>
>>> and then
>>>
>>> http_access deny zeusblacklist
>>> http_access deny blacklist
>>> http_access deny ipblacklist
>>>
>>> I hope this helps you solve your issues.
>>>
>>>
>>> fix nichols
>>>
>>> haxradio.com
>>>
>>> On 08/28/2012 02:53 PM, Derek Simon wrote:
>>>> Hi all,
>>>>
>>>> I am migrating a Squid 2.7 server to Squid 3.1.
>>>>
>>>> In 2.7 I was using the Shallalists without issue, after prefixing each
>>>> line with a period, as prescribed:
>>>> http://www.shallalist.de/faq.html#squid
>>>>
>>>> I would reference them in squid.conf as such:
>>>> acl SL_Adv dstdomain "adv/domains.squid"
>>>>
>>>> I more or less copied these ACL lines from the 2.7 conf to the 3.1 and
>>>> I get the following errors when reparsing:
>>>>
>>>> Processing: acl SL_Adv dstdomain
>>>> "/etc/squid3/lists/shallalist/adv/domains.squid"
>>>> WARNING: You should remove '.addesktop.com' from the ACL named 'SL_Adv'
>>>> WARNING: You should remove '.addesktop.com' from the ACL named 'SL_Adv'
>>>> ERROR: You should remove '.ads360.com' from the ACL named 'SL_Adv'
>>>> FATAL: Bungled squid.conf line 732: acl SL_Adv dstdomain
>>>> "/etc/squid3/lists/shallalist/adv/domains.squid"
>>>> Squid Cache (Version 3.1.19): Terminated abnormally.
>>>>
>>>> What gives? I used to get the warnings in 2.7, and I understand the
>>>> splay tree performance issue, but why is this now fatal behavior in
>>>> 3.1?
>>>>
>>>> Thanks,
>>>> ______________________________
>>>> Derek Simon
>>>> IT Support
>>>> d'Oliveira & Associates, P.C.
>>>> 401-431-1990
>>>>
>>>>
>>>>
>>>>
>>>
>
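The sanitizer Derek describes (drop sub-domain entries that a parent entry already covers, plus an exact-duplicate check) can be written as a short pre-processing step. The script below is an added example for this thread, not Derek's own script and not Squid project code. It assumes the dstdomain matching rules Amos describes above: a bare name such as `example.com` matches only that exact host, while a leading-dot name such as `.example.com` is a wildcard that also matches every sub-domain, so only wildcard entries can make other entries redundant. The sample list is constructed to reproduce the two cases from the thread (an exact duplicate, which squid-3 reports as WARNING, and an exact host loaded before an overlapping wildcard, which it reports as ERROR).

```python
#!/usr/bin/env python3
"""Sanitize a Squid dstdomain list before handing it to squid.conf.

Added example for the squid-users thread above; not Derek's script and
not Squid code.  Assumed matching rules (per Amos's explanation):
  - "example.com"  matches only that exact host name
  - ".example.com" is a wildcard: matches example.com and all subdomains
An entry is redundant when an identical entry already appeared, or when
a wildcard entry elsewhere in the file already covers it.
"""
import sys


def normalize(raw):
    """Return (is_wildcard, bare_name) for one list line, or None for a
    blank or comment line.  Case and a trailing dot are ignored."""
    line = raw.split('#', 1)[0].strip().lower().rstrip('.')
    if not line:
        return None
    if line.startswith('.'):
        return True, line.lstrip('.')
    return False, line


def covered_by(name, wildcards, proper_only=False):
    """Return the broadest wildcard bare name in `wildcards` that covers
    `name`, or None.  A wildcard m covers n when n == m or n ends with
    '.' + m.  With proper_only=True the name itself is not considered,
    which is what a wildcard entry needs when checking its own ancestors."""
    labels = name.split('.')
    lowest = 1 if proper_only else 0
    # Walk from the top-level ancestor downwards: "c", "b.c", "a.b.c"
    for i in range(len(labels) - 1, lowest - 1, -1):
        ancestor = '.'.join(labels[i:])
        if ancestor in wildcards:
            return ancestor
    return None


def sanitize(lines):
    """Return (kept, dropped): kept is the de-duplicated list in Squid
    syntax (original order), dropped is a list of (entry, reason)."""
    entries = [e for e in (normalize(l) for l in lines) if e is not None]
    wildcards = {name for is_wild, name in entries if is_wild}
    kept, dropped, seen = [], [], set()
    for is_wild, name in entries:
        text = ('.' if is_wild else '') + name
        if text in seen:
            dropped.append((text, 'duplicate'))
            continue
        seen.add(text)
        parent = covered_by(name, wildcards, proper_only=is_wild)
        if parent is not None:
            dropped.append((text, 'covered by .' + parent))
            continue
        kept.append(text)
    return kept, dropped


# Constructed sample list reproducing the cases from the thread.
SAMPLE = [
    '.addesktop.com',
    '.addesktop.com',       # exact duplicate -> WARNING in squid-3
    'www.ads360.com',       # exact host loaded before its wildcard ...
    '.ads360.com',          # ... the ERROR case Amos describes
    'tracker.ads360.com',   # covered by .ads360.com
    '.cdn.ads360.com',      # narrower wildcard, also covered
    'example.net',          # exact only: covers no subdomains
    'www.example.net',      # so this one is NOT redundant
    '# comment line',
]


def main(argv):
    if len(argv) != 2:
        sys.stderr.write('usage: sanitize_dstdomain.py <domains.squid>\n')
        return 2
    with open(argv[1]) as f:
        kept, dropped = sanitize(f)
    for text, reason in dropped:
        sys.stderr.write('dropping %s (%s)\n' % (text, reason))
    sys.stdout.write('\n'.join(kept) + ('\n' if kept else ''))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it as `sanitize_dstdomain.py adv/domains.squid > adv/domains.clean` and point the `acl ... dstdomain` line at the cleaned file; the reasons written to stderr let you confirm that every dropped line is either a duplicate or shadowed by a wildcard, so nothing the list was meant to block disappears.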
Received on Thu Aug 30 2012 - 19:49:41 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 31 2012 - 12:00:06 MDT