Re: [squid-users] X-Forwarded-For and cache_peer_access from Michael Graham on 2013-07-16 (squid-users)

From: Michael Graham <mgraham_at_bloxx.com>
Date: Tue, 16 Jul 2013 09:31:31 -0400

On Tue, 2013-07-16 at 23:30 +1200, Amos Jeffries wrote:
> Does the X-Forwarded-For header actually contain an IP from the
> 172.21.120.0/24 subnet (and not some IPv6 address from that subnets
> IPv6 ranges).

Yeah it seems to be:

GET http://www.google.com/ HTTP/1.1
Accept: */*
Host: www.google.com
User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7
OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Via: 1.1 cake-icap (squid/3.3.6)
X-Forwarded-For: 172.21.120.23
Cache-Control: max-age=259200
Connection: keep-alive

> Also, re-check this after fixing the follow_x_forwarded_for trust
> ACLs. That may be affecting the results.

I've went back to the original lines:

acl localsrc src 127.0.0.1
follow_x_forwarded_for allow localsrc

Here is the output from debug_options ALL,1 17,9 28,9 when I make a
request:

2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches:
checking forwardTrafficSubnet1
2013/07/16 14:27:53.773 kid1| Acl.cc(326) checklistMatches:
ACL::checklistMatches: checking 'forwardTrafficSubnet1'
2013/07/16 14:27:53.773 kid1| Ip.cc(134) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
172.21.120.23/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (172.21.120.0)
vs 172.21.120.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp:
'172.21.120.23' found
2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches:
ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
2013/07/16 14:27:53.773 kid1| Acl.cc(349) matches: forwardTrafficSubnet1
matched.
2013/07/16 14:27:53.773 kid1| Acl.cc(363) matches: forwardTrafficSubnet1
result is true
2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8
matched=1 async=0 finished=0
2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8
success: all ACLs matched
2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8
answer DENIED for first matching rule won
2013/07/16 14:27:53.773 kid1| Checklist.cc(88) matchNonBlocking:
ACLChecklist::check: 0x1d8afd8 match found, calling back with DENIED

I don't know why is says that the rule matched but that it is returning
DENIED.

Cheers,

-- 
Michael Graham <mgraham_at_bloxx.com>

Received on Tue Jul 16 2013 - 13:31:53 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 17 2013 - 12:00:19 MDT