Re: [squid-users] Unable to block CONNECT

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Tue, 17 Jul 2001 09:15:22 +1000 (EST)

Hi,

Everything looks like it should work. Can you set debug_options to 28,9
and send the debug output from cache.log? I have essentially the same setup
as you do and when I try

        telnet localhost 3128
        CONNECT somehost:80 HTTP/1.0

        [note the extra newline here]

I get:

2001/07/17 08:49:34| aclCheckFast: list: 0x81c75d0
2001/07/17 08:49:34| aclMatchAclList: checking all
2001/07/17 08:49:34| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2001/07/17 08:49:34| aclMatchIp: '127.0.0.1' found
2001/07/17 08:49:34| aclMatchAclList: returning 1
2001/07/17 08:49:45| aclCheck: checking 'http_access allow manager localhost'
2001/07/17 08:49:45| aclMatchAclList: checking manager
2001/07/17 08:49:45| aclMatchAcl: checking 'acl manager proto cache_object'
2001/07/17 08:49:45| aclMatchAclList: returning 0
2001/07/17 08:49:45| aclCheck: checking 'http_access deny manager'
2001/07/17 08:49:45| aclMatchAclList: checking manager
2001/07/17 08:49:45| aclMatchAcl: checking 'acl manager proto cache_object'
2001/07/17 08:49:45| aclMatchAclList: returning 0
2001/07/17 08:49:45| aclCheck: checking 'http_access deny !Safe_ports'
2001/07/17 08:49:45| aclMatchAclList: checking !Safe_ports
2001/07/17 08:49:45| aclMatchAcl: checking 'acl Safe_ports port 80 81 21 443 563 70 210 1025-65535'
2001/07/17 08:49:45| aclMatchAclList: returning 0
2001/07/17 08:49:45| aclCheck: checking 'http_access deny CONNECT !SSL_ports'
2001/07/17 08:49:45| aclMatchAclList: checking CONNECT
2001/07/17 08:49:45| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2001/07/17 08:49:45| aclMatchAclList: checking !SSL_ports
2001/07/17 08:49:45| aclMatchAcl: checking 'acl SSL_ports port 443 563 8082'
2001/07/17 08:49:45| aclMatchAclList: returning 1
2001/07/17 08:49:45| aclCheck: match found, returning 0
2001/07/17 08:49:45| aclCheckCallback: answer=0

which clearly shows "http_access deny CONNECT !SSL_ports" doing its job.

Colin
Received on Mon Jul 16 2001 - 17:15:48 MDT
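
The trace quoted in the message above can be read mechanically. The following is an added example, not part of the original post or of Squid: it walks a `debug_options 28,9` excerpt and reports which `http_access` rule decided the request. The function name is hypothetical, and treating `answer=0` as a denial is an assumption that follows the post's own reading of the trace.

```python
import re

# Excerpt of the cache.log trace quoted in the message above (ACL section 28, level 9).
SAMPLE = """\
2001/07/17 08:49:45| aclCheck: checking 'http_access allow manager localhost'
2001/07/17 08:49:45| aclMatchAclList: returning 0
2001/07/17 08:49:45| aclCheck: checking 'http_access deny manager'
2001/07/17 08:49:45| aclMatchAclList: returning 0
2001/07/17 08:49:45| aclCheck: checking 'http_access deny !Safe_ports'
2001/07/17 08:49:45| aclMatchAclList: returning 0
2001/07/17 08:49:45| aclCheck: checking 'http_access deny CONNECT !SSL_ports'
2001/07/17 08:49:45| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2001/07/17 08:49:45| aclMatchAclList: returning 1
2001/07/17 08:49:45| aclCheck: match found, returning 0
2001/07/17 08:49:45| aclCheckCallback: answer=0
"""

# Only "aclCheck:" lines name whole http_access rules; "aclMatchAcl:" lines
# name the individual acl definitions and are deliberately not matched here.
CHECK = re.compile(r"\| aclCheck: checking '(?P<rule>[^']+)'")
MATCH = re.compile(r"\| aclCheck: match found, returning \d")
ANSWER = re.compile(r"\| aclCheckCallback: answer=(?P<ans>\d)")


def http_access_decisions(log_text):
    """Return one dict per completed access check found in the trace."""
    decisions, evaluated, deciding = [], [], None
    for line in log_text.splitlines():
        if m := CHECK.search(line):
            evaluated.append(m["rule"])          # rules are tried top to bottom
        elif MATCH.search(line):
            # The rule that matched is the last one Squid started checking.
            deciding = evaluated[-1] if evaluated else None
        elif m := ANSWER.search(line):
            decisions.append({
                "evaluated": evaluated,
                "deciding_rule": deciding,       # None if no match line was seen
                "allowed": m["ans"] == "1",      # assumption: 0 = denied, 1 = allowed
            })
            evaluated, deciding = [], None       # reset for the next request
    return decisions


if __name__ == "__main__":
    for d in http_access_decisions(SAMPLE):
        verdict = "ALLOWED" if d["allowed"] else "DENIED"
        print(f"{verdict} by: {d['deciding_rule']} (after {len(d['evaluated'])} rules)")
```

Running it over a full cache.log shows, per request, whether the CONNECT restriction or an earlier rule produced the verdict, which is the comparison the message asks for.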
