Hmm.. what is your positive_dns_ttl setting? (default is 6 hours)

The fact that you get ERR_FORWARDING_DENIED suggests you are using
miss_access.. any specific reason for this? miss_access is a little picky
about what types of ACLs you use and is not particularly fond of dst or
other ACLs that may require external lookups..

miss_access is only supposed to be used when you have cache peers that
are only allowed to use you as a sibling and not as a parent, so it is
kind of assumed that only src ACL types will be used in miss_access. All
your proxy clients should be given miss_access.

miss_access is not a knob one normally uses for controlling access to
the proxy, that's the job of http_access.

Regards
Henrik Nordström
Squid Hacker

Shilov Ilya wrote:
> HN> That ACL lookup is deferred, waiting for a DNS lookup to complete. If
> HN> you look a little further down you will find the same aclMatchAcl call
> HN> again, this time continuing.
>
> I see such aclMatchAcl call slightly up, and lookup was successful.
>
> 2001/12/05 17:38:57| aclCheck: checking 'http_access allow dst_free_extra'
> 2001/12/05 17:38:57| aclMatchAclList: checking dst_free_extra
> 2001/12/05 17:38:57| aclMatchAcl: checking 'acl dst_free_extra dst "/chroot/squid/etc/acls/dst_free_extra"'
> 2001/12/05 17:38:57| aclMatchIp: '217.14.192.22' found
> 2001/12/05 17:38:57| aclMatchAclList: returning 1
> 2001/12/05 17:38:57| aclCheck: match found, returning 1
> [skip]
> 2001/12/05 17:38:58| aclMatchAclList: checking dst_free_extra
> 2001/12/05 17:38:58| aclMatchAcl: checking 'acl dst_free_extra dst "/chroot/squid/etc/acls/dst_free_extra"'
> 2001/12/05 17:38:58| aclMatchAcl: Can't yet compare 'dst_free_extra' ACL for 'mail.izh.com'
> 2001/12/05 17:38:58| aclMatchAclList: returning 0
> 2001/12/05 17:38:58| aclMatchAclList: checking dst_free_extra
> 2001/12/05 17:38:58| aclMatchAcl: checking 'acl dst_free_extra dst "/chroot/squid/etc/acls/dst_free_extra"'
> 2001/12/05 17:38:58| aclMatchIp: '255.255.255.255' NOT found
> 2001/12/05 17:38:58| aclMatchAclList: returning 0
>
> Full log of this query can also be posted.
>
> And as a result I got "ERR_FORWARDING_DENIED" page...
> When I check manually I see TARGET_IP must be in dst_free_extra ACL!!!
> But it is "NOT found".
> That is the problem...
>
> Squid is configured with no --disable_internal_dns option.
> Then linked statically.
> And started in chrooted environment (/chroot/squid/bin/squid -f /chroot/squid/etc/squid.conf -D).
>
> Thanks.
Received on Fri Dec 07 2001 - 16:36:26 MST
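
The deferred-lookup pattern in the quoted debug log, as an added example that is not part of the original messages or of Squid: a small Python scanner that flags ACL checks which were deferred ("Can't yet compare") and then evaluated against 255.255.255.255, as in the log quoted above. The sample log, ACL name, file path, host and the function name `find_unresolved_checks` are constructed for illustration.

```python
import re

# Constructed sample in the debug-log format quoted above (not real data).
SAMPLE_LOG = """\
2001/12/05 17:38:57| aclMatchAcl: checking 'acl dst_ok dst "/etc/squid/dst_ok"'
2001/12/05 17:38:57| aclMatchIp: '192.0.2.10' found
2001/12/05 17:38:57| aclMatchAclList: returning 1
2001/12/05 17:38:58| aclMatchAcl: checking 'acl dst_ok dst "/etc/squid/dst_ok"'
2001/12/05 17:38:58| aclMatchAcl: Can't yet compare 'dst_ok' ACL for 'host.example.com'
2001/12/05 17:38:58| aclMatchAclList: returning 0
2001/12/05 17:38:58| aclMatchAcl: checking 'acl dst_ok dst "/etc/squid/dst_ok"'
2001/12/05 17:38:58| aclMatchIp: '255.255.255.255' NOT found
2001/12/05 17:38:58| aclMatchAclList: returning 0
"""

LINE = re.compile(r"^(\S+ \S+)\| (\w+): (.*)$")        # timestamp| function: message
CHECKING = re.compile(r"checking 'acl (\S+) (\S+) ")   # ACL name and type
DEFERRED = re.compile(r"Can't yet compare '(\S+)' ACL for '([^']+)'")
MATCH_IP = re.compile(r"'([\d.]+)' (found|NOT found)")
NO_ADDR = "255.255.255.255"


def find_unresolved_checks(log_text):
    """Return (timestamp, acl, host) for every ACL check that was deferred and
    then compared against 255.255.255.255 instead of a resolved address."""
    findings, pending, current_acl = [], {}, None
    for raw in log_text.splitlines():
        # Accept lines pasted from a quoted e-mail ("> " prefix) as well.
        m = LINE.match(raw.lstrip("> ").strip())
        if not m:
            continue
        ts, func, msg = m.groups()
        if func == "aclMatchAcl":
            checking, deferred = CHECKING.search(msg), DEFERRED.search(msg)
            if checking:
                current_acl = checking.group(1)
            elif deferred:
                pending[deferred.group(1)] = deferred.group(2)
        elif func == "aclMatchIp" and current_acl in pending:
            ip = MATCH_IP.search(msg)
            host = pending.pop(current_acl)  # the deferred check has now resumed
            if ip and ip.group(1) == NO_ADDR and ip.group(2) == "NOT found":
                findings.append((ts, current_acl, host))
    return findings


if __name__ == "__main__":
    for ts, acl, host in find_unresolved_checks(SAMPLE_LOG):
        print(f"{ts} ACL {acl}: lookup for {host} deferred, then compared against {NO_ADDR}")
```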