Re: [squid-users] acl which matches unresolvable domain?

From: Pandu Poluan <pandu_at_poluan.info>
Date: Tue, 1 Feb 2011 19:35:37 +0700

On Tue, Feb 1, 2011 at 18:26, Peter Warasin <peter_at_endian.com> wrote:
> Hi squids
>
> Anyone ready for helping me? Have a quite funny problem.
>
> I have a more or less complex configuration, so i cut it down to the
> interesting part.
>
> Basically it is a sandwich configuration
> squid -> content filters -> squid
> which normally is working well.
>
> However, if you try to access an *inexistent* domain, squid is not
> returning the appropriate ERR_DNS_FAIL message, but ERR_ACCESS_DENIED,
> which of course is confusing users.
>
> I narrowed the problem down by debugging squid and actually found the
> problem.
>
> Here is the interesting part of my configuration:
>
> ---------------------->8------------------------------------------------
> acl from_all                src 0.0.0.0/0.0.0.0
> acl to_all                  dst 0.0.0.0/0.0.0.0
>
> # http access to squid
> http_access allow   from_localhost
> [...]
> http_access allow from_all to_all within_timeframe_rule1
> http_access deny    from_all
>
> (http_reply_access is similar and does not cause the access denied)
> ---------------------->8------------------------------------------------
>
> I found out that my
>
> http_access allow from_all to_all within_timeframe_rule1
>
> is not matching in this case, because the domain resolving did not
> return an ip address. so the request is still the domain name and squid
> is comparing the domain name with 0/0, which will not match.
>
> Ok, so i tried to solve by adding these rules:
>
> acl to_alldomain                  dstdom_regex .*
> http_access allow from_all within_timeframe_rule1 to_alldomain
>
>
> This actually is working, but it seems quite an overhead to me.
>
> Is there no better solution for this?
> Something like an acl which matches not-resolved? Or something like a
> value of "none" or "no-ip" for "dst"?
>
> Anyone with a similar issue and a better solution?
>

Any reason for "from_all to_all"?

Why not just:

http_access allow within_timeframe_rule1

>
> Thanks in advance for suggestions
>
>
> peter
>
> --
> :: e n d i a n
> :: open source - open minds
>
> :: peter warasin
> :: http://www.endian.com   :: peter@endian.com
>

--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Received on Tue Feb 01 2011 - 12:35:46 MST
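The thread's diagnosis (a `dst` ACL compares an address, so it cannot match when the name never resolved, and the trailing `deny from_all` then fires) can be checked against a small model of Squid's `http_access` evaluation. The block below is an added example written for this page, not Squid's own code: it treats every ACL on a line as AND-ed, takes the first fully matching line, and falls back to the opposite of the last line's action when nothing matches. `within_timeframe_rule1` is assumed to be a `time`-style ACL and is replaced by a fixed hour window; the requests and addresses are constructed. The three rule sets are Peter's original configuration, his `dstdom_regex .*` workaround, and Pandu's simplified line.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed, simplified model of how Squid evaluates http_access lines
# (illustrative code, not Squid's implementation):
#   * every ACL named on a line must match (logical AND);
#   * the first line whose ACLs all match decides the request;
#   * if no line matches, the opposite of the last line's action applies.


class Request:
    """A proxied request as the ACL layer sees it."""

    def __init__(self, src: str, host: str, resolved_ip: Optional[str], hour: int):
        self.src = ipaddress.ip_address(src)
        self.host = host
        # None models a DNS failure: the request still carries only the hostname.
        self.resolved_ip = ipaddress.ip_address(resolved_ip) if resolved_ip else None
        self.hour = hour


Acl = Callable[[Request], bool]


def acl_src(cidr: str) -> Acl:
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda r: r.src in net


def acl_dst(cidr: str) -> Acl:
    # 'dst' compares an *address*. With no resolved address there is nothing
    # to test against 0.0.0.0/0.0.0.0, so the ACL does not match.
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda r: r.resolved_ip is not None and r.resolved_ip in net


def acl_dstdom_regex(pattern: str) -> Acl:
    # 'dstdom_regex' works on the hostname, which is present even when DNS failed.
    rx = re.compile(pattern)
    return lambda r: rx.search(r.host) is not None


def acl_time(start_hour: int, end_hour: int) -> Acl:
    # Assumed stand-in for the thread's within_timeframe_rule1 (a 'time' ACL).
    return lambda r: start_hour <= r.hour < end_hour


ACLS: Dict[str, Acl] = {
    "from_all": acl_src("0.0.0.0/0.0.0.0"),
    "to_all": acl_dst("0.0.0.0/0.0.0.0"),
    "to_alldomain": acl_dstdom_regex(".*"),
    "within_timeframe_rule1": acl_time(8, 18),
}

Rule = Tuple[str, List[str]]

CONFIGS: Dict[str, List[Rule]] = {
    # Peter's original rules: the allow line needs 'to_all' (a dst ACL) to match.
    "original": [
        ("allow", ["from_all", "to_all", "within_timeframe_rule1"]),
        ("deny", ["from_all"]),
    ],
    # His workaround: a domain-based ACL replaces the address-based one.
    "workaround": [
        ("allow", ["from_all", "within_timeframe_rule1", "to_alldomain"]),
        ("deny", ["from_all"]),
    ],
    # Pandu's suggestion: drop the always-true src/dst terms entirely.
    "simplified": [
        ("allow", ["within_timeframe_rule1"]),
        ("deny", ["from_all"]),
    ],
}


def evaluate(rules: List[Rule], req: Request) -> str:
    for action, names in rules:
        if all(ACLS[name](req) for name in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def outcome(config: str, req: Request) -> str:
    return evaluate(CONFIGS[config], req)


if __name__ == "__main__":
    # Constructed sample requests: one resolvable name, one that failed DNS.
    ok = Request("10.0.0.5", "example.com", "192.0.2.10", hour=10)
    nxdomain = Request("10.0.0.5", "no-such-host.invalid", None, hour=10)
    for name in CONFIGS:
        print(f"{name:11s} resolved={outcome(name, ok):5s} unresolved={outcome(name, nxdomain)}")
```

With the original rules the unresolved request is denied, which is the ERR_ACCESS_DENIED Peter saw; with either of the other two rule sets the allow line matches and the request proceeds to forwarding, where the DNS failure surfaces as ERR_DNS_FAIL. In all three the trailing `deny from_all` keeps the policy fail-closed outside the time window, so the simplification changes only the spurious denial, not the intended restriction.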
