Re: [squid-users] acl which matches unresolvable domain?

From: Peter Warasin <peter_at_endian.com>
Date: Tue, 01 Feb 2011 16:01:52 +0100

Hi Amos

Thank you for your help.
I removed the to_all and from_all as suggested by pandu; it's working.

On 02/01/2011 01:56 PM, Amos Jeffries wrote:
>> is not matching in this case, because the domain resolving did not
>> return an IP address. So the request is still the domain name and Squid
>> is comparing the domain name with 0/0, which will not match.
>
> What version of Squid is this? The dst ACL has long been fixed not to
> use strings at all but to test the numeric values and return fail on
> unresolvables without any comparisons happening.

The version is 2.6, right now (surely we will upgrade in future). Good to
know that this changes.

>> Ok, so I tried to solve it by adding these rules:
>> acl to_alldomain dstdom_regex .*
>> http_access allow from_all within_timeframe_rule1 to_alldomain
>> This actually is working, but it seems quite an overhead to me.
>
> Yes, it does seem overly complex. Let's look at the parts...
>
> * from_all ... if the request comes from a machine with an IPv4 address
> (0.0.0.0 'self' included).
>
> Since the only way to reach Squid is via IP transport...
> In all Squid older than 3.1 this equates to "true".
> In 3.1 the ACL should be defined "src ipv4", and thinking of it as "all
> the network" is wrong.

Thank you for this information. Much appreciated for when we upgrade. We
have to change a lot, I think.

> * to_alldomain ... if true. Every request will match this, so you will
> get the same behaviour by removing it entirely.

I did that now. It's working.

Thank you!

Peter

-- 
:: e n d i a n
:: open source - open minds
:: peter warasin
:: http://www.endian.com   :: peter@endian.com
Received on Tue Feb 01 2011 - 15:02:05 MST