ACL in custom error page

ACL in custom error page

Eduardo Carneiro
Hello everyone!

Is there any way to display, in my custom error pages, the acl that denied
access?


Eduardo Carneiro



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: ACL in custom error page

Amos Jeffries
Administrator
On 14/03/18 05:46, Eduardo Carneiro wrote:
> Hello everyone!
>
> Is there any way to display, in my custom error pages, the acl that denied
> access?

Two things:

 1) There is no single ACL that denied Access. There is always an entire
sequence of checks.

2) The error page template code has not yet been updated to support
generic logformat codes which do have a code for the last ACL that was
tested (note that this may have been the one which _allowed logging_).

Amos

Re: ACL in custom error page

Alex Rousskov
On 03/13/2018 06:08 PM, Amos Jeffries wrote:

> On 14/03/18 05:46, Eduardo Carneiro wrote:
>> Hello everyone!
>>
>> Is there any way to display, in my custom error pages, the acl that denied
>> access?
>
> Two things:
>
>  1) There is no single ACL that denied Access. There is always an entire
> sequence of checks.
>
> 2) The error page template code has not yet been updated to support
> generic logformat codes which do have a code for the last ACL that was
> tested (note that this may have been the one which _allowed logging_).

And two more:

3) We are working to support major logformat %codes in error pages. The
patches are going through internal review cycles right now.

4) In modern Squids, the best way to log access denial (and similar)
decisions is often via ACL-triggered annotations (rather than the old
"the last ACL touched by somebody" hack). See annotate_transaction in
squid.conf.documented. The corresponding %note logformat code should be
available in error page templates as the result of (3).


Cheers,

Alex.

Re: ACL in custom error page

Eliezer Croitoru
And another one:
5) If you are using a deny_info configuration for a specific ACL and you are redirecting to a URL instead of Squid's internal error page, you can add some query term that will be used as a marker for the ACL.

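Example of usage:
# ACL matching the blocked destination domain
acl blacklist-acl dstdomain block-test.org
# Redirect denied requests to the block page; "acl=" carries the ACL name as a marker
deny_info http://<SOME SERVER NAME OR IP>/block_page/?url=%u&domain=%H&acl=blacklist-acl blacklist-acl

acl localnet src 192.168.0.0/16

# Deny blacklisted destinations first, then allow the local network
http_access deny blacklist-acl
http_access allow localnet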

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]
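
Added example, not part of the message above and not Squid code: a minimal renderer for the block page that the deny_info URL in point 5 redirects to. It assumes the query parameters arrive percent-encoded and that the site keeps its own table of ACL markers (ACL_MESSAGES and render_block_page are hypothetical names); since anyone can request the block page directly, the acl marker is checked against that table and the url and domain values are HTML-escaped.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Assumption: the ACL markers this site uses in its deny_info URLs,
# mapped to the text shown to the user.
ACL_MESSAGES = {
    "blacklist-acl": "The destination is on the blocked-domain list.",
}

MAX_FIELD = 200  # cap echoed values so a long URL cannot bloat the page


def first(query: dict, name: str) -> str:
    """Return the first value of a query parameter, or an empty string."""
    return query.get(name, [""])[0][:MAX_FIELD]


def render_block_page(request_target: str) -> str:
    """Build the block page HTML from the redirect target Squid sent."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    acl = first(query, "acl")
    # Only markers we configured ourselves are displayed; anything else
    # (a typo, or a hand-crafted request) falls back to a generic reason.
    reason = ACL_MESSAGES.get(acl)
    if reason is None:
        acl, reason = "unknown", "Access was denied by proxy policy."
    # url and domain originate from the client's request, so they are
    # untrusted and must be escaped before being placed in HTML.
    url = html.escape(first(query, "url"))
    domain = html.escape(first(query, "domain"))
    return (
        "<!DOCTYPE html><html><body>"
        "<h1>Access denied</h1>"
        f"<p>{html.escape(reason)}</p>"
        f"<p>Rule: <code>{html.escape(acl)}</code></p>"
        f"<p>Requested URL: <code>{url}</code></p>"
        f"<p>Domain: <code>{domain}</code></p>"
        "</body></html>"
    )


# Constructed sample: a redirect target whose url parameter carries markup.
SAMPLE = ("/block_page/?url=http%3A%2F%2Fblock-test.org%2F%3Fq%3D"
          "%3Cscript%3Ealert(1)%3C%2Fscript%3E"
          "&domain=block-test.org&acl=blacklist-acl")

if __name__ == "__main__":
    print(render_block_page(SAMPLE))
```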

