ACL matches when it shouldn't

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

ACL matches when it shouldn't

Vieri
Hi,

I have a url_regex ACL loaded with this file:

https://drive.google.com/file/d/1C5aZqPfMD3qlVP8zvm67c9ZnXUfz-cEW/view?usp=sharing

Then I have an access denial like so:

http_access deny bad_dst_urls

Problem is that I am not expecting to block, eg. https://www.google.com, but I am.
I know it's this ACL because if I remove the htttp_access deny line above, the browser can access  just fine.

I've been  looking around this file for possible matches  for google.com, but there shouldn't be.

Can anyone please let me know if there's a match, or how to enable debugging  to see which record in this ACL is actually triggering the denial?

I'm trying with:
debug_options rotate=1 ALL,1 85,2 88,2

Then I grep the log for bad_dst_urls and DENIED, but I can't seem to find a clear match.

Regards,

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: ACL matches when it shouldn't

Amos Jeffries
Administrator
On 30/09/20 2:27 am, Vieri wrote:

> Hi,
>
> I have a url_regex ACL loaded with this file:
>
> https://drive.google.com/file/d/1C5aZqPfMD3qlVP8zvm67c9ZnXUfz-cEW/view?usp=sharing
>
> Then I have an access denial like so:
>
> http_access deny bad_dst_urls
>
> Problem is that I am not expecting to block, eg. https://www.google.com, but I am.
> I know it's this ACL because if I remove the htttp_access deny line above, the browser can access  just fine.
>
> I've been  looking around this file for possible matches  for google.com, but there shouldn't be.

None of the file entries are anchored regex. So any one of them could match.


>
> Can anyone please let me know if there's a match, or how to enable debugging  to see which record in this ACL is actually triggering the denial?

To do that we will need to see the complete and exact URL which is being
blocked incorrectly.


NP: a large number of that files entries can be far more efficiently
blocked using the dstdomain ACL type. For example:

  acl blacklist dstdomain .appspot.com


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users