How to use http_status acl?

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

How to use http_status acl?

Felipe Arturo Polanco
Hi,

I have been trying to match http_status acl in my squid.conf file but it has no effect.

My goal is to add a given header to specific HTTP return codes.

eg:
This works:
acl user1 src 192.168.0.6/32
reply_header_add Cache-Control "no-store" user1


This doesn't work:
acl 307_redirect http_status 307
reply_header_add Cache-Control "no-store" 307_redirect


Any ideas on what could I be missing here?

Thanks,

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: How to use http_status acl?

Alex Rousskov
On 11/5/19 3:06 PM, Felipe Arturo Polanco wrote:

> I have been trying to match http_status acl in my squid.conf file but it
> has no effect.
>
> My goal is to add a given header to specific HTTP return codes.
>
> eg:
> This works:
> acl user1 src 192.168.0.6/32 <http://192.168.0.6/32>
> reply_header_add Cache-Control "no-store" user1
>
> This doesn't work:
> acl 307_redirect http_status 307
> reply_header_add Cache-Control "no-store" 307_redirect
>
> Any ideas on what could I be missing here?

Does that 307 response come from a server (including cache_peers) or is
it generated by Squid itself?

Alex.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: How to use http_status acl?

Felipe Arturo Polanco
It comes from an Icap server but I tried 200 status code from the webserver directly and doesn't work either.

On Tue, Nov 5, 2019 at 4:43 PM Alex Rousskov <[hidden email]> wrote:
On 11/5/19 3:06 PM, Felipe Arturo Polanco wrote:

> I have been trying to match http_status acl in my squid.conf file but it
> has no effect.
>
> My goal is to add a given header to specific HTTP return codes.
>
> eg:
> This works:
> acl user1 src 192.168.0.6/32 <http://192.168.0.6/32>
> reply_header_add Cache-Control "no-store" user1
>
> This doesn't work:
> acl 307_redirect http_status 307
> reply_header_add Cache-Control "no-store" 307_redirect
>
> Any ideas on what could I be missing here?

Does that 307 response come from a server (including cache_peers) or is
it generated by Squid itself?

Alex.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: How to use http_status acl?

Alex Rousskov
On 11/5/19 4:23 PM, Felipe Arturo Polanco wrote:
> I tried 200 status code from the
> webserver directly and doesn't work either.

Sounds like a Squid bug to me then. If you can reproduce with Squid v4
or later, please consider filing a bug report in Squid bugzilla. Quality
fixes welcomed.

Alex.


> On Tue, Nov 5, 2019 at 4:43 PM Alex Rousskov wrote:
>
>     On 11/5/19 3:06 PM, Felipe Arturo Polanco wrote:
>
>     > I have been trying to match http_status acl in my squid.conf file
>     but it
>     > has no effect.
>     >
>     > My goal is to add a given header to specific HTTP return codes.
>     >
>     > eg:
>     > This works:
>     > acl user1 src 192.168.0.6/32 <http://192.168.0.6/32>
>     <http://192.168.0.6/32>
>     > reply_header_add Cache-Control "no-store" user1
>     >
>     > This doesn't work:
>     > acl 307_redirect http_status 307
>     > reply_header_add Cache-Control "no-store" 307_redirect
>     >
>     > Any ideas on what could I be missing here?
>
>     Does that 307 response come from a server (including cache_peers) or is
>     it generated by Squid itself?
>
>     Alex.
>     _______________________________________________
>     squid-users mailing list
>     [hidden email]
>     <mailto:[hidden email]>
>     http://lists.squid-cache.org/listinfo/squid-users
>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: How to use http_status acl?

Felipe Arturo Polanco
I have this warning in the logs:

WARNING: 307_redirect ACL is used in context without an HTTP response. Assuming mismatch.
Acl.cc(151) matches: checked: 307_redirect = 0

I also tested using rep_header ACL and that causes the same warning and defaulting to 0.

Do I need anything else to make reply access lists to work?

On Tue, Nov 5, 2019 at 6:01 PM Alex Rousskov <[hidden email]> wrote:
On 11/5/19 4:23 PM, Felipe Arturo Polanco wrote:
> I tried 200 status code from the
> webserver directly and doesn't work either.

Sounds like a Squid bug to me then. If you can reproduce with Squid v4
or later, please consider filing a bug report in Squid bugzilla. Quality
fixes welcomed.

Alex.


> On Tue, Nov 5, 2019 at 4:43 PM Alex Rousskov wrote:
>
>     On 11/5/19 3:06 PM, Felipe Arturo Polanco wrote:
>
>     > I have been trying to match http_status acl in my squid.conf file
>     but it
>     > has no effect.
>     >
>     > My goal is to add a given header to specific HTTP return codes.
>     >
>     > eg:
>     > This works:
>     > acl user1 src 192.168.0.6/32 <http://192.168.0.6/32>
>     <http://192.168.0.6/32>
>     > reply_header_add Cache-Control "no-store" user1
>     >
>     > This doesn't work:
>     > acl 307_redirect http_status 307
>     > reply_header_add Cache-Control "no-store" 307_redirect
>     >
>     > Any ideas on what could I be missing here?
>
>     Does that 307 response come from a server (including cache_peers) or is
>     it generated by Squid itself?
>
>     Alex.
>     _______________________________________________
>     squid-users mailing list
>     [hidden email]
>     <mailto:[hidden email]>
>     http://lists.squid-cache.org/listinfo/squid-users
>


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: How to use http_status acl?

Alex Rousskov
On 11/6/19 8:49 AM, Felipe Arturo Polanco wrote:

> I have this warning in the logs:
>
> WARNING: 307_redirect ACL is used in context without an HTTP response.
> Assuming mismatch.
> Acl.cc(151) matches: checked: 307_redirect = 0
>
> I also tested using rep_header ACL and that causes the same warning and
> defaulting to 0.
>
> Do I need anything else to make reply access lists to work?

What is your Squid version?

Alex.


> On Tue, Nov 5, 2019 at 6:01 PM Alex Rousskov wrote:
>
>     On 11/5/19 4:23 PM, Felipe Arturo Polanco wrote:
>     > I tried 200 status code from the
>     > webserver directly and doesn't work either.
>
>     Sounds like a Squid bug to me then. If you can reproduce with Squid v4
>     or later, please consider filing a bug report in Squid bugzilla. Quality
>     fixes welcomed.
>
>     Alex.
>
>
>     > On Tue, Nov 5, 2019 at 4:43 PM Alex Rousskov wrote:
>     >
>     >     On 11/5/19 3:06 PM, Felipe Arturo Polanco wrote:
>     >
>     >     > I have been trying to match http_status acl in my squid.conf
>     file
>     >     but it
>     >     > has no effect.
>     >     >
>     >     > My goal is to add a given header to specific HTTP return codes.
>     >     >
>     >     > eg:
>     >     > This works:
>     >     > acl user1 src 192.168.0.6/32 <http://192.168.0.6/32>
>     <http://192.168.0.6/32>
>     >     <http://192.168.0.6/32>
>     >     > reply_header_add Cache-Control "no-store" user1
>     >     >
>     >     > This doesn't work:
>     >     > acl 307_redirect http_status 307
>     >     > reply_header_add Cache-Control "no-store" 307_redirect
>     >     >
>     >     > Any ideas on what could I be missing here?
>     >
>     >     Does that 307 response come from a server (including
>     cache_peers) or is
>     >     it generated by Squid itself?
>     >
>     >     Alex.
>     >     _______________________________________________
>     >     squid-users mailing list
>     >     [hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email]
>     <mailto:[hidden email]>>
>     >     http://lists.squid-cache.org/listinfo/squid-users
>     >
>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: How to use http_status acl?

Felipe Arturo Polanco

On Wed, Nov 6, 2019 at 12:47 PM Alex Rousskov <[hidden email]> wrote:
On 11/6/19 8:49 AM, Felipe Arturo Polanco wrote:
> I have this warning in the logs:
>
> WARNING: 307_redirect ACL is used in context without an HTTP response.
> Assuming mismatch.
> Acl.cc(151) matches: checked: 307_redirect = 0
>
> I also tested using rep_header ACL and that causes the same warning and
> defaulting to 0.
>
> Do I need anything else to make reply access lists to work?

What is your Squid version?

Alex.


> On Tue, Nov 5, 2019 at 6:01 PM Alex Rousskov wrote:
>
>     On 11/5/19 4:23 PM, Felipe Arturo Polanco wrote:
>     > I tried 200 status code from the
>     > webserver directly and doesn't work either.
>
>     Sounds like a Squid bug to me then. If you can reproduce with Squid v4
>     or later, please consider filing a bug report in Squid bugzilla. Quality
>     fixes welcomed.
>
>     Alex.
>
>
>     > On Tue, Nov 5, 2019 at 4:43 PM Alex Rousskov wrote:
>     >
>     >     On 11/5/19 3:06 PM, Felipe Arturo Polanco wrote:
>     >
>     >     > I have been trying to match http_status acl in my squid.conf
>     file
>     >     but it
>     >     > has no effect.
>     >     >
>     >     > My goal is to add a given header to specific HTTP return codes.
>     >     >
>     >     > eg:
>     >     > This works:
>     >     > acl user1 src 192.168.0.6/32 <http://192.168.0.6/32>
>     <http://192.168.0.6/32>
>     >     <http://192.168.0.6/32>
>     >     > reply_header_add Cache-Control "no-store" user1
>     >     >
>     >     > This doesn't work:
>     >     > acl 307_redirect http_status 307
>     >     > reply_header_add Cache-Control "no-store" 307_redirect
>     >     >
>     >     > Any ideas on what could I be missing here?
>     >
>     >     Does that 307 response come from a server (including
>     cache_peers) or is
>     >     it generated by Squid itself?
>     >
>     >     Alex.
>     >     _______________________________________________
>     >     squid-users mailing list
>     >     [hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email]
>     <mailto:[hidden email]>>
>     >     http://lists.squid-cache.org/listinfo/squid-users
>     >
>


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: How to use http_status acl?

Alex Rousskov
On 11/6/19 1:03 PM, Felipe Arturo Polanco wrote:
> 4.7 from this branch:
> https://github.com/measurement-factory/squid/tree/SQUID-323-WebSocket-support  

It looks like you are hitting a bug that has not been fixed yet:
reply_header_add/httpHdrAdd() does not supply essential transaction info
to ACL checks. There has been significant progress in fixing similar
bugs recently, but this one was somehow missed AFAICT.

Alex.


> On Wed, Nov 6, 2019 at 12:47 PM Alex Rousskov wrote:
>
>     On 11/6/19 8:49 AM, Felipe Arturo Polanco wrote:
>     > I have this warning in the logs:
>     >
>     > WARNING: 307_redirect ACL is used in context without an HTTP response.
>     > Assuming mismatch.
>     > Acl.cc(151) matches: checked: 307_redirect = 0
>     >
>     > I also tested using rep_header ACL and that causes the same
>     warning and
>     > defaulting to 0.
>     >
>     > Do I need anything else to make reply access lists to work?
>
>     What is your Squid version?
>
>     Alex.
>
>
>     > On Tue, Nov 5, 2019 at 6:01 PM Alex Rousskov wrote:
>     >
>     >     On 11/5/19 4:23 PM, Felipe Arturo Polanco wrote:
>     >     > I tried 200 status code from the
>     >     > webserver directly and doesn't work either.
>     >
>     >     Sounds like a Squid bug to me then. If you can reproduce with
>     Squid v4
>     >     or later, please consider filing a bug report in Squid
>     bugzilla. Quality
>     >     fixes welcomed.
>     >
>     >     Alex.
>     >
>     >
>     >     > On Tue, Nov 5, 2019 at 4:43 PM Alex Rousskov wrote:
>     >     >
>     >     >     On 11/5/19 3:06 PM, Felipe Arturo Polanco wrote:
>     >     >
>     >     >     > I have been trying to match http_status acl in my
>     squid.conf
>     >     file
>     >     >     but it
>     >     >     > has no effect.
>     >     >     >
>     >     >     > My goal is to add a given header to specific HTTP
>     return codes.
>     >     >     >
>     >     >     > eg:
>     >     >     > This works:
>     >     >     > acl user1 src 192.168.0.6/32 <http://192.168.0.6/32>
>     <http://192.168.0.6/32>
>     >     <http://192.168.0.6/32>
>     >     >     <http://192.168.0.6/32>
>     >     >     > reply_header_add Cache-Control "no-store" user1
>     >     >     >
>     >     >     > This doesn't work:
>     >     >     > acl 307_redirect http_status 307
>     >     >     > reply_header_add Cache-Control "no-store" 307_redirect
>     >     >     >
>     >     >     > Any ideas on what could I be missing here?
>     >     >
>     >     >     Does that 307 response come from a server (including
>     >     cache_peers) or is
>     >     >     it generated by Squid itself?
>     >     >
>     >     >     Alex.
>     >     >     _______________________________________________
>     >     >     squid-users mailing list
>     >     >     [hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email]
>     <mailto:[hidden email]>>
>     >     >     <mailto:[hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email]
>     <mailto:[hidden email]>>>
>     >     >     http://lists.squid-cache.org/listinfo/squid-users
>     >     >
>     >
>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: How to use http_status acl?

Felipe Arturo Polanco
Thanks for the information Alex, we will handle this at ICAP level then.

Regards,

On Wed, Nov 6, 2019 at 2:24 PM Alex Rousskov <[hidden email]> wrote:
On 11/6/19 1:03 PM, Felipe Arturo Polanco wrote:
> 4.7 from this branch:
> https://github.com/measurement-factory/squid/tree/SQUID-323-WebSocket-support  

It looks like you are hitting a bug that has not been fixed yet:
reply_header_add/httpHdrAdd() does not supply essential transaction info
to ACL checks. There has been significant progress in fixing similar
bugs recently, but this one was somehow missed AFAICT.

Alex.


> On Wed, Nov 6, 2019 at 12:47 PM Alex Rousskov wrote:
>
>     On 11/6/19 8:49 AM, Felipe Arturo Polanco wrote:
>     > I have this warning in the logs:
>     >
>     > WARNING: 307_redirect ACL is used in context without an HTTP response.
>     > Assuming mismatch.
>     > Acl.cc(151) matches: checked: 307_redirect = 0
>     >
>     > I also tested using rep_header ACL and that causes the same
>     warning and
>     > defaulting to 0.
>     >
>     > Do I need anything else to make reply access lists to work?
>
>     What is your Squid version?
>
>     Alex.
>
>
>     > On Tue, Nov 5, 2019 at 6:01 PM Alex Rousskov wrote:
>     >
>     >     On 11/5/19 4:23 PM, Felipe Arturo Polanco wrote:
>     >     > I tried 200 status code from the
>     >     > webserver directly and doesn't work either.
>     >
>     >     Sounds like a Squid bug to me then. If you can reproduce with
>     Squid v4
>     >     or later, please consider filing a bug report in Squid
>     bugzilla. Quality
>     >     fixes welcomed.
>     >
>     >     Alex.
>     >
>     >
>     >     > On Tue, Nov 5, 2019 at 4:43 PM Alex Rousskov wrote:
>     >     >
>     >     >     On 11/5/19 3:06 PM, Felipe Arturo Polanco wrote:
>     >     >
>     >     >     > I have been trying to match http_status acl in my
>     squid.conf
>     >     file
>     >     >     but it
>     >     >     > has no effect.
>     >     >     >
>     >     >     > My goal is to add a given header to specific HTTP
>     return codes.
>     >     >     >
>     >     >     > eg:
>     >     >     > This works:
>     >     >     > acl user1 src 192.168.0.6/32 <http://192.168.0.6/32>
>     <http://192.168.0.6/32>
>     >     <http://192.168.0.6/32>
>     >     >     <http://192.168.0.6/32>
>     >     >     > reply_header_add Cache-Control "no-store" user1
>     >     >     >
>     >     >     > This doesn't work:
>     >     >     > acl 307_redirect http_status 307
>     >     >     > reply_header_add Cache-Control "no-store" 307_redirect
>     >     >     >
>     >     >     > Any ideas on what could I be missing here?
>     >     >
>     >     >     Does that 307 response come from a server (including
>     >     cache_peers) or is
>     >     >     it generated by Squid itself?
>     >     >
>     >     >     Alex.
>     >     >     _______________________________________________
>     >     >     squid-users mailing list
>     >     >     [hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email]
>     <mailto:[hidden email]>>
>     >     >     <mailto:[hidden email]
>     <mailto:[hidden email]>
>     >     <mailto:[hidden email]
>     <mailto:[hidden email]>>>
>     >     >     http://lists.squid-cache.org/listinfo/squid-users
>     >     >
>     >
>


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users