List: squid-users
Subject: Re: [squid-users] adaptation_access not working with squid acl's
From: Stephen Stark <logic4life () gmail ! com>
Date: 2016-07-20 23:08:36
Message-ID: CAOKqvx5BkHKYUhUvHjh0RvMkR95RgvJmyHyFe0axmy-KPad7Jw () mail ! gmail ! com
Thank you, myportname did the trick!
On Jul 16, 2016 8:21 AM, "Amos Jeffries" <squid3@treenet.co.nz> wrote:
> On 16/07/2016 2:38 a.m., Stephen Stark wrote:
> > Hello,
> >
> > I think I figured out what the problem is but I'd appreciate if someone
> > could check my reasoning.
> >
> > My ACL is type localport, so I'm targeting the original request to Squid
> > based on the Squid port the client is connecting to:
> >
> > acl test localport 4000
> >
> > Then I enable adaptation_access based on the ACL test:
> >
> > adaptation_access service_avi_req allow test
> > adaptation_access service_avi_resp allow test
> >
> > So here is where I think the problem is. The client is connecting to Squid
> > on port 4000, so the initial request is put in the ACL "test", however for
> > some reason this ACL is not being hit when adaptation_access is being used.
>
> Correct. Something named "Test" with an upper-case 'T' is being checked.
>
> > I'm wondering if the reason is
> > because localport is no longer the port the client connected to Squid on,
> > but rather the port Squid is using to connect to the ICAP server?
> >
> > I've verified with full debugging that the test ACL is not matched in the
> > adaptation checks:
> >
> > (initial request)
> >
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking '64.182.224.149'
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: '64.182.224.149' NOT found
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: nobumpSites = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
>
> Notice how the above are ssl_bump rules.
>
> http_access and adaptation_access checking for the initial request
> happen long before ssl_bump is reached.
>
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=ALLOWED
> >
> > (And now I'm guessing this is adaptation checking ACL's)
> >
>
> No need to guess. Squid logs the type of *_access that is being checked.
> See above for how I determined those were ssl_bump rules.
> ...
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
>
> ... so these are http_access being checked.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf40bb8 answer=ALLOWED
>
> ... the request is ALLOWED (to use the proxy) by http_access.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
>
> ... this is adaptation_access.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
>
> So, er, a line "adaptation_access ... deny all" is being checked.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=DENIED
>
> adaptation_access rules DENIED adaptation being used on this request.
>
>
> Port(s) were never considered. Only IP address to match the "all" ACL.
>
> What is the full set of adaptation_access lines in your config?
> It seems there are more or different entries from the ones you mentioned
> already.
>
> >
> > What I don't get, however, is that in the above log snapshot the client
> > source port (192.168.100.6) is shown, so I'd assume the localport would
> > match.
>
> Is the traffic explicit/forward-proxy, reverse-proxy, intercepted or
> tproxy?
>
> TCP port numbers are different in value and/or meaning for each of the
> above. It's things like that which are why the "myportname" ACL is
> preferred over any checking of the port values.
>
> Use the name= option on any *_port to name it explicitly; otherwise its name
> will be the textual representation of whatever exists in the host:port /
> IP:port field of the line.
>
> >
> > This works if I change the ACL type to src IP address rather than
> > localport, however the whole point of this is because I have another
> > facility that is categorizing users by group and distributing them to Squid
> > on specific destination ports. So I really need this to work based on
> > localport.
> >
> > Any thoughts?
> >
>
> Please try 'myportname' ACL.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
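Amos's way of reading the debug 28,3 trace above (pair each preCheck with its markFinished, name the directive from the "<directive>#N" or "(ssl_bump rule)" lines, and find the rule that decided the run) as a small script. This is an added example, not code from the thread or from Squid; the log sample is constructed from the thread's excerpt with timestamps dropped, and it assumes "checked:" lines belong to the most recently started checklist, which holds for a single worker.

```python
import re
# Constructed sample of Squid "debug_options 28,3" cache.log lines (timestamps
# dropped), modelled on the thread: an ssl_bump run, then adaptation_access.
SAMPLE_LOG = """\
kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
kid1| 28,3| Acl.cc(158) matches: checked: all = 1
kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
"""
PRECHECK = re.compile(r"preCheck: (0x[0-9a-f]+) checking")
CHECKED = re.compile(r"matches: checked: (.+?) = ([01])\s*$")
FINISHED = re.compile(r"markFinished: (0x[0-9a-f]+) answer (\w+)")
RULE = re.compile(r"^(?:(\w+_access)#\d+|\((ssl_bump) rule\))$")  # one rule's verdict
SUMMARY = re.compile(r"^(?:\w+_access|\(ssl_bump rules\))$")      # whole-directive verdict

def parse_acl_checks(log_text):
    """One record per checklist run: directive, per-rule ACL results, final answer.
    Assumes "checked:" lines belong to the most recently started run (one worker)
    and re-keys on every preCheck, so a reused pointer like 0xf3c2f8 is not merged."""
    open_runs, done, cur, acls = {}, [], None, []
    for line in log_text.splitlines():
        if m := PRECHECK.search(line):
            cur = {"id": m.group(1), "directive": "?", "rules": [], "answer": None}
            open_runs[m.group(1)], acls = cur, []
        elif (m := CHECKED.search(line)) and cur is not None:
            name, hit = m.group(1), m.group(2) == "1"
            if r := RULE.match(name):             # a rule line closes the ACLs above it
                cur["directive"] = r.group(1) or r.group(2)
                cur["rules"].append((name, acls, hit))
                acls = []
            elif not SUMMARY.match(name):
                acls.append((name, hit))
        elif (m := FINISHED.search(line)) and m.group(1) in open_runs:
            done.append(open_runs.pop(m.group(1)))
            done[-1]["answer"] = m.group(2)
    return done

def explain(run):  # which rule decided the run, and through which ACLs
    for label, acls, hit in run["rules"]:
        if hit:
            via = ", ".join(f"{a}={int(v)}" for a, v in acls) or "no named ACL"
            return f"{run['directive']} {run['id']}: {label} matched via {via} -> {run['answer']}"
    return f"{run['directive']} {run['id']}: no rule matched -> {run['answer']}"
```

Run over a real cache.log the output makes the "deny all" hit in the thread visible at a glance: the second run ends with adaptation_access#2 matching via all=1 and the DENIED answer, while Test contributed 0.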