
List:       squid-users
Subject:    Re: [squid-users] adaptation_access not working with squid acl's
From:       Stephen Stark <logic4life () gmail ! com>
Date:       2016-07-20 23:08:36
Message-ID: CAOKqvx5BkHKYUhUvHjh0RvMkR95RgvJmyHyFe0axmy-KPad7Jw () mail ! gmail ! com



Thank you, myportname did the trick!

On Jul 16, 2016 8:21 AM, "Amos Jeffries" <squid3@treenet.co.nz> wrote:

> On 16/07/2016 2:38 a.m., Stephen Stark wrote:
> > Hello,
> >
> > I think I figured out what the problem is but I'd appreciate it if someone
> > could check my reasoning.
> >
> > My ACL is type localport, so I'm targeting the original request to Squid
> > based on the Squid port the client is connecting to:
> >
> > acl test localport 4000
> >
> > Then I enable adaptation_access based on the ACL test:
> >
> > adaptation_access service_avi_req allow test
> > adaptation_access service_avi_resp allow test
> >
> > So here is where I think the problem is.  The client is connecting to
> > Squid on port 4000, so the initial request is put in the ACL "test"; however,
> > for some reason this ACL is not being hit when adaptation_access is being used.
>
> Correct. Something named "Test" with an upper-case 'T' is being checked.
>
> > I'm wondering if the reason is
> > because localport is no longer the port the client connected to Squid on,
> > but rather the port Squid is using to connect to the ICAP server?
> >
> > I've verified with full debugging that the test ACL is not matched in the
> > adaptation checks:
> >
> > (initial request)
> >
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking '64.182.224.149'
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: '64.182.224.149' NOT found
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: nobumpSites = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
>
> Notice how the above are ssl_bump rules.
>
> http_access and adaptation_access checking for the initial request
> happen long before ssl_bump is reached.
>
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=ALLOWED
> >
> > (And now I'm guessing this is adaptation checking ACLs)
> >
>
> No need to guess. Squid logs the type of *_access that is being checked.
> See above about how I determined those were ssl_bump rules.
>  ...
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
>
> ... so these are http_access being checked.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf40bb8 answer=ALLOWED
>
> ... the request is ALLOWED (to use the proxy) by http_access.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
>
> ... this is adaptation_access.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
>
> So, er, a line "adaptation_access ... deny all" is being checked.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=DENIED
>
> adaptation_access rules DENIED adaptation being used on this request.
>
>
> Port(s) were never considered. Only IP address to match the "all" ACL.
>
> What is the full set of adaptation_access lines in your config?
> It seems there are more or different entries from the ones you mentioned
> already.
>
> >
> > What I don't get however is in this above log entry snapshot, the client
> > source port (192.168.100.6) is shown, so I'd assume the localport would
> > match.
>
> Is the traffic explicit/forward-proxy, reverse-proxy, intercepted or
> tproxy?
>
> TCP port numbers are different in value and/or meaning for each of the
> above. It's things like that which are why the "myportname" ACL is
> preferred over any checking of the port values.
>
> Use name= option on any *_port to name it explicitly, otherwise its name
> will be the textual representation of whatever exists in the host:port /
> IP:port field of the line.
>
> >
> > This works if I change the ACL type to src IP address rather than
> > localport, however the whole point of this is because I have another
> > facility that is categorizing users by group and distributing them to
> > Squid on specific destination ports.  So I really need this to work based on
> > localport.
> >
> > Any thoughts?
> >
>
> Please try 'myportname' ACL.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
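Amos's diagnostic method in the reply above is to first identify which *_access list a block of debug output belongs to, and only then read the ACL verdicts inside it. The script below is an added example, not code from Squid or from either participant: it applies that method mechanically to constructed cache.log lines modelled on the ones quoted in the thread (debug_options 28,3). It splits the output into checklist runs, labels each run with its list (ssl_bump, http_access, adaptation_access), and reports which ACL the firing rule relied on, so the catch-all `all` behind the DENIED adaptation_access verdict stands out. The regexes, the event model and the sample lines are my assumptions about Squid's message formats as they appear in this thread.

```python
#!/usr/bin/env python3
"""Triage Squid ACL debugging (cache.log with debug_options 28,3): split the
output into checklist runs, name the *_access list each run belongs to, and
show which ACL produced the answer. Added example for this thread; not code
from Squid or from the thread's participants."""
import re
from typing import Dict, List, Optional

PRECHECK = re.compile(r"preCheck: (0x[0-9a-f]+) checking")
CHECKED = re.compile(r"matches: checked: (.+?) = ([01])\s*$")
FINISHED = re.compile(r"markFinished: (0x[0-9a-f]+) answer (\w+)")
# Squid reports the list itself under names like "http_access#1" (rule 1),
# "http_access" (list total), "(ssl_bump rule)" and "(ssl_bump rules)".
LIST_NAME = re.compile(r"^\(?([a-z_]+_access|ssl_bump)(#\d+| rules?)?\)?$")

# Constructed sample: the thread's debug lines re-joined onto single lines.
SAMPLE_LOG = """\
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking '64.182.224.149'
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: '64.182.224.149' NOT found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: nobumpSites = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=ALLOWED
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
"""


def parse_checklists(log_text: str) -> List[Dict]:
    """One record per preCheck..markFinished run, in log order.

    A checklist address is reused once a run finishes (in the sample 0xf3c2f8
    serves first ssl_bump and later adaptation_access), so runs are delimited
    by preCheck/markFinished and never keyed by address alone."""
    runs: List[Dict] = []
    current: Optional[Dict] = None
    for line in log_text.splitlines():
        m = PRECHECK.search(line)
        if m:
            current = {"addr": m.group(1), "list": None, "events": [], "answer": None}
            runs.append(current)
            continue
        if current is None:
            continue
        m = CHECKED.search(line)
        if m:
            name, result = m.group(1), m.group(2) == "1"
            lm = LIST_NAME.match(name)
            if not lm:                        # an ordinary ACL such as "Test" or "all"
                current["events"].append(("acl", name, result))
            else:
                current["list"] = lm.group(1)
                suffix = lm.group(2) or ""
                if suffix.startswith("#"):    # numbered rule verdict, e.g. http_access#1
                    current["events"].append(("rule", int(suffix[1:]), result))
                elif suffix == " rule":       # ssl_bump logs its rules unnumbered
                    n = 1 + sum(1 for e in current["events"] if e[0] == "rule")
                    current["events"].append(("rule", n, result))
                # a bare list name or "(ssl_bump rules)" is the whole-list total
            continue
        m = FINISHED.search(line)
        if m and m.group(1) == current["addr"]:
            current["answer"] = m.group(2)
            current = None                    # the address may be reused from here on
    return runs


def deciding_acls(run: Dict) -> List[str]:
    """ACLs consulted by the rule that fired: everything checked after the last
    rule that did not match. For the sample's adaptation_access run this is
    ['all'], which is how a catch-all "deny all" line shows up in the log."""
    start = 0
    for i, ev in enumerate(run["events"]):
        if ev[0] == "rule" and not ev[2]:
            start = i + 1
    return [name for kind, name, _ in run["events"][start:] if kind == "acl"]


def explain(run: Dict) -> str:
    """One-line verdict: which list ran, which rule fired, what each ACL said."""
    acls = ", ".join(f"{n}={int(r)}" for k, n, r in run["events"] if k == "acl")
    fired = next((n for k, n, r in run["events"] if k == "rule" and r), None)
    rule = f"rule #{fired} matched" if fired else "no rule matched"
    return f"{run['list'] or 'unknown list'}: {rule} ({acls or 'no ACL verdicts'}) -> {run['answer']}"


def summarize(log_text: str) -> List[str]:
    return [explain(r) for r in parse_checklists(log_text)]


if __name__ == "__main__":
    for verdict in summarize(SAMPLE_LOG):
        print(verdict)
```

Run against the sample, the output reads `ssl_bump: rule #2 matched (nobumpSites=0, Test=1) -> ALLOWED`, then `http_access: rule #1 matched (no ACL verdicts) -> ALLOWED`, then `adaptation_access: rule #2 matched (Test=0, all=1) -> DENIED`, which is exactly the reading Amos gave by eye: the only ACL that decided the adaptation_access answer was `all`, and the port-based ACL never matched there.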
