Thank you myportname did the trick!

On Jul 16, 2016 8:21 AM, "Amos Jeffries" <squ...@treenet.co.nz> wrote:

> On 16/07/2016 2:38 a.m., Stephen Stark wrote:
> > Hello,
> >
> > I think I figured out what the problem is but I'd appreciate if someone
> > could check my reasoning.
> >
> > My ACL is type localport, so I'm targeting the original request to Squid
> > based on the Squid port the client is connecting to:
> >
> > acl test localport 4000
> >
> > Then I enable adaptation_access based on the ACL test:
> >
> > adaptation_access service_avi_req allow test
> > adaptation_access service_avi_resp allow test
> >
> > So here is where I think the problem is. The client is connecting to Squid
> > on port 4000, so the initial request it put in the ACL "test", however for
> > some reason this ACL is not being
> > hit when adaptation_access is being used.
>
> Correct. Something named "Test" with an upper-case 'T' is being checked.
>
> > I'm wondering if the reason is
> > because localport is no longer the port the client connected to Squid on,
> > but rather the port Squid is using to connect to the ICAP server?
> >
> > I've verified with full debugging that the test ACL is not matched in the
> > adaptation checks:
> >
> > (initial request)
> >
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking '64.182.224.149'
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: '64.182.224.149' NOT found
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking 'none'
> > 2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: nobumpSites = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
>
> Notice how the above are ssl_bump rules.
>
> http_access and adaptation_access checking for the initial request
> happen long before ssl_bump is reached.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=ALLOWED
> >
> > (And now I'm guessing this is adaptation checking ACL's)
> >
>
> No need to guess. Squid logs the type of *_access that is being checked.
> see above about how I determined those were ssl_bump rules.
> ...
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: ' 192.168.100.6:61769' found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
>
> ... so these are http_access being checked.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf40bb8 answer=ALLOWED
>
> ... the request is ALLOWED (to use the proxy) by http_access.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
>
> ... this is adaptation_access.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: ' 192.168.100.6:61769' found
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
>
> So, er, a line "adaptation_access ... deny all" is being checked.
>
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
> > 2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=DENIED
>
> adaptation_access rules DENIED adaptation being used on this request.
>
> Port(s) were never considered. Only IP address to match the "all" ACL.
>
> What is the full set of adaptation_access line in your config ?
> It seems there are more or different entries from the ones you mentioned
> already.
>
> >
> > What I don't get however is in this above log entry snapshot, the client
> > source port (192.168.100.6) is shown, so I'd assume the localport would
> > match.
>
> Is the traffic explicit/forward-proxy, reverse-proxy, intercepted or
> tproxy ?
>
> TCP port numbers are different in value and/or meaning for each of the
> above. It's things like that which are why the "myportname" ACL is
> preferred over any checking of the port values.
>
> Use name= option on any *_port to name it explicitly, otherwise its name
> will be the textual representation of whatever exists in the host:port /
> IP:port field of the line.
>
> >
> > This works if I change the ACL type to src IP address rather than
> > localport, however the whole point of this is because I have another
> > facility that is categorizing users by group and distributing them to Squid
> > on specific destination ports. So I really need this to work based on
> > localport.
> >
> > Any thoughts?
> >
>
> Please try 'myportname' ACL.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
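The reading of the debug output walked through in the quoted reply (the `directive#N` lines name which *_access list a checklist is evaluating, and which line of it matched) can be automated when troubleshooting why an ICAP/adaptation service is being skipped. The following is an added example, not part of the original thread or of Squid: the log excerpt is taken from the lines quoted in this thread with mail wrapping undone and timestamps trimmed, and the function name `summarize` is hypothetical.

```python
import re

# Section 28, level 3 lines excerpted from the debug output quoted in this
# thread (mail-wrapped lines rejoined, timestamps trimmed for width).
SAMPLE = """\
kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
kid1| 28,3| Acl.cc(158) matches: checked: all = 1
kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
"""

CHECKED = re.compile(r"matches: checked: (.+?) = ([01])\s*$")
FINISHED = re.compile(r"markFinished: \S+ answer (\w+)")
RULE = re.compile(r"^(\w+)#(\d+)$")   # per-line result such as adaptation_access#2

def summarize(log_text):
    """Return one dict per ACL checklist: directive, answer, matching line, ACL results."""
    results, current = [], None
    for line in log_text.splitlines():
        if "preCheck:" in line:                       # a new checklist starts
            current = {"directive": None, "answer": None, "rule": None, "acls": []}
        elif current is None:
            continue                                  # noise outside any checklist
        elif m := CHECKED.search(line):
            name, hit = m.group(1), m.group(2) == "1"
            if r := RULE.match(name):                 # names the directive and line number
                current["directive"] = r.group(1)
                if hit and current["rule"] is None:
                    current["rule"] = int(r.group(2))
            elif name != current["directive"]:        # a named ACL, not the directive total
                current["acls"].append((name, hit))
        elif m := FINISHED.search(line):              # verdict closes the checklist
            current["answer"] = m.group(1)
            results.append(current)
            current = None
    return results

if __name__ == "__main__":
    for c in summarize(SAMPLE):
        print(c["directive"], c["answer"], "line", c["rule"], c["acls"])
```

On the excerpt this reports `adaptation_access` as DENIED by its second line, with `Test` not matching and `all` matching, which is the conclusion reached in the reply. It handles only the `name#N` form shown for http_access and adaptation_access, not the parenthesized `(ssl_bump rule)` form.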