Re: [squid-users] ACLs and localhost

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 25 Mar 2008 13:09:02 +1300

paul cooper wrote:
> there is something in all this i really am not understanding. Sorry to be
> so stupid.
>
> AIUI now, it looks at the ACLs and processes them until it finds one that
> matches, and then it stops matching them and allows access. It will only
> deny a page when it has processed all the ACLs and NOT found a match.
>

There are two slightly different things involved here:
   ACL and ACCESS

Squid checks all ACCESS lines _in the order configured_.
The first that matches is used, end of story #1.

In order to process any single ACCESS line squid must check the ACLs
listed in it. It only matches if all the ACLs _on that line_ are matched.

The behaviour you are thinking of applies just to the ACLs within a
single ACCESS line.

So to take an example from your config:

   http_access allow emma weekends
        - will ONLY accept if emma is true AND weekends is true
        - will never deny anything
        - won't match if emma is false OR weekends is false

   http_access allow Safe_ports
        - will ONLY accept if (line above it doesn't match) AND Safe_ports is true
        - will never deny anything.
        - won't match if Safe_ports is false.

So we end up with three actions from each ACCESS line:
        ALLOW
        DENY
        TRY-NEXT-LINE

> If I have only 1 authenticated user (emma) then the time-based ACL
> ('testing') denies access as it should.
> When I add another user access (http_access allow andrew) the browser
> authentication box comes up, I put in 'emma' and it gives me access.
> I'm restarting squid and clearing the browser cache between all these
> attempts.

The deny/accept is happening in places you are not expecting them to occur.

Your ACLs are working, the ACCESS lines are not.

>
>
>
> hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe'
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl andrew proxy_auth REQUIRED
> acl emma proxy_auth REQUIRED
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
> acl testing time MTWHF 07:30-08:00
> hepworth emma # grep ^http /etc/squid/squid.conf
> http_port 3128
> http_access allow emma testing
> http_access deny localhost
> http_access deny all
> hepworth emma #
>
> 2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
> 2008/03/24 09:52:44| aclMatchAclList: checking all
> 2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
> 2008/03/24 09:52:44| aclMatchAclList: returning 1
> 2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
> 2008/03/24 09:52:44| aclMatchAclList: checking emma
> 2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
> 2008/03/24 09:52:44| aclMatchUser: user is emma, case_insensitive is 0
> 2008/03/24 09:52:44| Top is (nil), Top->data is Unavailable
> 2008/03/24 09:52:44| aclMatchUser: user REQUIRED and auth-info present.

... username OK.

> 2008/03/24 09:52:44| aclMatchAclList: checking testing
> 2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing time MTWHF
> 07:30-08:00'
> 2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e

... NOT within the (testing) time configured.

> 2008/03/24 09:52:44| aclMatchAclList: no match, returning 0

(http_access allow emma testing) failed to match.

... moving on to try the next one....

> 2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'

> 2008/03/24 09:52:44| aclMatchAclList: checking localhost
> 2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src
> 127.0.0.1/255.255.255.255'
> 2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found

.. you are on localhost. ACL matches.

> 2008/03/24 09:52:44| aclMatchAclList: returning 1

... do whatever the http_access is supposed to do with it...

> 2008/03/24 09:52:44| aclCheck: match found, returning 0

... which is a DENY ...

> 2008/03/24 09:52:44| aclCheckCallback: answer=0
> 2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/ is DENIED,
> because it matched 'localhost'

... send the denial message.

<snip the ACL testing for the reply 5xx/4xx message>

>
>
> hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe_ports'
> <as before>
>
> hepworth emma # cat /etc/squid/squid.conf |grep ^http
> http_port 3128
> http_access allow emma testing
> http_access allow andrew
> http_access deny localhost
> http_access deny all
> hepworth emma #

Translated from config to English:

   (emma when logged in) only on (weekends) CAN get through.
   (andrew) CAN get through at any time.

   (others) using (machine localhost) NOT allowed
   (others) NOT allowed

>
>
>
> 2008/03/24 09:56:04| aclCheckFast: list: 0x82ab640
> 2008/03/24 09:56:04| aclMatchAclList: checking all
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
> 2008/03/24 09:56:04| aclMatchAclList: returning 1
> 2008/03/24 09:56:04| aclCheck: checking 'http_access allow emma testing'
> 2008/03/24 09:56:04| aclMatchAclList: checking emma
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
> 2008/03/24 09:56:04| aclMatchUser: user is emma, case_insensitive is 0
> 2008/03/24 09:56:04| Top is (nil), Top->data is Unavailable
> 2008/03/24 09:56:04| aclMatchUser: user REQUIRED and auth-info present.
> 2008/03/24 09:56:04| aclMatchAclList: checking testing
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl testing time MTWHF
> 07:30-08:00'
> 2008/03/24 09:56:04| aclMatchTime: checking 596 in 450-480, weekbits=3e
> 2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
> 2008/03/24 09:56:04| aclCheck: checking 'http_access allow andrew'
> 2008/03/24 09:56:04| aclMatchAclList: checking andrew
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
> 2008/03/24 09:56:04| aclMatchUser: user is emma, case_insensitive is 0
> 2008/03/24 09:56:04| Top is (nil), Top->data is Unavailable
> 2008/03/24 09:56:04| aclMatchUser: user REQUIRED and auth-info present.
> 2008/03/24 09:56:04| aclMatchAclList: returning 1
> 2008/03/24 09:56:04| aclCheck: match found, returning 1
> 2008/03/24 09:56:04| aclCheckCallback: answer=1
> 2008/03/24 09:56:04| The request GET http://grolma.no-ip.org/ is ALLOWED,
> because it matched 'andrew'
> 2008/03/24 09:56:04| aclCheck: checking 'cache deny QUERY'
> 2008/03/24 09:56:04| aclMatchAclList: checking QUERY
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl QUERY urlpath_regex
> cgi-bin \?'
> 2008/03/24 09:56:04| aclMatchRegex: checking '/'
> 2008/03/24 09:56:04| aclMatchRegex: looking for 'cgi-bin'
> 2008/03/24 09:56:04| aclMatchRegex: looking for '\?'
> 2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
> 2008/03/24 09:56:04| aclCheck: NO match found, returning 1
> 2008/03/24 09:56:04| aclCheckCallback: answer=1
> 2008/03/24 09:56:04| clientProcessHit: HIT
> 2008/03/24 09:56:04| aclCheckFast: list: 0x82ab2b0
> 2008/03/24 09:56:04| aclMatchAclList: checking all
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
> 2008/03/24 09:56:04| aclMatchAclList: returning 1
> 2008/03/24 09:56:04| aclCheck: checking 'http_reply_access allow all'
> 2008/03/24 09:56:04| aclMatchAclList: checking all
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
> 2008/03/24 09:56:04| aclMatchAclList: returning 1
> 2008/03/24 09:56:04| aclCheck: match found, returning 1
> 2008/03/24 09:56:04| aclCheckCallback: answer=1
> 2008/03/24 09:56:04| The reply for GET http://grolma.no-ip.org/ is
> ALLOWED, because it matched 'all'
> 2008/03/24 09:56:04| aclCheckFast: list: 0x82ab640
> 2008/03/24 09:56:04| aclMatchAclList: checking all
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
> 2008/03/24 09:56:04| aclMatchAclList: returning 1
> 2008/03/24 09:56:04| aclCheck: checking 'http_access allow emma testing'
> 2008/03/24 09:56:04| aclMatchAclList: checking emma
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
> 2008/03/24 09:56:04| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
> 2008/03/24 09:56:04| aclMatchAclList: checking testing
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl testing time MTWHF
> 07:30-08:00'
> 2008/03/24 09:56:04| aclMatchTime: checking 596 in 450-480, weekbits=3e
> 2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
> 2008/03/24 09:56:04| aclCheck: checking 'http_access allow andrew'
> 2008/03/24 09:56:04| aclMatchAclList: checking andrew
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
> 2008/03/24 09:56:04| aclCacheMatchAcl: cache hit on acl '0x82a7d38'
> 2008/03/24 09:56:04| aclMatchAclList: returning 1
> 2008/03/24 09:56:04| aclCheck: match found, returning 1
> 2008/03/24 09:56:04| aclCheckCallback: answer=1
> 2008/03/24 09:56:04| The request GET http://grolma.no-ip.org/favicon.ico
> is ALLOWED, because it matched 'andrew'
> 2008/03/24 09:56:04| aclCheck: checking 'cache deny QUERY'
> 2008/03/24 09:56:04| aclMatchAclList: checking QUERY
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl QUERY urlpath_regex
> cgi-bin \?'
> 2008/03/24 09:56:04| aclMatchRegex: checking '/favicon.ico'
> 2008/03/24 09:56:04| aclMatchRegex: looking for 'cgi-bin'
> 2008/03/24 09:56:04| aclMatchRegex: looking for '\?'
> 2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
> 2008/03/24 09:56:04| aclCheck: NO match found, returning 1
> 2008/03/24 09:56:04| aclCheckCallback: answer=1
> 2008/03/24 09:56:04| aclCheckFast: list: 0x82ab2b0
> 2008/03/24 09:56:04| aclMatchAclList: checking all
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
> 2008/03/24 09:56:04| aclMatchAclList: returning 1
> 2008/03/24 09:56:04| aclCheck: checking 'http_reply_access allow all'
> 2008/03/24 09:56:04| aclMatchAclList: checking all
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
> 2008/03/24 09:56:04| aclMatchAclList: returning 1
> 2008/03/24 09:56:04| aclCheck: match found, returning 1
> 2008/03/24 09:56:04| aclCheckCallback: answer=1
> 2008/03/24 09:56:04| The reply for GET http://grolma.no-ip.org/favicon.ico
> is ALLOWED, because it matched 'all'
> hepworth emma #
>
>

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Tue Mar 25 2008 - 04:53:25 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT
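The following is an added example, not code from the thread or from the Squid project: a small Python model of the two-level evaluation Amos describes (an http_access line matches only if ALL of its ACLs match; the first matching line decides; a non-matching line means "try the next line"). The acl and http_access lines are the ones quoted above; the request is modelled on the quoted log (localhost, logged in as emma, Monday 2008-03-24 09:52, which is outside the 07:30-08:00 window). Two things in it come from Squid's documentation rather than from this thread: `acl NAME proxy_auth USERNAME` matches only the named user (whereas `proxy_auth REQUIRED` matches ANY authenticated user, which is exactly why `http_access allow andrew` let emma through), and when no http_access line matches, Squid applies the opposite of the last line's action. The time-ACL arithmetic and the "matched 'NAME'" reason string are simplifications modelled on the log output; `request_on_monday` and `decide` are names chosen here.

```python
# Added example: a model of Squid's ACL / http_access evaluation. Not Squid code.
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DAY_BITS = {"S": 0, "M": 1, "T": 2, "W": 3, "H": 4, "F": 5, "A": 6}  # Squid day letters, Sun..Sat


@dataclass
class Request:
    src: str                                   # client IP address
    user: Optional[str] = None                 # None: no proxy credentials were sent
    when: datetime = field(default_factory=datetime.now)
    port: int = 80
    method: str = "GET"


def load_acls(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Parse 'acl NAME TYPE ARGS...' lines; repeated names extend the same ACL."""
    acls: Dict[str, Tuple[str, List[str]]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "acl":
            continue
        name, kind, args = parts[1], parts[2], parts[3:]
        if name in acls:
            acls[name][1].extend(args)
        else:
            acls[name] = (kind, list(args))
    return acls


def _hm(text: str) -> int:
    """'07:30' -> minutes since midnight (450), the unit Squid logs for time ACLs."""
    h, m = text.split(":")
    return int(h) * 60 + int(m)


def acl_matches(kind: str, args: List[str], req: Request) -> bool:
    """One ACL against one request. Only the ACL types used in the thread are modelled."""
    if kind == "src":
        return any(ip_address(req.src) in ip_network(a, strict=False) for a in args)
    if kind == "port":
        return str(req.port) in args
    if kind == "method":
        return req.method.upper() in (a.upper() for a in args)
    if kind == "proxy_auth":
        if req.user is None:
            return False  # real Squid would send a 407 challenge; the model just fails the match
        return "REQUIRED" in args or req.user in args  # REQUIRED matches ANY authenticated user
    if kind == "time":
        days, start, end = None, 0, 24 * 60 - 1
        for a in args:
            if "-" in a:
                s, e = a.split("-")
                start, end = _hm(s), _hm(e)
            else:
                days = {DAY_BITS[c] for c in a}
        minute = req.when.hour * 60 + req.when.minute  # cf. log: 'checking 592 in 450-480'
        daybit = (req.when.weekday() + 1) % 7          # Python Mon=0 -> Squid Mon=bit 1 (MTWHF = 0x3e)
        return (days is None or daybit in days) and start <= minute <= end
    raise ValueError(f"unsupported acl type {kind}")


def decide(acl_text: str, access_lines: List[str], req: Request) -> Tuple[str, str]:
    """ACCESS evaluation: first line whose ACLs ALL match wins; otherwise TRY-NEXT-LINE."""
    acls = load_acls(acl_text)
    last_action = "deny"
    for line in access_lines:
        _, action, *names = line.split()
        last_action = action
        line_matches = True
        for name in names:
            negated = name.startswith("!")            # Squid's '!acl' negation
            kind, args = acls[name.lstrip("!")]
            if acl_matches(kind, args, req) == negated:  # one failing ACL -> try the next line
                line_matches = False
                break
        if line_matches:
            return action, f"matched '{names[-1].lstrip('!')}'"  # Squid reports the line's last ACL
    # No line matched: Squid's documented default is the opposite of the last line's action.
    return ("deny" if last_action == "allow" else "allow"), "no line matched; default = opposite of last line"


# ACLs as quoted in the thread (Safe_ports etc. omitted: no access line below uses them).
ACLS = """acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl testing time MTWHF 07:30-08:00"""

# Hardened variant: name the user, so 'andrew' matches only andrew (Squid's 'proxy_auth USERNAME' form).
ACLS_PER_USER = ACLS.replace("andrew proxy_auth REQUIRED", "andrew proxy_auth andrew") \
                    .replace("emma proxy_auth REQUIRED", "emma proxy_auth emma")

FIRST_CONFIG = ["http_access allow emma testing",
                "http_access deny localhost",
                "http_access deny all"]
SECOND_CONFIG = FIRST_CONFIG[:1] + ["http_access allow andrew"] + FIRST_CONFIG[1:]


def request_on_monday(hour: int, minute: int, src: str = "127.0.0.1",
                      user: Optional[str] = None) -> Request:
    """Constructed request on Monday 2008-03-24 (the date of the quoted log) at the given time."""
    return Request(src, user=user, when=datetime(2008, 3, 24, hour, minute))


EMMA_MONDAY_0952 = request_on_monday(9, 52, user="emma")  # the request seen in the quoted log

if __name__ == "__main__":
    for label, acl_text, cfg in [("first config", ACLS, FIRST_CONFIG),
                                 ("second config", ACLS, SECOND_CONFIG),
                                 ("second config, per-user ACLs", ACLS_PER_USER, SECOND_CONFIG)]:
        print(f"{label:30} -> {decide(acl_text, cfg, EMMA_MONDAY_0952)}")
```

Running it reproduces both quoted outcomes for emma at 09:52: the first config denies via 'localhost' (the 'testing' ACL fails, so the allow line is skipped and the next line, a deny, matches), the second config allows via 'andrew' because `proxy_auth REQUIRED` is satisfied by any logged-in user. With the per-user ACLs the same request is denied again, while a request authenticated as andrew is still allowed, which is the intended per-user policy.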