|Summary:||ACL dstdomain matching fails|
|Product:||[Retired] Red Hat Linux||Reporter:||Russell Tweed <rtweed>|
|Component:||squid||Assignee:||Bill Nottingham <notting>|
|Status:||CLOSED RAWHIDE||QA Contact:|
|Version:||6.2||CC:||ewt, pbrown, rvokal|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2000-11-07 04:10:00 UTC||Type:||---|
Description Russell Tweed 2000-09-05 08:58:02 UTC
dstdomain matching does not work correctly. Given access granted to all, save for one ACL (e.g.):

    acl site0 dstdomain "/home/squid/site0"
    http_access allow site0
    http_access deny all

where the file site0 contains:

    www.lbs-bayern.de
    www.sparkassenverband-bayern.de
    www.bayern.de

the first access through Squid will work correctly, but then any subsequent accesses to any of these domains will work randomly around 30% of the time, otherwise resulting in a 403 DENIED error. There appears to be no predictability as to which domains will work and which won't. This bug is addressed in Squid-2.3DEVEL3 and again in Squid-2.3STABLE2, however neither fixes the problem completely. The problem is still present in Squid-2.3STABLE4.
Comment 1 Russell Tweed 2000-09-05 08:59:28 UTC
Created attachment 3240 [details] Sample squid.conf file
Comment 2 Russell Tweed 2000-09-05 09:04:51 UTC
Problem was reported to squid-bugs mailing list on 23rd August, no response as yet!
Comment 3 Bill Nottingham 2000-09-30 03:20:34 UTC
Patch sent on Sept. 19; I've gotten *zero* response. I'm closing this.
Comment 4 Bill Nottingham 2000-09-30 03:21:14 UTC
Created attachment 3575 [details] patch to fix this problem
Comment 5 Russell Tweed 2000-11-03 13:06:54 UTC
Patch appears to fix problem; however it also appears to create other problems: In the example above, after applying the patch, bayern.de and www.lbs-bayern.de do not work (i.e., obey the rules) when they should.
Comment 6 Bill Nottingham 2000-11-07 03:16:37 UTC
I can't reproduce that with this patch; with the config supplied, www.lbs-bayern.de is allowed, and bayern.de is (correctly) denied.
Comment 7 Bill Nottingham 2000-11-07 04:09:15 UTC
Here's another patch. squid was using one comparison routine when adding entries to the tree, and another when searching it. Not good.
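The class of bug described in Comment 7, as an added example that is not Squid's code and not part of the original report: a simplified binary tree holding the three site0 entries is built with one ordering and searched with another, so entries that are present in the ACL are not found. The comparator `cmp_reverse`, the use of `strcmp` as the other ordering, and all helper names are hypothetical stand-ins chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef int (*cmp_fn)(const char *, const char *);
struct node { const char *key; struct node *left, *right; };
static struct node pool[3]; static int used;   /* one node per ACL entry */
/* The three entries from the reporter's site0 file. */
static const char *SITES[3] = { "www.lbs-bayern.de",
    "www.sparkassenverband-bayern.de", "www.bayern.de" };

/* Hypothetical second ordering: right-to-left (TLD first); first is strcmp. */
static int cmp_reverse(const char *a, const char *b) {
    size_t i = strlen(a), j = strlen(b);
    while (i > 0 && j > 0) {
        unsigned char x = (unsigned char)a[--i], y = (unsigned char)b[--j];
        if (x != y) return x < y ? -1 : 1;
    }
    return (i > 0) - (j > 0);
}

static struct node *tree_insert(struct node *t, const char *k, cmp_fn cmp) {
    if (!t) { t = &pool[used++]; t->key = k; return t; }
    int c = cmp(k, t->key);
    if (c < 0) t->left = tree_insert(t->left, k, cmp);
    else if (c > 0) t->right = tree_insert(t->right, k, cmp);
    return t;
}

/* Walk down from the root; the comparator decides which branch to follow. */
static int tree_contains(const struct node *t, const char *k, cmp_fn cmp) {
    for (int c = 0; t; t = c < 0 ? t->left : t->right)
        if ((c = cmp(k, t->key)) == 0) return 1;
    return 0;
}

/* Build with add_cmp, look each entry up with find_cmp; return hit count. */
static int count_hits(cmp_fn add_cmp, cmp_fn find_cmp) {
    struct node *t = NULL;
    int i, hits = 0;
    memset(pool, 0, sizeof pool);
    for (used = 0, i = 0; i < 3; i++) t = tree_insert(t, SITES[i], add_cmp);
    for (i = 0; i < 3; i++) hits += tree_contains(t, SITES[i], find_cmp);
    return hits;
}

int main(void) {
    printf("same: %d/3, mixed: %d/3\n", count_hits(strcmp, strcmp),
           count_hits(strcmp, cmp_reverse));
    return 0;
}
```

With a single routine for both operations every entry is found; with mixed routines only the root entry is, because the search descends the wrong branch for the other two.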
Comment 8 Bill Nottingham 2000-11-07 04:09:57 UTC
Created attachment 5119 [details] a second patch to solve the domain matching problems
Comment 9 Bill Nottingham 2000-11-11 20:27:06 UTC
After discussions with Bernd, it appears that the first patch is in error. With just the second patch, it seems to work OK. This will be fixed in squid-2.3.STABLE4-3, which will be in the next rawhide release.