Bug 17247

Summary: ACL dstdomain matching fails
Product: [Retired] Red Hat Linux
Component: squid
Version: 6.2
Hardware: i386
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Russell Tweed <rtweed>
Assignee: Bill Nottingham <notting>
CC: ewt, pbrown, rvokal
Doc Type: Bug Fix
Last Closed: 2000-11-07 04:10:00 UTC
Attachments:
Sample squid.conf file
patch to fix this problem
a second patch to solve the domain matching problems

Description Russell Tweed 2000-09-05 08:58:02 UTC
dstdomain matching does not work correctly. Given access granted to all,
save for one ACL (e.g.):

acl site0 dstdomain "/home/squid/site0"

http_access allow site0
http_access deny all

where the file site0 contains:


the first access through Squid will work correctly, but then any subsequent
accesses to any of these domains will work randomly around 30% of the time,
otherwise resulting in a 403 DENIED error. There appears to be no
predictability as to which domains will work and which won't.

This bug is addressed in Squid-2.3DEVEL3 and again in Squid-2.3STABLE2,
however neither fixes the problem completely. The problem is still present in

Comment 1 Russell Tweed 2000-09-05 08:59:28 UTC
Created attachment 3240
Sample squid.conf file

Comment 2 Russell Tweed 2000-09-05 09:04:51 UTC
Problem was reported to squid-bugs mailing list on 23rd August, no response as

Comment 3 Bill Nottingham 2000-09-30 03:20:34 UTC
Patch sent on Sept. 19; I've gotten *zero* response.

I'm closing this.

Comment 4 Bill Nottingham 2000-09-30 03:21:14 UTC
Created attachment 3575
patch to fix this problem

Comment 5 Russell Tweed 2000-11-03 13:06:54 UTC
Patch appears to fix problem; however it also appears to create other problems:

In the example above, after applying the patch, bayern.de and www.lbs-bayern.de
do not work (i.e., obey the rules) when they should.

Comment 6 Bill Nottingham 2000-11-07 03:16:37 UTC
I can't reproduce that with this patch;
with the config supplied, www.lbs-bayern.de is allowed,
and bayern.de is (correctly) denied.

Comment 7 Bill Nottingham 2000-11-07 04:09:15 UTC
Here's another patch. squid was using one comparison
routine when adding entries to the tree, and another
when searching it. Not good.

Comment 8 Bill Nottingham 2000-11-07 04:09:57 UTC
Created attachment 5119
a second patch to solve the domain matching problems
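
The failure mode named in comment 7, as an added example that is not Squid's code and not either attached patch: a search tree built with one ordering and searched with another loses entries that are in it, so an allow-list lookup misses and the request falls through to "deny all". The two comparators, the plain binary tree and the allow-list are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*cmp_fn)(const char *key, const char *entry);
struct node { const char *dom; struct node *l, *r; };
/* Ordering A (hypothetical): plain left-to-right string order. */
static int cmp_forward(const char *a, const char *b) { return strcmp(a, b); }

/* Ordering B (hypothetical): right-to-left; a leading-dot entry covers subdomains. */
static int cmp_suffix(const char *host, const char *entry) {
    size_t i = strlen(host), j = strlen(entry);
    while (i > 0 && j > 0) {
        unsigned char x = (unsigned char)host[--i], y = (unsigned char)entry[--j];
        if (x != y) return x < y ? -1 : 1;
    }
    if (j == 0 && i > 0) return entry[0] == '.' ? 0 : 1;  /* host is longer */
    return j > 0 ? -1 : 0;                                 /* shorter, or equal */
}

/* Plain unbalanced binary search tree; nodes are never freed in this demo. */
static void insert(struct node **p, const char *dom, cmp_fn cmp) {
    while (*p) p = cmp(dom, (*p)->dom) < 0 ? &(*p)->l : &(*p)->r;
    if (!(*p = calloc(1, sizeof **p))) abort();
    (*p)->dom = dom;
}

enum { N = 4 };  /* constructed allow-list, not the reporter's site0 file */
static const char *const LIST[N] = { "www.example.org", "www.lbs-bayern.de",
                                     "mail.example.com", ".example.net" };

/* Build the tree with `ins`, then search it for `host` with `look`. */
static int found(cmp_fn ins, cmp_fn look, const char *host) {
    struct node *t = NULL;
    for (int i = 0; i < N; i++) insert(&t, LIST[i], ins);
    while (t) {
        int c = look(host, t->dom);
        if (c == 0) return 1;
        t = c < 0 ? t->l : t->r;
    }
    return 0;
}

int main(void) {
    for (int i = 0; i < N; i++)
        printf("%-18s mixed=%d consistent=%d\n", LIST[i],
               found(cmp_forward, cmp_suffix, LIST[i]),
               found(cmp_suffix, cmp_suffix, LIST[i]));
    return 0;
}
```

With mixed comparators only the root entry is still found; with one comparator for both operations every entry matches, www.lbs-bayern.de is allowed and bayern.de is not.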

Comment 9 Bill Nottingham 2000-11-11 20:27:06 UTC
After discussions with Bernd, it appears that the first patch is in
error. With just the second patch, it seems to work OK. This will
be fixed in squid-2.3.STABLE4-3, which will be in the next rawhide