Bug 17247 - ACL dstdomain matching fails
Summary: ACL dstdomain matching fails
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: squid
Version: 6.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2000-09-05 08:58 UTC by Russell Tweed
Modified: 2014-03-17 02:16 UTC (History)
3 users (show)

Clone Of:
Last Closed: 2000-11-07 04:10:00 UTC

Attachments (Terms of Use)
Sample squid.conf file (64.59 KB, text/plain)
2000-09-05 08:59 UTC, Russell Tweed
no flags Details
patch to fix this problem (922 bytes, patch)
2000-09-30 03:21 UTC, Bill Nottingham
no flags Details | Diff
a second patch to solve the domain matching problems (421 bytes, patch)
2000-11-07 04:09 UTC, Bill Nottingham
no flags Details | Diff

Description Russell Tweed 2000-09-05 08:58:02 UTC
dstdomain matching does not work correctly. Given access granted to all,
save for one ACL (e.g.):

acl site0 dstdomain "/home/squid/site0"

http_access allow site0
http_access deny all

where the file site0 contains:


the first access through Squid will work correctly, but then any subsequent
accesses to any of these domains will work randomly around 30% of the time,
otherwise resulting in a 403 DENIED error. There appears to be no
predictability as to which domains will work and which won't.

This bug is addressed in Squid-2.3DEVEL3 and again in Squid-2.3STABLE2,
however neither fix the problem completely. The problem is still present in

Comment 1 Russell Tweed 2000-09-05 08:59:28 UTC
Created attachment 3240 [details]
Sample squid.conf file

Comment 2 Russell Tweed 2000-09-05 09:04:51 UTC
Problem was reported to squid-bugs mailing list on 23th August, no response as

Comment 3 Bill Nottingham 2000-09-30 03:20:34 UTC
Patch sent on sept. 19; I've gotten *zero* response.

I'm closing this.

Comment 4 Bill Nottingham 2000-09-30 03:21:14 UTC
Created attachment 3575 [details]
patch to fix this problem

Comment 5 Russell Tweed 2000-11-03 13:06:54 UTC
Patch appears to fix problem; however it also appears to create other problems:

In the example above, after applying the patch, bayern.de and www.lbs-bayern.de
do not work (ie, obey the rules) when they should.

Comment 6 Bill Nottingham 2000-11-07 03:16:37 UTC
I can't reproduce that with this patch;
with the config supplied, www.lbs-bayern.de is allowed,
and bayern.de is (correctly) denied.

Comment 7 Bill Nottingham 2000-11-07 04:09:15 UTC
Here's another patch. squid was using one comparison
routine when adding entries to the tree, and another
when searching it. Not good.

Comment 8 Bill Nottingham 2000-11-07 04:09:57 UTC
Created attachment 5119 [details]
a second patch to solve the domain matching problems

Comment 9 Bill Nottingham 2000-11-11 20:27:06 UTC
After discussions with Bernd, it appears that the first patch is in
error. With just the second patch, it seems to work OK. This will
be fixed in squid-2.3.STABLE4-3, which will be in the next rawhide

Note You need to log in before you can comment on or make changes to this bug.