Bug 17247 - ACL dstdomain matching fails
Summary: ACL dstdomain matching fails
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: squid   
(Show other bugs)
Version: 6.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-09-05 08:58 UTC by Russell Tweed
Modified: 2014-03-17 02:16 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-11-07 04:10:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Sample squid.conf file (64.59 KB, text/plain)
2000-09-05 08:59 UTC, Russell Tweed
no flags Details
patch to fix this problem (922 bytes, patch)
2000-09-30 03:21 UTC, Bill Nottingham
no flags Details | Diff
a second patch to solve the domain matching problems (421 bytes, patch)
2000-11-07 04:09 UTC, Bill Nottingham
no flags Details | Diff

Description Russell Tweed 2000-09-05 08:58:02 UTC
dstdomain matching does not work correctly. Given access granted to all,
save for one ACL (e.g.):

acl site0 dstdomain "/home/squid/site0"

http_access allow site0
http_access deny all

where the file site0 contains:

www.lbs-bayern.de
www.sparkassenverband-bayern.de
www.bayern.de

the first access through Squid will work correctly, but then any subsequent
accesses to any of these domains will work randomly around 30% of the time,
otherwise resulting in a 403 DENIED error. There appears to be no
predictability as to which domains will work and which won't.

This bug is addressed in Squid-2.3DEVEL3 and again in Squid-2.3STABLE2,
however neither fix the problem completely. The problem is still present in
Squid-2.3STABLE4.

Comment 1 Russell Tweed 2000-09-05 08:59:28 UTC
Created attachment 3240 [details]
Sample squid.conf file

Comment 2 Russell Tweed 2000-09-05 09:04:51 UTC
Problem was reported to squid-bugs mailing list on 23th August, no response as
yet!

Comment 3 Bill Nottingham 2000-09-30 03:20:34 UTC
Patch sent on sept. 19; I've gotten *zero* response.

I'm closing this.

Comment 4 Bill Nottingham 2000-09-30 03:21:14 UTC
Created attachment 3575 [details]
patch to fix this problem

Comment 5 Russell Tweed 2000-11-03 13:06:54 UTC
Patch appears to fix problem; however it also appears to create other problems:

In the example above, after applying the patch, bayern.de and www.lbs-bayern.de
do not work (ie, obey the rules) when they should.


Comment 6 Bill Nottingham 2000-11-07 03:16:37 UTC
I can't reproduce that with this patch;
with the config supplied, www.lbs-bayern.de is allowed,
and bayern.de is (correctly) denied.

Comment 7 Bill Nottingham 2000-11-07 04:09:15 UTC
Here's another patch. squid was using one comparison
routine when adding entries to the tree, and another
when searching it. Not good.

Comment 8 Bill Nottingham 2000-11-07 04:09:57 UTC
Created attachment 5119 [details]
a second patch to solve the domain matching problems

Comment 9 Bill Nottingham 2000-11-11 20:27:06 UTC
After discussions with Bernd, it appears that the first patch is in
error. With just the second patch, it seems to work OK. This will
be fixed in squid-2.3.STABLE4-3, which will be in the next rawhide
release.


Note You need to log in before you can comment on or make changes to this bug.