Bug 17247 - ACL dstdomain matching fails
Product: Red Hat Linux
Classification: Retired
Component: squid
i386 Linux
medium Severity medium
Assigned To: Bill Nottingham
Reported: 2000-09-05 04:58 EDT by Russell Tweed
Modified: 2014-03-16 22:16 EDT (History)
Doc Type: Bug Fix
Last Closed: 2000-11-06 23:10:00 EST

Attachments
Sample squid.conf file (64.59 KB, text/plain)
2000-09-05 04:59 EDT, Russell Tweed
patch to fix this problem (922 bytes, patch)
2000-09-29 23:21 EDT, Bill Nottingham
a second patch to solve the domain matching problems (421 bytes, patch)
2000-11-06 23:09 EST, Bill Nottingham

Description Russell Tweed 2000-09-05 04:58:02 EDT
dstdomain matching does not work correctly. Given access granted to all,
save for one ACL (e.g.):

acl site0 dstdomain "/home/squid/site0"

http_access allow site0
http_access deny all

where the file site0 contains:


the first access through Squid will work correctly, but then any subsequent
accesses to any of these domains will work randomly around 30% of the time,
otherwise resulting in a 403 DENIED error. There appears to be no
predictability as to which domains will work and which won't.

This bug is addressed in Squid-2.3DEVEL3 and again in Squid-2.3STABLE2,
however neither fixes the problem completely. The problem is still present in
Comment 1 Russell Tweed 2000-09-05 04:59:28 EDT
Created attachment 3240
Sample squid.conf file
Comment 2 Russell Tweed 2000-09-05 05:04:51 EDT
Problem was reported to squid-bugs mailing list on 23rd August, no response as
Comment 3 Bill Nottingham 2000-09-29 23:20:34 EDT
Patch sent on Sept. 19; I've gotten *zero* response.

I'm closing this.
Comment 4 Bill Nottingham 2000-09-29 23:21:14 EDT
Created attachment 3575
patch to fix this problem
Comment 5 Russell Tweed 2000-11-03 08:06:54 EST
Patch appears to fix problem; however it also appears to create other problems:

In the example above, after applying the patch, bayern.de and www.lbs-bayern.de
do not work (i.e., obey the rules) when they should.
Comment 6 Bill Nottingham 2000-11-06 22:16:37 EST
I can't reproduce that with this patch;
with the config supplied, www.lbs-bayern.de is allowed,
and bayern.de is (correctly) denied.
Comment 7 Bill Nottingham 2000-11-06 23:09:15 EST
Here's another patch. squid was using one comparison
routine when adding entries to the tree, and another
when searching it. Not good.
Comment 8 Bill Nottingham 2000-11-06 23:09:57 EST
Created attachment 5119
a second patch to solve the domain matching problems
Comment 9 Bill Nottingham 2000-11-11 15:27:06 EST
After discussions with Bernd, it appears that the first patch is in
error. With just the second patch, it seems to work OK. This will
be fixed in squid-2.3.STABLE4-3, which will be in the next rawhide
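
The failure mode described in Comment 7 (one comparison routine for adding entries, another for searching), reduced to a small C program as an added example; it is not Squid's code or either attached patch. The tree, both comparators (cmp_forward, cmp_reverse) and the domain names are hypothetical and constructed for illustration.

```c
#include <string.h>

/* Hypothetical minimal search tree of domain names; not Squid's own code. */
struct node { const char *key; struct node *l, *r; };
typedef int (*cmp_fn)(const char *, const char *);
static struct node pool[8];   /* node storage, reset by count_hits() */
static size_t used;

/* Comparator A: ordinary left-to-right string order. */
static int cmp_forward(const char *a, const char *b) { return strcmp(a, b); }
/* Comparator B: compare from the last character backwards (suffix order). */
static int cmp_reverse(const char *a, const char *b) {
    size_t i = strlen(a), j = strlen(b);
    while (i > 0 && j > 0) {
        int d = (unsigned char)a[--i] - (unsigned char)b[--j];
        if (d) return d;
    }
    return (i > 0) - (j > 0);   /* the longer name sorts after its suffix */
}

static struct node *insert(struct node *t, const char *k, cmp_fn cmp) {
    if (!t) { t = &pool[used++]; t->key = k; t->l = t->r = NULL; return t; }
    int c = cmp(k, t->key);
    if (c < 0) t->l = insert(t->l, k, cmp);
    else if (c > 0) t->r = insert(t->r, k, cmp);
    return t;
}

static int found(const struct node *t, const char *k, cmp_fn cmp) {
    while (t) {
        int c = cmp(k, t->key);
        if (c == 0) return 1;
        t = c < 0 ? t->l : t->r;   /* descend the side this comparator picks */
    }
    return 0;
}

/* Constructed sample entries, standing in for the lines of an ACL file. */
static const char *SAMPLE[] = { "mail.example.org", "www.example.com",
    "example.net", "cdn.example.org", "static.example.net", NULL };

/* Build the tree with one comparator, then look every entry up with another. */
int count_hits(cmp_fn build, cmp_fn search) {
    struct node *t = NULL;
    int hits = 0;
    used = 0;
    for (const char **s = SAMPLE; *s; s++) t = insert(t, *s, build);
    for (const char **s = SAMPLE; *s; s++) hits += found(t, *s, search);
    return hits;
}
```

With these constructed entries, count_hits(cmp_forward, cmp_reverse) finds only 2 of the 5 names that are in the tree, while using the same comparator for both steps finds all 5. Which names are missed depends on insertion order and tree shape, so the misses look arbitrary from the outside.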
