Red Hat Bugzilla – Bug 17247
ACL dstdomain matching fails
Last modified: 2014-03-16 22:16:14 EDT
dstdomain matching does not work correctly. Given access granted to all,
save for one ACL (e.g.):
acl site0 dstdomain "/home/squid/site0"
http_access allow site0
http_access deny all
where the file site0 contains:
the first access through Squid will work correctly, but then any subsequent
accesses to any of these domains will work randomly around 30% of the time,
otherwise resulting in a 403 DENIED error. There appears to be no
predictability as to which domains will work and which won't.
This bug is addressed in Squid-2.3DEVEL3 and again in Squid-2.3STABLE2,
however neither fixes the problem completely. The problem is still present in
Created attachment 3240
Sample squid.conf file
Problem was reported to squid-bugs mailing list on 23rd August, no response as
Patch sent on Sept. 19; I've gotten *zero* response.
I'm closing this.
Created attachment 3575
patch to fix this problem
Patch appears to fix problem; however it also appears to create other problems:
In the example above, after applying the patch, bayern.de and www.lbs-bayern.de
do not work (i.e., obey the rules) when they should.
I can't reproduce that with this patch;
with the config supplied, www.lbs-bayern.de is allowed,
and bayern.de is (correctly) denied.
Here's another patch. Squid was using one comparison
routine when adding entries to the tree, and another
when searching it. Not good.
Created attachment 5119
a second patch to solve the domain matching problems
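The mismatch described in the comment above (one comparison routine when adding entries, another when searching), shown as an added example that is not Squid's code and not either attached patch. It assumes a plain unbalanced binary search tree standing in for Squid's tree, two hypothetical comparators (cmp_forward, cmp_reverse), and constructed domain names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*cmp_fn)(const char *, const char *);
typedef struct node { const char *key; struct node *l, *r; } node;
/* Ordering A: plain left-to-right string order. */
static int cmp_forward(const char *a, const char *b) { return strcmp(a, b); }
/* Ordering B: compare from the last character backwards (suffix order). */
static int cmp_reverse(const char *a, const char *b) {
    size_t i = strlen(a), j = strlen(b);
    while (i > 0 && j > 0) {
        int d = (unsigned char)a[--i] - (unsigned char)b[--j];
        if (d != 0) return d;
    }
    return (i > 0) - (j > 0);
}

/* Walk down from *t using cmp; return the link where key is or would be. */
static node **slot(node **t, const char *key, cmp_fn cmp) {
    int c = 0;
    while (*t != NULL && (c = cmp(key, (*t)->key)) != 0)
        t = c < 0 ? &(*t)->l : &(*t)->r;
    return t;
}

/* Constructed sample entries, standing in for the domains in an ACL file. */
static const char *KEYS[] = { "m.example.org", "a.example.net",
    "z.example.com", "b.example.org", "y.example.com" };
enum { NKEYS = sizeof KEYS / sizeof KEYS[0] };

/* Build the tree with `add`, look every key up with `find`; count hits. */
int count_found(cmp_fn add, cmp_fn find) {
    node *root = NULL;
    int hits = 0;
    for (int i = 0; i < NKEYS; i++) {
        node **s = slot(&root, KEYS[i], add);  /* keys unique: empty link */
        if ((*s = calloc(1, sizeof **s)) == NULL) abort();
        (*s)->key = KEYS[i];
    }
    for (int i = 0; i < NKEYS; i++)
        hits += *slot(&root, KEYS[i], find) != NULL;
    return hits;  /* nodes are not freed: one-shot demo */
}

int main(void) {
    printf("same routine:   %d found\n", count_found(cmp_reverse, cmp_reverse));
    printf("mixed routines: %d found\n", count_found(cmp_forward, cmp_reverse));
    return 0;
}
```

Every entry is still in the tree in the mixed case; the search simply descends the wrong branch. With the configuration in the report, a lookup that misses falls through to `http_access deny all`.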
After discussions with Bernd, it appears that the first patch is in
error. With just the second patch, it seems to work OK. This will
be fixed in squid-2.3.STABLE4-3, which will be in the next rawhide