dstdomain matching does not work correctly. Given access granted to all, save for one ACL (e.g.): acl site0 dstdomain "/home/squid/site0" http_access allow site0 http_access deny all where the file site0 contains: www.lbs-bayern.de www.sparkassenverband-bayern.de www.bayern.de the first access through Squid will work correctly, but then any subsequent accesses to any of these domains will work randomly around 30% of the time, otherwise resulting in a 403 DENIED error. There appears to be no predictability as to which domains will work and which won't. This bug is addressed in Squid-2.3DEVEL3 and again in Squid-2.3STABLE2, however neither fix the problem completely. The problem is still present in Squid-2.3STABLE4.
Created attachment 3240 [details] Sample squid.conf file
Problem was reported to squid-bugs mailing list on 23th August, no response as yet!
Patch sent on sept. 19; I've gotten *zero* response. I'm closing this.
Created attachment 3575 [details] patch to fix this problem
Patch appears to fix problem; however it also appears to create other problems: In the example above, after applying the patch, bayern.de and www.lbs-bayern.de do not work (ie, obey the rules) when they should.
I can't reproduce that with this patch; with the config supplied, www.lbs-bayern.de is allowed, and bayern.de is (correctly) denied.
Here's another patch. squid was using one comparison routine when adding entries to the tree, and another when searching it. Not good.
Created attachment 5119 [details] a second patch to solve the domain matching problems
After discussions with Bernd, it appears that the first patch is in error. With just the second patch, it seems to work OK. This will be fixed in squid-2.3.STABLE4-3, which will be in the next rawhide release.