0002848: SQUID/Dansguardian shows an Access Denied page when the page does not exist
ID: 0002848
Project: Endian Firewall
Category: Proxy HTTP
View Status: public
Date Submitted: 2010-04-15 17:21
Last Update: 2011-02-01 15:13
Reporter: albaney
Assigned To: peter-endian
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.3
Target Version: future
Fixed in Version: 2.5
Summary: 0002848: SQUID/Dansguardian shows an Access Denied page when the page does not exist
Description: When we try to access a page with an explicit permission in the access policy, Squid shows a page informing "The dnsserver returned: Name Error: The domain name does not exist."

However, our default policy is to use a Content Filter. When we try a page without the explicit permission the message is "Access Denied."
Tags: purple

- Notes
(0004188)
albaney (reporter)
2010-04-28 18:58

Nothing?
(0004192)
luca-endian (developer)
2010-04-29 14:58

I agree, this is a misleading message.
(0005397)
ardit-endian (developer)
2010-12-20 10:30

This happens with the proxy set to non-transparent; when the proxy is set to transparent, the default browser message is displayed instead of the "access denied" error page.
(0005556)
peter-endian (administrator)
2011-01-31 12:08

found the cause of the issue, but no solution, yet:

our catch-all acls are these:

acl all src 0.0.0.0/0.0.0.0
acl from_all src 0.0.0.0/0.0.0.0
acl to_all dst 0.0.0.0/0.0.0.0

which match all, but only ip addresses.

in this case, we have a DNS resolving issue, so no ip address for the request.
those catch-alls need to match also when there is no ip address.
(0005557)
peter-endian (administrator)
2011-01-31 12:11

acl all dstdomain none

??
probably, let's try.
(0005575)
peter-endian (administrator)
2011-02-01 10:30

good to know.. a line in squid.conf:

debug_options ALL,1 33,2

or

debug_options ALL,1 33,2 28,9

makes squid log in cache.log *why* a request has been blocked

http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F
(0005576)
peter-endian (administrator)
2011-02-01 10:53

this is the problem:

http_access allow from_localhost
[...]
http_access allow from_all to_rule0 within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access deny from_all


squid does:

2011/02/01 11:33:47| aclCheck: checking 'http_access allow from_all to_all within_timeframe_rule1 '
2011/02/01 11:33:47| aclMatchAclList: checking from_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl from_all src 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchIp: '192.168.11.55' found
2011/02/01 11:33:47| aclMatchAclList: checking to_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl to_all dst 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchAclList: no match, returning 0


the to_all acl is 0/0, but in this case the request has no ip address, only the unresolved domain.
(0005577)
peter-endian (administrator)
2011-02-01 11:09

adding a rule which allows every domain helps. don't know if this is the best solution however:

acl to_alldomains dstdom_regex .*

http_access allow from_localhost
[...]
http_access allow from_all to_rule0 within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access allow from_all within_timeframe_rule1 to_alldomains
http_access deny from_all

# http reply access rules
http_reply_access allow from_localhost
http_reply_access allow from_all to_all within_timeframe_rule1
http_reply_access allow from_all within_timeframe_rule1 to_alldomains
http_reply_access deny from_all
(0005580)
peter-endian (administrator)
2011-02-01 15:05

http_reply_access allow within_timeframe_rule1

instead of:

http_reply_access allow from_all within_timeframe_rule1 to_alldomains

is even better :)
thanks to suggestions on the squid mailing list
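
Added example (not part of the original notes, and not Squid's own code): a simplified Python model of first-match http_access evaluation, run over the last rules from the notes before and after the `to_alldomains` line was added. The request dicts, the always-true time ACL and the treatment of an unresolved host as `dst_ip = None` are assumptions of the model.

```python
import ipaddress
import re

ANY_IP = ipaddress.ip_network("0.0.0.0/0")

# ACL name -> predicate over a request. dst_ip is None when the host name
# did not resolve, which is the case described in the notes.
ACLS = {
    "from_all": lambda r: ipaddress.ip_address(r["src_ip"]) in ANY_IP,
    "to_all": lambda r: r["dst_ip"] is not None
    and ipaddress.ip_address(r["dst_ip"]) in ANY_IP,
    "to_alldomains": lambda r: re.search(r".*", r["host"]) is not None,
    # Assumption: the request falls inside the rule's time window.
    "within_timeframe_rule1": lambda r: True,
}

BEFORE = """\
http_access allow from_all to_all within_timeframe_rule1
http_access deny from_all
"""
AFTER = """\
http_access allow from_all to_all within_timeframe_rule1
http_access allow from_all within_timeframe_rule1 to_alldomains
http_access deny from_all
"""

# Constructed requests: same client, one resolvable and one unknown host.
RESOLVED = {"src_ip": "192.168.11.55", "host": "www.example.com", "dst_ip": "192.0.2.10"}
UNRESOLVED = {"src_ip": "192.168.11.55", "host": "no-such-host.invalid", "dst_ip": None}


def evaluate(rules, request):
    """Return (action, rule) for the first rule whose ACLs all match."""
    for rule in rules.splitlines():
        _directive, action, *names = rule.split()
        if all(ACLS[name](request) for name in names):
            return action, rule
    return None, None  # not reached here: both lists end in a catch-all


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        for req in (RESOLVED, UNRESOLVED):
            print(label, req["host"], "->", evaluate(rules, req)[0])
```

With the extra rule the unresolved request is allowed through, so Squid goes on to report the DNS failure instead of the Access Denied page.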

- Issue History
Date Modified Username Field Change
2010-04-15 17:21 albaney New Issue
2010-04-28 18:58 albaney Note Added: 0004188
2010-04-29 14:56 luca-endian Tag Attached: purple
2010-04-29 14:58 luca-endian Note Added: 0004192
2010-04-29 14:58 luca-endian Status new => confirmed
2010-05-10 09:14 peter-endian Target Version => future
2010-12-20 10:30 ardit-endian Note Added: 0005397
2011-01-31 10:54 ra-endian Customer Occurencies => 2-3
2011-01-31 12:08 peter-endian Note Added: 0005556
2011-01-31 12:11 peter-endian Note Added: 0005557
2011-02-01 10:30 peter-endian Note Added: 0005575
2011-02-01 10:53 peter-endian Note Added: 0005576
2011-02-01 11:09 peter-endian Note Added: 0005577
2011-02-01 15:05 peter-endian Note Added: 0005580
2011-02-01 15:09 lorenzo-endian Assigned To => peter-endian
2011-02-01 15:13 peter-endian Status confirmed => resolved
2011-02-01 15:13 peter-endian Fixed in Version => 2.5
2011-02-01 15:13 peter-endian Resolution open => fixed
