Endian Bugtracker
ID: 0002848
Project: Endian Firewall
Category: Proxy HTTP
View Status: public
Date Submitted: 2010-04-15 19:21
Last Update: 2011-02-01 16:13
Reporter: albaney
Assigned To: peter-endian
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 2.3
Target Version: future
Fixed in Version: 2.5
Summary: 0002848: SQUID/Dansguardian shows a Access Denied page when page not exists
Description: When we try to access a page with an explicit permission in the access policy, Squid shows a page informing "The dnsserver returned: Name Error: The domain name does not exist."

However, our default policy is to use a Content Filter. When we try a page without the explicit permission the message is "Access Denied."
Tags: purple
-  Notes
(0004188)
albaney (reporter)
2010-04-28 20:58

Nothing?
(0004192)
luca-endian (developer)
2010-04-29 16:58

I agree, this is a misleading message.
(0005397)
ardit-endian (developer)
2010-12-20 11:30

This happens with the proxy set to non-transparent. When the proxy is set to transparent, the default browser message is displayed instead of the error "access denied" page.
(0005556)
peter-endian (administrator)
2011-01-31 13:08

found the cause of the issue, but no solution, yet:

our catch-all acls are these:

acl all src 0.0.0.0/0.0.0.0
acl from_all src 0.0.0.0/0.0.0.0
acl to_all dst 0.0.0.0/0.0.0.0

which match all, but only ip addresses.

in this case, we have a DNS resolving issue, so no ip address for the request.
those catch-alls need to match also when there is no ip address.
(0005557)
peter-endian (administrator)
2011-01-31 13:11

acl all dstdomain none

??
probably, let's try.
(0005575)
peter-endian (administrator)
2011-02-01 11:30

good to know.. a line in squid.conf:

debug_options ALL,1 33,2

or

debug_options ALL,1 33,2 28,9

makes squid log in cache.log *why* a request has been blocked

http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F
(0005576)
peter-endian (administrator)
2011-02-01 11:53

this is the problem:

http_access allow from_localhost
[...]
http_access allow from_all to_rule0 within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access deny from_all


squid does:

2011/02/01 11:33:47| aclCheck: checking 'http_access allow from_all to_all within_timeframe_rule1 '
2011/02/01 11:33:47| aclMatchAclList: checking from_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl from_all src 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchIp: '192.168.11.55' found
2011/02/01 11:33:47| aclMatchAclList: checking to_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl to_all dst 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchAclList: no match, returning 0


the to_all acl is 0/0, but the request has no ip address in this case, only the unresolved domain.
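The cache.log trace quoted in the note above can be read mechanically. The following parser is an added example, not part of the original thread or of Squid or Endian code; it uses the log lines from that note as sample input and reports which ACL made an http_access rule fail. The function and field names are chosen for this example.

```python
import re

# Sample input: the cache.log lines quoted in note 0005576 (debug section 28).
SAMPLE_LOG = """\
2011/02/01 11:33:47| aclCheck: checking 'http_access allow from_all to_all within_timeframe_rule1 '
2011/02/01 11:33:47| aclMatchAclList: checking from_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl from_all src 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchIp: '192.168.11.55' found
2011/02/01 11:33:47| aclMatchAclList: checking to_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl to_all dst 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchAclList: no match, returning 0
"""

RULE = re.compile(r"aclCheck: checking '(.*?)\s*'")
NAME = re.compile(r"aclMatchAclList: checking (\S+)")
DEFN = re.compile(r"aclMatchAcl: checking '(.*?)'")
MISS = re.compile(r"aclMatchAclList: no match, returning 0")


def failed_acls(log_text):
    """Return one dict per rule that did not match, naming the ACL that failed."""
    results, rule, name, defn = [], None, None, None
    for line in log_text.splitlines():
        msg = line.split("| ", 1)[-1]          # drop the "date time| " prefix
        if m := RULE.search(msg):              # a new http_access rule is tested
            rule, name, defn = m.group(1), None, None
        elif m := NAME.search(msg):            # next ACL name within that rule
            name, defn = m.group(1), None
        elif m := DEFN.search(msg):            # the ACL's definition line
            defn = m.group(1)
        elif MISS.search(msg) and rule:        # the ACL checked last did not match
            kind = defn.split()[2] if defn else None
            results.append({"rule": rule, "acl": name, "definition": defn,
                            # src/dst ACLs compare IP addresses only
                            "ip_based": kind in ("src", "dst")})
            rule = None
    return results


if __name__ == "__main__":
    for hit in failed_acls(SAMPLE_LOG):
        print(hit)
```

An `ip_based` miss on a `dst` ACL that is defined as 0/0 is the signature of the case discussed here: the destination never resolved to an address, so there was nothing to compare.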
(0005577)
peter-endian (administrator)
2011-02-01 12:09

adding a rule which allows every domain helps. don't know if this is the best solution however:

acl to_alldomains dstdom_regex .*

http_access allow from_localhost
[...]
http_access allow from_all to_rule0 within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access allow from_all within_timeframe_rule1 to_alldomains
http_access deny from_all

# http reply access rules
http_reply_access allow from_localhost
http_reply_access allow from_all to_all within_timeframe_rule1
http_reply_access allow from_all within_timeframe_rule1 to_alldomains
http_reply_access deny from_all
(0005580)
peter-endian (administrator)
2011-02-01 16:05

http_reply_access allow within_timeframe_rule1

instead of:

http_reply_access allow from_all within_timeframe_rule1 to_alldomains

is even better :)
thanks to suggestions on the squid mailing list
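The effect of the rule change in the notes above can be reproduced with a small model of first-match http_access evaluation. This is an added example, not Squid or Endian code: it assumes the timeframe ACL always matches, leaves out from_localhost and the rule0 line whose ACL definitions are not shown in the thread, and uses constructed host names and addresses.

```python
import ipaddress
import re


def acl_matches(acl, req):
    """Model of one ACL test; req["dst_ip"] is None when DNS resolution failed."""
    kind, value = acl
    if kind == "src":
        return ipaddress.ip_address(req["src_ip"]) in ipaddress.ip_network(value)
    if kind == "dst":
        # An IP-based ACL has nothing to compare when the host did not resolve.
        if req["dst_ip"] is None:
            return False
        return ipaddress.ip_address(req["dst_ip"]) in ipaddress.ip_network(value)
    if kind == "dstdom_regex":
        return re.search(value, req["host"]) is not None
    if kind == "time":
        return value  # assumption: the timeframe ACL is reduced to a constant
    raise ValueError(kind)


def http_access(rules, acls, req):
    """The first rule whose ACLs all match decides; returns (action, ACL names)."""
    for action, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return action, names
    return "deny", ()  # fallback for the model only; not reached below


ACLS = {
    "from_all": ("src", "0.0.0.0/0"),
    "to_all": ("dst", "0.0.0.0/0"),
    "to_alldomains": ("dstdom_regex", ".*"),
    "within_timeframe_rule1": ("time", True),
}
ORIGINAL = [("allow", ("from_all", "to_all", "within_timeframe_rule1")),
            ("deny", ("from_all",))]
PATCHED = (ORIGINAL[:1]
           + [("allow", ("from_all", "within_timeframe_rule1", "to_alldomains"))]
           + ORIGINAL[1:])

# Constructed requests: one host that resolves, one that does not.
RESOLVED = {"src_ip": "192.168.11.55", "host": "www.example.com", "dst_ip": "192.0.2.10"}
UNRESOLVED = {"src_ip": "192.168.11.55", "host": "no-such-host.example", "dst_ip": None}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("patched", PATCHED)):
        print(label, http_access(rules, ACLS, UNRESOLVED))
```

With the original rules the unresolved request falls through to `deny from_all`, which is what produced the "Access Denied" page in place of the DNS error; with the added rule it is allowed by http_access and the DNS error can reach the client.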

- Issue History
Date Modified Username Field Change
2010-04-15 19:21 albaney New Issue
2010-04-28 20:58 albaney Note Added: 0004188
2010-04-29 16:56 luca-endian Tag Attached: purple
2010-04-29 16:58 luca-endian Note Added: 0004192
2010-04-29 16:58 luca-endian Status new => confirmed
2010-05-10 11:14 peter-endian Target Version => future
2010-12-20 11:30 ardit-endian Note Added: 0005397
2011-01-31 11:54 ra-endian Customer Occurencies => 2-3
2011-01-31 13:08 peter-endian Note Added: 0005556
2011-01-31 13:11 peter-endian Note Added: 0005557
2011-02-01 11:30 peter-endian Note Added: 0005575
2011-02-01 11:53 peter-endian Note Added: 0005576
2011-02-01 12:09 peter-endian Note Added: 0005577
2011-02-01 16:05 peter-endian Note Added: 0005580
2011-02-01 16:09 lorenzo-endian Assigned To => peter-endian
2011-02-01 16:13 peter-endian Status confirmed => resolved
2011-02-01 16:13 peter-endian Fixed in Version => 2.5
2011-02-01 16:13 peter-endian Resolution open => fixed
