0002848: SQUID/Dansguardian shows a Access Denied page when page not exists - MantisBT Endian Bugtracker
Endian Issue Tracker

ID: 0002848
Project: Endian Firewall
Category: Proxy HTTP
View Status: public
Date Submitted: 2010-04-15 17:21
Last Update: 2011-02-01 15:13
Assigned To: peter-endian
Priority: normal
Severity: minor
Reproducibility: have not tried
Product Version: 2.3
Target Version: future
Fixed in Version: 2.5
Summary: 0002848: SQUID/Dansguardian shows a Access Denied page when page not exists
Description: When we try to access a page with an explicit permission in the access policy, Squid shows a page informing "The dnsserver returned: Name Error: The domain name does not exist."

However, our default policy is to use a Content Filter. When we try a page without the explicit permission the message is "Access Denied."

-  Notes
albaney (reporter)
2010-04-28 18:58

luca-endian (developer)
2010-04-29 14:58

I agree, this is a misleading message.
ardit-endian (developer)
2010-12-20 10:30

This happens with proxy set to non-transparent; when proxy is set to transparent, the default browser message is displayed instead of the error "access denied" page.
peter-endian (administrator)
2011-01-31 12:08

found the cause of the issue, but no solution, yet:

our catch-all acls are these:

acl all src
acl from_all src
acl to_all dst

which match all, but only ip addresses.

in this case, we have a DNS resolving issue, so no ip address for the request.
those catch-alls need to match also when there is no ip address.
peter-endian (administrator)
2011-01-31 12:11

acl all dstdomain none

probably, let's try.
peter-endian (administrator)
2011-02-01 10:30

good to know.. a line in squid.conf:

debug_options ALL,1 33,2


debug_options ALL,1 33,2 28,9

makes squid log in cache.log *why* a request has been blocked
peter-endian (administrator)
2011-02-01 10:53

this is the problem:

http_access allow from_localhost
http_access allow from_all to_rule0 within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access deny from_all

squid does:

2011/02/01 11:33:47| aclCheck: checking 'http_access allow from_all to_all within_timeframe_rule1 '
2011/02/01 11:33:47| aclMatchAclList: checking from_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl from_all src'
2011/02/01 11:33:47| aclMatchIp: '' found
2011/02/01 11:33:47| aclMatchAclList: checking to_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl to_all dst'
2011/02/01 11:33:47| aclMatchAclList: no match, returning 0

the to_all acl is 0/0, but in this case the request is not an ip address but the unresolved domain.
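
Added example (not part of the original notes and not Squid code): a small Python parser for the section 28 debug trace quoted in the note above, reporting for each http_access line checked which ACL returned no match. The line format is taken from that excerpt and is assumed to hold for the cache.log being read; other Squid versions may log differently.

```python
import re

# Lines copied from the cache.log excerpt quoted in the note above.
SAMPLE = """\
2011/02/01 11:33:47| aclCheck: checking 'http_access allow from_all to_all within_timeframe_rule1 '
2011/02/01 11:33:47| aclMatchAclList: checking from_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl from_all src'
2011/02/01 11:33:47| aclMatchIp: '' found
2011/02/01 11:33:47| aclMatchAclList: checking to_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl to_all dst'
2011/02/01 11:33:47| aclMatchAclList: no match, returning 0
"""

# "<date> <time>| <function>: <message>"
LINE = re.compile(r"^\S+ \S+\| (\w+): (.*)$")

def failed_acls(log_text):
    """Return [(http_access line, ACL name that did not match)] from the trace."""
    results = []
    rule = current = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a trace line in the expected format
        func, msg = m.groups()
        if func == "aclCheck" and msg.startswith("checking '"):
            # A new http_access line is being evaluated.
            rule = msg[len("checking '"):].rstrip("' ")
            current = None
        elif func == "aclMatchAclList" and msg.startswith("checking "):
            # ACLs on the line are tested left to right; remember the latest one.
            current = msg[len("checking "):].strip()
        elif func == "aclMatchAclList" and msg.startswith("no match"):
            if rule and current:
                results.append((rule, current))
    return results

if __name__ == "__main__":
    for rule, acl in failed_acls(SAMPLE):
        print(f"{rule!r} stopped at ACL {acl!r}")
```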
peter-endian (administrator)
2011-02-01 11:09

adding a rule which allows every domain helps. don't know if this is the best solution however:

acl to_alldomains dstdom_regex .*

http_access allow from_localhost
http_access allow from_all to_rule0 within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access allow from_all within_timeframe_rule1 to_alldomains
http_access deny from_all

# http reply access rules
http_reply_access allow from_localhost
http_reply_access allow from_all to_all within_timeframe_rule1
http_reply_access allow from_all within_timeframe_rule1 to_alldomains
http_reply_access deny from_all
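
Added example (not part of the original notes and not Squid code): a simplified Python model of the first-match http_access evaluation described above, showing why a request for an unresolvable host falls through to the final deny and how the to_alldomains line changes that. Assumptions: the src/dst values other than to_all = 0/0, the to_rule0 target, the sample requests, and treating the time ACLs as always active.

```python
import ipaddress
import re

# ACL values are assumptions for this model; the notes give only to_all = 0/0.
ACLS = {
    "from_localhost": ("src", "127.0.0.1/32"),
    "from_all": ("src", "0.0.0.0/0"),
    "to_all": ("dst", "0.0.0.0/0"),
    "to_rule0": ("dst", "192.0.2.0/24"),          # hypothetical rule target
    "within_timeframe_rule0": ("always", None),   # time ACLs treated as active
    "within_timeframe_rule1": ("always", None),
    "to_alldomains": ("dstdom_regex", ".*"),
}
ORIGINAL = [
    ("allow", ["from_localhost"]),
    ("allow", ["from_all", "to_rule0", "within_timeframe_rule0"]),
    ("allow", ["from_all", "to_all", "within_timeframe_rule1"]),
    ("deny", ["from_all"]),
]
# The workaround inserts one allow line just before the final deny.
FIXED = ORIGINAL[:3] + [
    ("allow", ["from_all", "within_timeframe_rule1", "to_alldomains"]),
] + ORIGINAL[3:]

def acl_matches(name, req):
    kind, arg = ACLS[name]
    if kind == "always":
        return True
    if kind == "dstdom_regex":
        return re.search(arg, req["host"]) is not None
    # src/dst compare an IP address; dst has none when DNS resolution failed.
    ip = req["src_ip"] if kind == "src" else req["dst_ip"]
    return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(arg)

def http_access(rules, req):
    """Return (action, ACL names) of the first line whose ACLs all match."""
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action, names
    return "deny", []  # not reached here: 'deny from_all' matches every client

# Constructed requests: same client, one resolvable host and one that is not.
RESOLVED = {"src_ip": "10.0.0.5", "host": "www.example.com", "dst_ip": "198.51.100.7"}
UNRESOLVED = {"src_ip": "10.0.0.5", "host": "no-such-host.invalid", "dst_ip": None}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for req in (RESOLVED, UNRESOLVED):
            print(label, req["host"], http_access(rules, req))
```

Because evaluation stops at the first matching line, the to_alldomains allow matches every hostname from from_all inside the timeframe, so any line placed between it and the final deny is never reached.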
peter-endian (administrator)
2011-02-01 15:05

http_reply_access allow within_timeframe_rule1

instead of:

http_reply_access allow from_all within_timeframe_rule1 to_alldomains

is even better :)
thanks to suggestions on the squid mailing list

- Issue History
Date Modified Username Field Change
2010-04-15 17:21 albaney New Issue
2010-04-28 18:58 albaney Note Added: 0004188
2010-04-29 14:56 luca-endian Tag Attached: purple
2010-04-29 14:58 luca-endian Note Added: 0004192
2010-04-29 14:58 luca-endian Status new => confirmed
2010-05-10 09:14 peter-endian Target Version => future
2010-12-20 10:30 ardit-endian Note Added: 0005397
2011-01-31 10:54 ra-endian Customer Occurencies => 2-3
2011-01-31 12:08 peter-endian Note Added: 0005556
2011-01-31 12:11 peter-endian Note Added: 0005557
2011-02-01 10:30 peter-endian Note Added: 0005575
2011-02-01 10:53 peter-endian Note Added: 0005576
2011-02-01 11:09 peter-endian Note Added: 0005577
2011-02-01 15:05 peter-endian Note Added: 0005580
2011-02-01 15:09 lorenzo-endian Assigned To => peter-endian
2011-02-01 15:13 peter-endian Status confirmed => resolved
2011-02-01 15:13 peter-endian Fixed in Version => 2.5
2011-02-01 15:13 peter-endian Resolution open => fixed
