Re: [squid-users] Problem with ACL in access_log directive

From: Francis GASCHET <fg_at_numlog.fr>
Date: Wed, 22 Dec 2010 18:10:57 +0100

Thank you Amos, it works.
I just forgot that in the xxx_access directives the ACLs are ANDed !

Ciao!

--
Francis GASCHET / NUMLOG
http://www.numlog.fr
Tel.: +33 (0) 130 791 616
Fax.: +33 (0) 130 819 286
Le 12/22/2010 02:23 PM Amos Jeffries a écrit  :
> On 22/12/10 22:34, Francis GASCHET wrote:
>> Hello,
>>
>> We recently had to upgrade a proxy server from Debian 4 to Debian 5 and
>> installed Squid 2.7 :
>> #squid -v
>> Squid Cache: Version 2.7.STABLE3
>> configure options: '--prefix=/usr' '--exec_prefix=/usr'
>> '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
>> '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid'
>> '--datadir=/usr/share/squid' '--enable-async-io' '--with-pthreads'
>> '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter'
>> '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap'
>> '--enable-snmp' '--enable-delay-pools' '--enable-htcp'
>> '--enable-cache-digests' '--enable-underscores' '--enable-referer-log'
>> '--enable-useragent-log' '--enable-auth=basic,digest,ntlm,negotiate'
>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-carp'
>> '--enable-follow-x-forwarded-for' '--with-large-files'
>> '--with-maxfd=65536' 'i386-debian-linux' 'build_alias=i386-debian-linux'
>> 'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux'
>> 'CFLAGS=-Wall -g -O2' 'LDFLAGS=' 'CPPFLAGS='
>>
>>
>> With Squid 2.6 we used multiple access_log directives, based on
>> different ACLs and it worked fine.
>> Since we installed the 2.7 version it looks broken : as soon as I put an
>> ACL, requests are no more logged. I tried with and without the module:
>> same result. i tried also the 2 syntaxes for net mask...
>> access_log stdio:/var/log/squid/access.log squid : this is OK (if
>> log_access is not defined)
>> access_log stdio:/var/log/squid/access.log squid NORD : this doesn't
>> work. Indeed the ACL NORD is declared and listed in log_access. No error
>> when I reload the configuration.
>>
>>
>> Thereafter is the configuration I would like to get running:
>> acl SUD src 192.168.3.0/24 192.168.192.0/24
>> acl NORD src 192.168.5.0/24 192.168.82.0/24
>> acl NML src 1.1.1.1/255.255.255.255
>> access_log stdio:/var/log/squid/sud.log squid SUD
>> access_log stdio:/var/log/squid/access.log squid NORD
>> access_log stdio:/var/log/squid/access.log squid NML
>> log_access allow SUD NORD NML
>
> The log_access line tells Squid to only log when the src IP is in all 
> three of the non-overlapping ranges.
>
> You need to write it:
>   log_access allow SUD
>   log_access allow NORD
>   log_access allow NML
>   log_access deny all
>
>
> Amos
Received on Wed Dec 22 2010 - 17:11:46 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 22 2010 - 12:00:03 MST