[squid-users] Cannot select peer when request is IP address

From: Stephen Borrill <squid_at_borrill.org.uk>
Date: Fri, 29 Nov 2013 16:03:18 +0000

I've found a problem with selecting a parent cache if the request is an
IP address. Tested with various versions including 3.3.10. Example
config fragment is below:

cache_peer 192.168.1.143 parent 3128 0 no-query no-digest default name=prox1
cache_peer 192.168.1.144 parent 3128 0 no-query no-digest name=prox2
never_direct allow all
acl domlist dstdomain -n .bbc.co.uk

cache_peer_access prox1 deny domlist
cache_peer_access prox2 allow domlist
cache_peer_access prox1 allow all
cache_peer_access prox2 deny all

Idea is that the parent cache will be selected on the basis of
dstdomain. However, if the request is for, say, http://123.234.123.234/
HIER_NONE is returned. Selection works as expected if a domain is given.
Edited access log entries below:

TCP_MISS/500 1716 GET http://123.234.123.234/ - HIER_NONE/- text/html
TCP_MISS/200 56303 GET http://www.cam.ac.uk/ - FIRSTUP_PARENT/192.168.1.143 text/html
TCP_MISS/200 126090 GET http://www.bbc.co.uk/ - FIRSTUP_PARENT/192.168.1.144 text/html

Problem appears to be that IP address URLs bypass the 'all' acl checks.

Non-working parent selection:
Acl.cc(336) matches: ACLList::matches: checking domlist
Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'domlist'
DomainData.cc(131) match: aclMatchDomainList: checking '123.234.123.234'
DomainData.cc(135) match: aclMatchDomainList: '123.234.123.234' NOT found
ipcache.cc(960) ipcacheCheckNumeric: ipcacheCheckNumeric: HIT_BYPASS for '123.234.123.234' == 123.234.123.234
fqdncache.cc(540) fqdncache_nbgethostbyaddr: fqdncache_nbgethostbyaddr: Name '123.234.123.234'.
fqdncache.cc(578) fqdncache_nbgethostbyaddr: fqdncache_nbgethostbyaddr: MISS for '123.234.123.234'
dns_internal.cc(1769) idnsPTRLookup: idnsPTRLookup: buf is 46 bytes for 123.234.123.234, id = 0x6f78
comm.cc(1197) comm_udp_sendto: comm_udp_sendto: Attempt to send UDP packet to 127.0.0.1:53 using FD 7 using Port 64333
DestinationDomain.cc(109) match: aclMatchAcl: Can't yet compare 'domlist' ACL for '123.234.123.234'
Acl.cc(346) matches: domlist needs async lookup
Acl.cc(354) matches: domlist result is false
neighbors.cc(299) getFirstUpParent: getFirstUpParent: returning NULL

Working parent selection:
Acl.cc(336) matches: ACLList::matches: checking domlist
Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'domlist'
DomainData.cc(131) match: aclMatchDomainList: checking 'www.cam.ac.uk'
DomainData.cc(135) match: aclMatchDomainList: 'www.cam.ac.uk' NOT found
Acl.cc(349) matches: domlist mismatched.
Acl.cc(354) matches: domlist result is false
Acl.cc(336) matches: ACLList::matches: checking all
Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'all'
Ip.cc(134) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: 127.0.0.1:57674/[::] ([::]:57674) vs [::]-[::]/[::]
Ip.cc(560) match: aclIpMatchIp: '127.0.0.1:57674' found
Acl.cc(340) matches: all matched.
Acl.cc(354) matches: all result is true
neighbors.cc(1143) neighborUp: neighborUp: UP (no-query): 192.168.1.143 (192.168.1.143)
neighbors.cc(299) getFirstUpParent: getFirstUpParent: returning 192.168.1.143
peer_select.cc(702) peerGetSomeParent: peerSelect: FIRSTUP_PARENT/192.168.1.143
peer_select.cc(935) peerAddFwdServer: peerAddFwdServer: adding 192.168.1.143 FIRSTUP_PARENT

-- 
Stephen
Received on Fri Nov 29 2013 - 16:03:08 MST
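
Added example, not part of the original post: a Python check that scans access-log lines in the edited shape shown above and lists misses to IP-literal hosts that ended with HIER_NONE, the symptom the post describes. The first three sample lines are the post's entries; the remaining lines and all function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Edited log shape from the post; search() also finds it inside a full native line.
ENTRY = re.compile(
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+\d+\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+\S+\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)"
)

def host_is_ip_literal(url):
    """True when the request target is an IPv4/IPv6 literal rather than a domain."""
    try:
        # CONNECT targets are host:port with no scheme; "//" makes urlsplit see a netloc.
        host = urlsplit(url if "://" in url else "//" + url).hostname
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False

def unrouted_ip_requests(lines):
    """Return (url, status) for misses to IP-literal hosts where no peer was chosen."""
    found = []
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue
        # Cache hits also log HIER_NONE, so only misses point at failed peer selection.
        if m["hier"] == "HIER_NONE" and "MISS" in m["result"] and host_is_ip_literal(m["url"]):
            found.append((m["url"], int(m["status"])))
    return found

SAMPLE = [
    # The three entries from the post, unwrapped.
    "TCP_MISS/500 1716 GET http://123.234.123.234/ - HIER_NONE/- text/html",
    "TCP_MISS/200 56303 GET http://www.cam.ac.uk/ - FIRSTUP_PARENT/192.168.1.143 text/html",
    "TCP_MISS/200 126090 GET http://www.bbc.co.uk/ - FIRSTUP_PARENT/192.168.1.144 text/html",
    # Constructed lines: IPv6 literal, a cache hit, a native-format CONNECT.
    "TCP_MISS/500 1720 GET http://[2001:db8::1]/ - HIER_NONE/- text/html",
    "TCP_HIT/200 812 GET http://192.0.2.10/logo.png - HIER_NONE/- image/png",
    "1385740998.123 12 127.0.0.1 TCP_MISS/500 0 CONNECT 192.0.2.10:443 - HIER_NONE/- -",
]

if __name__ == "__main__":
    for url, status in unrouted_ip_requests(SAMPLE):
        print(f"no peer selected for IP-literal request: {url} (HTTP {status})")
```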