Re: [squid-users] deny_info

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 10 May 2011 16:03:43 +1200

 On Mon, 9 May 2011 23:24:50 -0400, Carlos Manuel Trepeu Pupo wrote:
> 2011/5/9 Amos Jeffries <squid3_at_treenet.co.nz>:
>> On Mon, 9 May 2011 13:07:50 -0400, Carlos Manuel Trepeu Pupo wrote:
>>>
>>> Hi, I'm now using deny_info to personalize the error pages. I have
>>> installed Squid 3.0 STABLE1 (I know it's an old version). Here is
>>> an
>>
>> So why for the sake of 6 *major* security vulnerabilities did you do
>> that?
>> http://www.squid-cache.org/Advisories
>
> I'm making tests for all the new things I will implement, so when all
> works fine I'll make the change!!!

 There is a deep problem with that approach... Squid changes over time.
 Both in capabilities and in problems present.

 You are extremely likely to hit problems with 3.0.STABLE1 which are
 resolved years ago (these security vulnerabilities just being the worst
 nasty ones), and face completely new problems with the newer version.
 Please pick the version you are going to roll out and test for problems
 with *that* version.

  If your testing and QA takes a long time, that is all the more reason to
 pick a very recent release when you start the process. It will age as you
 go, we are more likely to fix problems fast, and sometimes we can lend
 assistance to get it more stable by the time your testing completes.
 That saves you time spent "fixing" a problem only to be told it was
 already fixed in some version months ago.

>>
>>> example of my squid.conf:
>>>
>>> acl ext url_regex -i \.exe$
>>> acl ip src 192.168.10.10
>>> acl max maxconn 1
>>> http_access deny ip ext max
>>> # I already created the page in the errors pages directory.
>>> deny_info ERR_EXT_PAGE max
>>> http_access allow !max
>>>
>>> The problem is that the page it shows me is the default denied one
>>> and not mine. What's wrong and how could I fix it?
>>
>> Are you sure it's being denied by "deny ip ext max"?
>
> Yes, that's the only http_access that works with this ACL.

 I mean, is cache.log at "debug_options 28,9" saying there was
 a match on that line? (It will also tell you which deny_info it loaded.)

>
> I make a few test and this is the result:
>
> # THIS DOES NOT WORK
> acl ext url_regex -i \.exe$
> acl ip src 192.168.10.10
> acl max maxconn 1
> http_access deny ip ext max
> # I already created the page in the errors pages directory.
> deny_info ERR_EXT_PAGE max
> http_access allow !max
>
> # THIS WORKS
> acl ext url_regex -i \.exe$
> acl ip src 192.168.10.10
> acl max maxconn 1
> http_access deny max
> # I already created the page in the errors pages directory.
> deny_info ERR_EXT_PAGE max
> http_access allow !max
>
> The difference is that the "http_access deny" only has my ACL as an
> argument, but if I combine it, then it does not show me the PAGE that I
> created. Is there any way to solve that?

 Either the test URL does not end with ".exe" or the IP address making the
 TCP connection to Squid is not 192.168.10.10.

 maxconn is linked to the individual IP making the request, so you don't
 have to specify that unless you want it to only limit certain sources.

 Amos
Received on Tue May 10 2011 - 04:03:48 MDT
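To see why the order of ACLs on a combined http_access line matters for deny_info, here is a small Python model of the evaluation Amos describes above. It is an added illustration, not Squid's own code and not from this thread: it assumes first-match evaluation with the ACLs on one line ANDed and short-circuited left to right, that a denial is served the deny_info page of the last ACL checked on the denying line (the rule squid.conf documents for deny_info), and that a fall-through default denial gets the stock ERR_ACCESS_DENIED page, which is the behaviour the reply attributes to a combined line that never matched. The Request type, build_acls, evaluate, CONFIG_A, CONFIG_B and the sample requests are all constructed for the example; Python is used because a squid.conf fragment cannot be executed here.

```python
"""Simplified model of Squid http_access evaluation and deny_info page
selection (added example, not Squid's code).

Assumptions, labelled here because the thread does not spell them out:
  * a line matches only when every ACL term on it matches (AND);
  * terms are checked left to right and evaluation stops at the first miss;
  * a denial serves the deny_info page registered for the LAST ACL checked
    on the line that denied the request;
  * if no line matches, the opposite of the last line's action applies and a
    resulting denial gets the stock page (the case Amos points to).
Confirm real behaviour with `debug_options 28,9` in cache.log.
"""
import re
from dataclasses import dataclass

STOCK_PAGE = "ERR_ACCESS_DENIED"


@dataclass
class Request:
    src: str     # client IP of the TCP connection to Squid
    url: str
    conns: int   # connections this IP already has open (what maxconn counts)


def build_acls():
    """ACL predicates mirroring the thread's three acl lines (constructed)."""
    exe = re.compile(r"\.exe$", re.IGNORECASE)        # acl ext url_regex -i \.exe$
    return {
        "ext": lambda r: exe.search(r.url) is not None,
        "ip": lambda r: r.src == "192.168.10.10",       # acl ip src 192.168.10.10
        "max": lambda r: r.conns > 1,                   # acl max maxconn 1
    }


def evaluate(rules, acls, deny_info, request):
    """Return ("allow" | "deny", error_page_or_None) for one request.

    rules: list of (action, [terms]) in squid.conf order; a leading "!"
    negates a term.  deny_info: dict mapping ACL name -> error page.
    """
    last_checked = None
    last_action = "deny"
    for action, terms in rules:
        last_action = action
        matched = True
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            last_checked = name          # the ACL deny_info would key off
            hit = acls[name](request)
            if negate:
                hit = not hit
            if not hit:
                matched = False
                break                    # short-circuit: later terms untouched
        if matched:
            if action == "allow":
                return ("allow", None)
            return ("deny", deny_info.get(last_checked, STOCK_PAGE))
    # No line matched: opposite of the last line's action; a fall-through
    # denial is served the stock page in this model.
    if last_action == "deny":
        return ("allow", None)
    return ("deny", STOCK_PAGE)


DENY_INFO = {"max": "ERR_EXT_PAGE"}     # deny_info ERR_EXT_PAGE max

# The thread's ordering: `max` is the last term, so a full match ends on it.
CONFIG_A = [("deny", ["ip", "ext", "max"]), ("allow", ["!max"])]
# Same ACLs with `max` moved first: a full match now ends on `ext`.
CONFIG_B = [("deny", ["max", "ip", "ext"]), ("allow", ["!max"])]

# Constructed sample requests.
HIT_ALL = Request("192.168.10.10", "http://example.com/setup.exe", 2)
WRONG_IP = Request("192.168.10.11", "http://example.com/setup.exe", 1)
NOT_EXE = Request("192.168.10.10", "http://example.com/index.html", 2)


def page_for(config, request):
    """Convenience wrapper: which page (if any) this config serves."""
    return evaluate(config, build_acls(), DENY_INFO, request)


if __name__ == "__main__":
    for label, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        for req in (HIT_ALL, WRONG_IP, NOT_EXE):
            print(label, req.src, req.url, page_for(cfg, req))
```

With the thread's ordering (CONFIG_A) a request that hits all three terms ends on `max` and is served ERR_EXT_PAGE; putting `max` first (CONFIG_B) makes `ext` the last term checked, and because `ext` has no deny_info the stock page comes back. A request that misses `ip` or `ext` never matches the combined line at all, which is the situation Amos describes: it falls to the default and gets the default page. Treat the model as a way to reason about ordering, and verify which line and ACL actually matched in a running Squid with `debug_options 28,9`.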