Re: [squid-users] X-Forwarded-For and cache_peer_access

From: Michael Graham <mgraham_at_bloxx.com>
Date: Wed, 17 Jul 2013 13:50:48 -0400

On Tue, 2013-07-16 at 09:31 -0400, Michael Graham wrote:
> On Tue, 2013-07-16 at 23:30 +1200, Amos Jeffries wrote:
> > Does the X-Forwarded-For header actually contain an IP from the
> > 172.21.120.0/24 subnet (and not some IPv6 address from that subnet's
> > IPv6 ranges)?
>
> Yeah it seems to be:
>
> GET http://www.google.com/ HTTP/1.1
> Accept: */*
> Host: www.google.com
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7
> OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Via: 1.1 cake-icap (squid/3.3.6)
> X-Forwarded-For: 172.21.120.23
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> > Also, re-check this after fixing the follow_x_forwarded_for trust
> > ACLs. That may be affecting the results.
>
> I've gone back to the original lines:
>
> acl localsrc src 127.0.0.1
> follow_x_forwarded_for allow localsrc
>
> Here is the output from debug_options ALL,1 17,9 28,9 when I make a
> request:
>
> 2013/07/16 14:27:53.773 kid1| Acl.cc(345) matches: ACLList::matches:
> checking forwardTrafficSubnet1
> 2013/07/16 14:27:53.773 kid1| Acl.cc(326) checklistMatches:
> ACL::checklistMatches: checking 'forwardTrafficSubnet1'
> 2013/07/16 14:27:53.773 kid1| Ip.cc(134) aclIpAddrNetworkCompare:
> aclIpAddrNetworkCompare: compare:
> 172.21.120.23/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00] (172.21.120.0)
> vs 172.21.120.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00]
> 2013/07/16 14:27:53.773 kid1| Ip.cc(560) match: aclIpMatchIp:
> '172.21.120.23' found
> 2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches:
> ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
> 2013/07/16 14:27:53.773 kid1| Acl.cc(349) matches: forwardTrafficSubnet1
> matched.
> 2013/07/16 14:27:53.773 kid1| Acl.cc(363) matches: forwardTrafficSubnet1
> result is true
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(275) matchNode: 0x1d8afd8
> matched=1 async=0 finished=0
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8
> success: all ACLs matched
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8
> answer DENIED for first matching rule won
> 2013/07/16 14:27:53.773 kid1| Checklist.cc(88) matchNonBlocking:
> ACLChecklist::check: 0x1d8afd8 match found, calling back with DENIED
>
> I don't know why it says that the rule matched but that it is returning
> DENIED.
>
> Cheers,

Hi again,

I wonder if anyone has any ideas on this one; at the moment this just
doesn't seem to work.

Cheers,

-- 
Michael Graham <mgraham_at_bloxx.com>
Received on Wed Jul 17 2013 - 17:51:02 MDT
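
A small parser for the debug_options output quoted above, as an added example that is not part of the original message or of Squid: it re-joins the mail-wrapped log lines and pairs each ACL match result with the checklist's final answer, so the "matched" and "DENIED" lines can be read side by side. The function names are hypothetical, and the sample is an excerpt of the log quoted in the message.

```python
import re

# Excerpt of the debug output quoted in the message above, still wrapped the
# way the mail client wrapped it.
SAMPLE = """\
2013/07/16 14:27:53.773 kid1| Acl.cc(328) checklistMatches:
ACL::ChecklistMatches: result for 'forwardTrafficSubnet1' is 1
2013/07/16 14:27:53.773 kid1| Checklist.cc(260) matchNodes: 0x1d8afd8
success: all ACLs matched
2013/07/16 14:27:53.773 kid1| Checklist.cc(146) markFinished: 0x1d8afd8
answer DENIED for first matching rule won
"""

STAMP = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+ kid\d+\| ")
RECORD = re.compile(r"^(?P<ts>\S+ \S+) kid\d+\| (?P<src>\S+)\((?P<line>\d+)\) (?P<func>\w+): (?P<msg>.*)$")
ACL_RESULT = re.compile(r"result for '(?P<acl>[^']+)' is (?P<res>[01])")
ANSWER = re.compile(r"(?P<ptr>0x[0-9a-f]+) answer (?P<answer>\w+) for (?P<reason>.+)")


def unwrap(text):
    """Join mail-wrapped continuation lines back onto their log record."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # drop quote markers
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarize(text):
    """Return one dict per finished checklist: ACL results seen, then the answer."""
    # Assumption: checks are not interleaved, so the ACL results seen since the
    # previous answer belong to the next answer (result lines carry no pointer).
    pending, out = [], []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        if (r := ACL_RESULT.search(m["msg"])):
            pending.append((r["acl"], r["res"] == "1"))
        elif (a := ANSWER.search(m["msg"])):
            out.append({"checklist": a["ptr"], "acls": pending,
                        "answer": a["answer"], "reason": a["reason"]})
            pending = []
    return out
```
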
