
0002848: SQUID/Dansguardian shows an Access Denied page when page does not exist - MantisBT
MantisBT - Endian Firewall
View Issue Details
ID: 0002848
Project: Endian Firewall
Category: Proxy HTTP
View Status: public
Date Submitted: 2010-04-15 17:21
Last Update: 2011-02-01 15:13
Reporter: albaney
Assigned To: peter-endian
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 2.3
Target Version: future
Fixed in Version: 2.5
Summary: 0002848: SQUID/Dansguardian shows an Access Denied page when page does not exist
When we try to access a page with an explicit permission in the access policy, Squid shows a page informing "The dnsserver returned: Name Error: The domain name does not exist."

However, our default policy is to use a Content Filter. When we try a page without the explicit permission, the message is "Access Denied."
Tags: purple
Issue History
2010-04-15 17:21 | albaney | New Issue
2010-04-28 18:58 | albaney | Note Added: 0004188
2010-04-29 14:56 | luca-endian | Tag Attached: purple
2010-04-29 14:58 | luca-endian | Note Added: 0004192
2010-04-29 14:58 | luca-endian | Status | new => confirmed
2010-05-10 09:14 | peter-endian | Target Version | => future
2010-12-20 10:30 | ardit-endian | Note Added: 0005397
2011-01-31 10:54 | ra-endian | Customer Occurencies | => 2-3
2011-01-31 12:08 | peter-endian | Note Added: 0005556
2011-01-31 12:11 | peter-endian | Note Added: 0005557
2011-02-01 10:30 | peter-endian | Note Added: 0005575
2011-02-01 10:53 | peter-endian | Note Added: 0005576
2011-02-01 11:09 | peter-endian | Note Added: 0005577
2011-02-01 15:05 | peter-endian | Note Added: 0005580
2011-02-01 15:09 | lorenzo-endian | Assigned To | => peter-endian
2011-02-01 15:13 | peter-endian | Status | confirmed => resolved
2011-02-01 15:13 | peter-endian | Fixed in Version | => 2.5
2011-02-01 15:13 | peter-endian | Resolution | open => fixed

Notes
(0004188) albaney 2010-04-28 18:58
Nothing?
(0004192) luca-endian 2010-04-29 14:58
I agree, this is a misleading message.
(0005397) ardit-endian 2010-12-20 10:30
This happens with the proxy set to non-transparent; when the proxy is set to transparent, the default browser message is displayed instead of the "access denied" error page.
(0005556) peter-endian 2011-01-31 12:08
found the cause of the issue, but no solution, yet:

our catch-all acls are these:

acl all src 0.0.0.0/0.0.0.0
acl from_all src 0.0.0.0/0.0.0.0
acl to_all dst 0.0.0.0/0.0.0.0

which match everything, but only IP addresses.

In this case we have a DNS resolving issue, so there is no IP address for the request.
Those catch-alls need to match also when there is no IP address.
(0005557) peter-endian 2011-01-31 12:11
acl all dstdomain none

??
probably, let's try.
(0005575) peter-endian 2011-02-01 10:30
good to know.. a line in squid.conf:

debug_options ALL,1 33,2

or

debug_options ALL,1 33,2 28,9

makes squid log in cache.log *why* a request has been blocked

http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F
(0005576) peter-endian 2011-02-01 10:53
this is the problem:

http_access allow from_localhost
[...]
http_access allow from_all to_rule0 within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access deny from_all


squid does:

2011/02/01 11:33:47| aclCheck: checking 'http_access allow from_all to_all within_timeframe_rule1 '
2011/02/01 11:33:47| aclMatchAclList: checking from_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl from_all src 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchIp: '192.168.11.55' found
2011/02/01 11:33:47| aclMatchAclList: checking to_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl to_all dst 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchAclList: no match, returning 0


The to_all acl is 0/0, but in this case the request has no IP address, only the unresolved domain.
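To read off from cache.log which http_access line actually decided a request, here is a small Python helper added to this page (not Endian's or Squid's code) that walks the aclCheck / aclMatchAclList lines in the format quoted above and reports, per rule, the ACL that stopped it matching; the sample log is constructed from the trace in this note plus an assumed trace for the final deny rule.

```python
import re

# Constructed cache.log excerpt in the format quoted in the note above
# (debug_options ALL,1 33,2 28,9): the first seven lines are the trace from
# the note, the trace for the final deny rule is a constructed continuation.
SAMPLE_LOG = """\
2011/02/01 11:33:47| aclCheck: checking 'http_access allow from_all to_all within_timeframe_rule1 '
2011/02/01 11:33:47| aclMatchAclList: checking from_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl from_all src 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchIp: '192.168.11.55' found
2011/02/01 11:33:47| aclMatchAclList: checking to_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl to_all dst 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchAclList: no match, returning 0
2011/02/01 11:33:47| aclCheck: checking 'http_access deny from_all '
2011/02/01 11:33:47| aclMatchAclList: checking from_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl from_all src 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchIp: '192.168.11.55' found
"""

CHECK_RE = re.compile(r"aclCheck: checking '(?P<rule>[^']+?)\s*'")
ACL_RE = re.compile(r"aclMatchAclList: checking (?P<acl>\S+)")
NOMATCH_RE = re.compile(r"aclMatchAclList: no match, returning 0")

def trace_acl_checks(log_text):
    """Return [(http_access line, ACL that failed or None)] in log order.
    The failing ACL is the one named by the last 'aclMatchAclList: checking'
    before 'no match, returning 0'; a trace with no 'no match' line is taken
    to mean every ACL matched (assumed: squid stops evaluating at that rule).
    """
    results, current = [], None      # current = [rule, last_acl, failed]
    for line in log_text.splitlines():
        m = CHECK_RE.search(line)
        if m:                        # squid starts evaluating the next rule
            if current:
                results.append((current[0], current[1] if current[2] else None))
            current = [m.group("rule"), None, False]
        elif current is None:
            continue                 # lines before the first aclCheck
        elif ACL_RE.search(line):
            current[1] = ACL_RE.search(line).group("acl")
        elif NOMATCH_RE.search(line):
            current[2] = True
    if current:
        results.append((current[0], current[1] if current[2] else None))
    return results

def effective_rule(log_text):
    """First http_access line whose ACLs all matched, i.e. the decision squid applied."""
    return next((r for r, failed in trace_acl_checks(log_text) if failed is None), None)
```

On the sample above it reports that the allow rule was skipped because `to_all` did not match and that `http_access deny from_all` took the decision, which is the "Access Denied" page the reporter saw.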
(0005577) peter-endian 2011-02-01 11:09
adding a rule which allows every domain helps. don't know if this is the best solution however:

acl to_alldomains dstdom_regex .*

http_access allow from_localhost
[...]
http_access allow from_all to_rule0 within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access allow from_all within_timeframe_rule1 to_alldomains
http_access deny from_all

# http reply access rules
http_reply_access allow from_localhost
http_reply_access allow from_all to_all within_timeframe_rule1
http_reply_access allow from_all within_timeframe_rule1 to_alldomains
http_reply_access deny from_all
(0005580) peter-endian 2011-02-01 15:05
http_reply_access allow within_timeframe_rule1

instead of:

http_reply_access allow from_all within_timeframe_rule1 to_alldomains

is even better :)
Thanks to the suggestions on the squid mailing list.