View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
0002848 | Endian Firewall | Proxy HTTP | public | 2010-04-15 17:21 | 2011-02-01 15:13
Reporter | albaney
Assigned To | peter-endian
Priority | normal | Severity | minor | Reproducibility | have not tried
Status | resolved | Resolution | fixed
Platform | OS | OS Version
Product Version | 2.3
Target Version | future | Fixed in Version | 2.5
Summary | 0002848: SQUID/Dansguardian shows an Access Denied page when page not exists
Description | When we try to access a page with an explicit permission in the access policy, Squid shows a page informing "The dnsserver returned: Name Error: The domain name does not exist." However, our default policy is to use a Content Filter. When we try a page without the explicit permission the message is "Access Denied."
Tags | purple
(0004188) albaney (reporter) 2010-04-28 18:58
Nothing?
(0004192) luca-endian (developer) 2010-04-29 14:58
I agree, this is a misleading message.
(0005397) ardit-endian (developer) 2010-12-20 10:30
This happens with proxy set to non-transparent, when proxy is set to transparent the default browser message is displayed instead of the error "access denied" page.
(0005556) peter-endian (administrator) 2011-01-31 12:08
found the cause of the issue, but no solution, yet: our catch-all acls are these:

```
acl all src 0.0.0.0/0.0.0.0
acl from_all src 0.0.0.0/0.0.0.0
acl to_all dst 0.0.0.0/0.0.0.0
```

which match all, but only ip addresses. in this case, we have a DNS resolving issue, so no ip address for the request. those catch-alls need to match also when there is no ip address.
(0005557) peter-endian (administrator) 2011-01-31 12:11
acl all dstdomain none ?? probably, let's try.
(0005575) peter-endian (administrator) 2011-02-01 10:30
good to know.. a line in squid.conf:

```
debug_options ALL,1 33,2
```

or

```
debug_options ALL,1 33,2 28,9
```

makes squid log in cache.log *why* a request has been blocked
http://wiki.squid-cache.org/SquidFaq/SquidAcl#I_set_up_my_access_controls.2C_but_they_don.27t_work.21__why.3F
(0005576) peter-endian (administrator) 2011-02-01 10:53
this is the problem:

```
http_access allow from_localhost
[...]
http_access allow from_all to_rule0 within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access deny from_all
```

squid does:

```
2011/02/01 11:33:47| aclCheck: checking 'http_access allow from_all to_all within_timeframe_rule1 '
2011/02/01 11:33:47| aclMatchAclList: checking from_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl from_all src 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchIp: '192.168.11.55' found
2011/02/01 11:33:47| aclMatchAclList: checking to_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl to_all dst 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchAclList: no match, returning 0
```

the to_all acl, is 0/0, but the request is no ip address in this case, but the unresolved domain.
(0005577) peter-endian (administrator) 2011-02-01 11:09
adding a rule which allows every domain helps. don't know if this is the best solution however:

```
acl to_alldomains dstdom_regex .*

http_access allow from_localhost
[...]
http_access allow from_all to_rule0 within_timeframe_rule0
http_access allow from_all to_all within_timeframe_rule1
http_access allow from_all within_timeframe_rule1 to_alldomains
http_access deny from_all

# http reply access rules
http_reply_access allow from_localhost
http_reply_access allow from_all to_all within_timeframe_rule1
http_reply_access allow from_all within_timeframe_rule1 to_alldomains
http_reply_access deny from_all
```
(0005580) peter-endian (administrator) 2011-02-01 15:05

```
http_reply_access allow within_timeframe_rule1
```

instead of:

```
http_reply_access allow from_all within_timeframe_rule1 to_alldomains
```

is even better :) thanks to suggestions on squid mailinglist
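As an added example (not part of the original notes and not Endian's code), the following Python reads Squid ACL debug output in the format quoted in note 0005576 and reports which ACL ended each `http_access` check, flagging the case from this issue where a `dst 0.0.0.0/0.0.0.0` catch-all fails to match. The function name, record fields and regular expressions are this example's own assumptions; the sample log is the excerpt from that note.

```python
import re

# Log excerpt copied from note 0005576 above (written when debug_options includes 28,9).
SAMPLE_LOG = """\
2011/02/01 11:33:47| aclCheck: checking 'http_access allow from_all to_all within_timeframe_rule1 '
2011/02/01 11:33:47| aclMatchAclList: checking from_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl from_all src 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchIp: '192.168.11.55' found
2011/02/01 11:33:47| aclMatchAclList: checking to_all
2011/02/01 11:33:47| aclMatchAcl: checking 'acl to_all dst 0.0.0.0/0.0.0.0'
2011/02/01 11:33:47| aclMatchAclList: no match, returning 0
"""

RULE_RE = re.compile(r"aclCheck: checking '(.+?)\s*'")
NAME_RE = re.compile(r"aclMatchAclList: checking (\S+)")
DEF_RE = re.compile(r"aclMatchAcl: checking 'acl (\S+) (\S+) (.+?)'")
CATCH_ALL = {"0.0.0.0/0.0.0.0", "0.0.0.0/0"}


def failed_acls(log_text):
    """Return one record per http_access rule that stopped on a non-matching ACL."""
    findings, rule, name, defs = [], None, None, {}
    for line in log_text.splitlines():
        msg = line.partition("| ")[2]          # drop the timestamp prefix
        if m := RULE_RE.search(msg):
            rule, name = m.group(1), None      # a new rule is being evaluated
        elif m := NAME_RE.search(msg):
            name = m.group(1)                  # ACL currently being tested
        elif m := DEF_RE.search(msg):
            defs[m.group(1)] = (m.group(2), m.group(3))
        elif "aclMatchAclList: no match" in msg and rule and name:
            acl_type, value = defs.get(name, ("?", "?"))
            findings.append({
                "rule": rule, "acl": name, "type": acl_type, "value": value,
                # A dst catch-all only matches a resolved IP address, so a miss
                # here points at a destination host that DNS could not resolve.
                "dst_catch_all_missed": acl_type == "dst" and value in CATCH_ALL,
            })
    return findings


if __name__ == "__main__":
    for f in failed_acls(SAMPLE_LOG):
        print(f)
```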
Date Modified | Username | Field | Change |
2010-04-15 17:21 | albaney | New Issue | |
2010-04-28 18:58 | albaney | Note Added: 0004188 | |
2010-04-29 14:56 | luca-endian | Tag Attached: purple | |
2010-04-29 14:58 | luca-endian | Note Added: 0004192 | |
2010-04-29 14:58 | luca-endian | Status | new => confirmed |
2010-05-10 09:14 | peter-endian | Target Version | => future |
2010-12-20 10:30 | ardit-endian | Note Added: 0005397 | |
2011-01-31 10:54 | ra-endian | Customer Occurencies | => 2-3 |
2011-01-31 12:08 | peter-endian | Note Added: 0005556 | |
2011-01-31 12:11 | peter-endian | Note Added: 0005557 | |
2011-02-01 10:30 | peter-endian | Note Added: 0005575 | |
2011-02-01 10:53 | peter-endian | Note Added: 0005576 | |
2011-02-01 11:09 | peter-endian | Note Added: 0005577 | |
2011-02-01 15:05 | peter-endian | Note Added: 0005580 | |
2011-02-01 15:09 | lorenzo-endian | Assigned To | => peter-endian |
2011-02-01 15:13 | peter-endian | Status | confirmed => resolved |
2011-02-01 15:13 | peter-endian | Fixed in Version | => 2.5 |
2011-02-01 15:13 | peter-endian | Resolution | open => fixed |