wheezy squid 3.1.20-2.2 external_type_acl
порет чушь, похоже на баг, но не могу найти подобного
правила в конфиге:
external_acl_type auth_helper ttl=2 %SRC %DST /etc/squid3/python/1.sh acl IP external auth_helper IP acl A src X.X.X.X http_access allow IP http_access deny all
внешний хелпер был заменен на простой баш-скрипт, на любой запрос выдает OK
все работает ровно до тех пор, пока не придет время сквиду сделать очередной запрос к внешнему скрипту, и тогда происходит следующее:
2014/06/04 00:26:18.158| ACLChecklist::preCheck: 0x7ffe36f530b8 checking 'http_access allow IP' 2014/06/04 00:26:18.158| ACLList::matches: checking IP 2014/06/04 00:26:18.158| ACL::checklistMatches: checking 'IP' 2014/06/04 00:26:18.158| aclMatchExternal: acl=«auth_helper» 2014/06/04 00:26:18.158| aclMatchExternal: auth_helper(«X.X.X.X http://www.hulu.com IP») = lookup needed 2014/06/04 00:26:18.158| aclMatchExternal: «X.X.X.X http://www.hulu.com IP»: entry=@0x7ffe36f2cb28, age=2 2014/06/04 00:26:18.158| aclMatchExternal: «X.X.X.X http://www.hulu.com IP»: queueing a call. 2014/06/04 00:26:18.158| aclMatchExternal: «X.X.X.X http://www.hulu.com IP»: return -1. 2014/06/04 00:26:18.158| ACL::ChecklistMatches: result for 'IP' is -1 2014/06/04 00:26:18.158| ACLList::matches: result is false 2014/06/04 00:26:18.158| aclmatchAclList: 0x7ffe36f530b8 returning false (AND list entry failed to match) 2014/06/04 00:26:18.158| ACL::FindByName 'IP' 2014/06/04 00:26:18.158| ACLChecklist::asyncInProgress: 0x7ffe36f530b8 async set to 1 2014/06/04 00:26:18.158| externalAclLookup: lookup in 'auth_helper' for 'X.X.X.X http://www.hulu.com IP' 2014/06/04 00:26:18.158| externalAclLookup: looking up for 'X.X.X.X http://www.hulu.com IP' in 'auth_helper'. 2014/06/04 00:26:18.158| externalAclLookup: no need to wait for the result of 'X.X.X.X http://www.hulu.com IP' in 'auth_helper' (ch=0x7ffe36f530b8). 2014/06/04 00:26:18.158| externalAclLookup: using cached entry 0x7ffe36f2cb28 2014/06/04 00:26:18.158| externalAclLookup: entry = { date=1401855976, result=1, user= tag= log= } 2014/06/04 00:26:18.158| ACLChecklist::asyncInProgress: 0x7ffe36f530b8 async set to 0 2014/06/04 00:26:18.158| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0 2014/06/04 00:26:18.158| ACLChecklist::preCheck: 0x7ffe36f530b8 checking 'http_access deny all' 2014/06/04 00:26:18.158| ACLList::matches: checking all 2014/06/04 00:26:18.158| ACL::checklistMatches: checking 'all' 2014/06/04 00:26:18.158| aclIpAddrNetworkCompare: compare: X.X.X.X:35387/[::] ([::]:35387) vs [::]-[::]/[::] 2014/06/04 00:26:18.158| aclIpMatchIp: 'X.X.X.X:35387' found 2014/06/04 00:26:18.158| ACL::ChecklistMatches: result for 'all' is 1 2014/06/04 00:26:18.158| ACLList::matches: result is true 2014/06/04 00:26:18.158| aclmatchAclList: 0x7ffe36f530b8 returning true (AND list satisfied) 2014/06/04 00:26:18.158| ACLChecklist::markFinished: 0x7ffe36f530b8 checklist processing finished 2014/06/04 00:26:18.158| ACLChecklist::check: 0x7ffe36f530b8 match found, calling back with 0 2014/06/04 00:26:18.158| ACLFilledChecklist::checkCallback: 0x7ffe36f530b8 answer=0 2014/06/04 00:26:18.158| ACLChecklist::checkCallback: 0x7ffe36f530b8 answer=0
Как видим, забил он на внешний acl и отработал http_access deny all. Клиент получил TCP_DENIED/403. Я его не понимаю...