On 08/02/2026 04:54, Andrea Venturoli wrote:
On 2/6/26 04:16, Amos Jeffries wrote:

Hello.



>> As the message says, the ACL you have named "dns-mime-type" is being checked when there is no HTTP Response. I assume from the name that it needs the mime type, which comes from an HTTP Response header.
>>
>> Squid copes with these by assuming a mismatch or skipping the access rule.
>>
>> This is a flaw in your security policy which you should fix, maybe minor or maybe serious - hard to tell without full knowledge of that policy and reasons for it.
>
> Thanks for pointing this out.
>
> I've got:
> acl dns-query-url urlpath_regex ^/dns-query\??
> acl doh_query_url urlpath_regex ^/resolve

ACL name typo? ('_' instead of '-')

> acl dns-query-url urlpath_regex dns=
> acl dns-req-message req_header Content-Type ^application/dns-message$
> acl dns-mime-type rep_mime_type application/dns-message
> acl dns-mime-type rep_mime_type text/dns
> acl dns-mime-type rep_mime_type application/dns+json
> acl doh any-of dns-query-url dns-req-message dns-mime-type
> ...
> http_access deny doh
>
> The whole point of this is to disallow DNS over HTTP and force any client to use the local DNS server (which is already hinted via DHCP and DNS).
> Is this snippet wrong?
> Any suggestion on how to fix it?


Remove "dns-mime-type" from the "doh" ACL, and do this:

 http_access deny doh
 http_reply_access deny dns-mime-type


HTH
Amos
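The request-stage versus reply-stage split in the answer above, as an added example that is not part of this thread and not Squid's own code: a small Python model of the two evaluation points, http_access (request stage, no reply exists yet) and http_reply_access (reply stage). It shows why a rep_mime_type ACL inside an http_access rule can never match, and how moving it to http_reply_access catches DoH traffic that the URL and request-header tests miss. Assumptions: the "no reply yet" case is modelled as a mismatch (one of the two behaviours Squid is described as choosing), and doh_query_url is treated as if it were meant to be a member of the doh ACL, which the thread flags as a probable typo. All requests and replies are constructed samples.

```python
# Added example for this thread (not Squid code and not from the original
# posts): a toy model of Squid's http_access (request stage, rep is None)
# and http_reply_access (reply stage) evaluation.  Traffic below is made up.
import re

# Reply MIME types the original config treats as DNS payloads.
DNS_REPLY_TYPES = {"application/dns-message", "text/dns", "application/dns+json"}


def acl_dns_query_url(req, rep):
    # urlpath_regex ^/dns-query\??  plus  urlpath_regex dns=  (two lines, one ACL)
    path = req["path"]
    return re.match(r"^/dns-query\??", path) is not None or "dns=" in path


def acl_doh_query_url(req, rep):
    # urlpath_regex ^/resolve  (assumed to be intended as part of 'doh')
    return re.match(r"^/resolve", req["path"]) is not None


def acl_dns_req_message(req, rep):
    # req_header Content-Type ^application/dns-message$
    ctype = req["headers"].get("Content-Type", "")
    return re.fullmatch(r"application/dns-message", ctype) is not None


def acl_dns_mime_type(req, rep):
    # rep_mime_type needs a reply.  At request stage there is none; Squid logs
    # the warning from the thread and this model assumes a mismatch (assumption).
    if rep is None:
        return False
    mime = rep["headers"].get("Content-Type", "").split(";")[0].strip().lower()
    return mime in DNS_REPLY_TYPES


def any_of(*acls):
    # acl NAME any-of A B C: true when any member matches.
    return lambda req, rep: any(acl(req, rep) for acl in acls)


# Original policy: the reply-only ACL sits inside the any-of used by
# http_access, where the reply is always None, so it contributes nothing.
DOH_ORIGINAL = any_of(acl_dns_query_url, acl_doh_query_url,
                      acl_dns_req_message, acl_dns_mime_type)

# Fixed policy from the reply: dns-mime-type removed from 'doh' and checked
# by http_reply_access instead.
DOH_FIXED = any_of(acl_dns_query_url, acl_doh_query_url, acl_dns_req_message)


def policy_original(req, rep):
    # http_access deny doh   (nothing at reply stage)
    return "deny" if DOH_ORIGINAL(req, None) else "allow"


def policy_fixed(req, rep):
    # http_access deny doh  /  http_reply_access deny dns-mime-type
    if DOH_FIXED(req, None):
        return "deny"          # blocked before the request leaves the proxy
    if acl_dns_mime_type(req, rep):
        return "deny"          # server already answered; reply withheld from client
    return "allow"


# Constructed traffic: two obvious DoH requests, one DoH exchange hiding behind
# an unremarkable path that only the reply gives away, and an ordinary page.
SAMPLES = {
    "doh-get": ({"path": "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB",
                 "headers": {"Accept": "application/dns-message"}},
                {"headers": {"Content-Type": "application/dns-message"}}),
    "doh-post": ({"path": "/resolve",
                  "headers": {"Content-Type": "application/dns-message"}},
                 {"headers": {"Content-Type": "application/dns-message"}}),
    "doh-hidden": ({"path": "/api/v1/lookup", "headers": {"Accept": "*/*"}},
                   {"headers": {"Content-Type": "application/dns+json; charset=utf-8"}}),
    "web-page": ({"path": "/index.html", "headers": {}},
                 {"headers": {"Content-Type": "text/html; charset=utf-8"}}),
}


def evaluate_all():
    """Return {sample name: (original verdict, fixed verdict)}."""
    return {name: (policy_original(req, rep), policy_fixed(req, rep))
            for name, (req, rep) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, fixed) in evaluate_all().items():
        print(f"{name:11s} original={orig:5s} fixed={fixed}")
```

The "doh-hidden" sample is the case the split policy is for: neither the path nor the request Content-Type looks like DNS, so the request-stage rule passes it in both versions, and only the reply-stage check on the returned MIME type denies it. Note the caveat that follows from where the check runs: by the time http_reply_access fires, the upstream DoH server has already received the query, so the reply-stage rule keeps the answer from the client but does not stop the request from leaving the network. The request-stage ACLs remain the primary control; the reply ACL is the backstop for what they miss.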

_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
