[squid-users] FATAL: invalid pct-encoded triplet

Andrea Venturoli ml at netfence.it
Sat Feb 7 15:54:16 UTC 2026


On 2/6/26 04:16, Amos Jeffries wrote:

Hello.



> As the message says, the ACL you have named "dns-mime-type" is being 
> checked when there is no HTTP Response. I assume from the name that it 
> needs the mime type, which comes from an HTTP Response header.
> 
> Squid copes with these by assuming a mis-match or skipping the access rule.
> 
> This is a flaw in your security policy which you should fix, maybe minor 
> or maybe serious - hard to tell without full knowledge of that policy 
> and reasons for it.

Thanks for pointing this out.

I've got:
> acl dns-query-url urlpath_regex ^/dns-query\??
> acl doh_query_url urlpath_regex ^/resolve
> acl dns-query-url urlpath_regex dns=
> acl dns-req-message req_header Content-Type ^application/dns-message$
> acl dns-mime-type rep_mime_type application/dns-message
> acl dns-mime-type rep_mime_type text/dns
> acl dns-mime-type rep_mime_type application/dns+json
> acl doh any-of dns-query-url dns-req-message dns-mime-type
> ...
> http_access deny doh

The whole point of this is to disallow DNS over HTTP and force any 
client to use the local DNS server (which is already hinted via DHCP and 
DNS).
Is this snippet wrong?
Any suggestion on how to fix it?

  bye & Thanks
	av.
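
Added example, not part of the original message and not taken from the Squid project: one way to split the posted policy so that each ACL is tested only where its data exists, with request-side checks in http_access and the reply MIME type in http_reply_access. The ACL names are made up for this sketch; the /resolve pattern is folded into the URL ACL because the posted snippet defines it as doh_query_url, a name the any-of line never references.

```conf
# Request-side indicators: available when http_access runs,
# before any reply has been received.
acl doh-url urlpath_regex ^/dns-query\??
acl doh-url urlpath_regex ^/resolve
acl doh-url urlpath_regex dns=
acl doh-req-type req_header Content-Type ^application/dns-message$
acl doh-request any-of doh-url doh-req-type

# Reply-side indicator: the reply Content-Type exists only after the
# origin server has answered, so it is tested in http_reply_access.
# rep_mime_type patterns are regular expressions, hence the escaped "+".
acl doh-reply-type rep_mime_type application/dns-message
acl doh-reply-type rep_mime_type text/dns
acl doh-reply-type rep_mime_type application/dns\+json

# Deny on the request before the usual allow rules ...
http_access deny doh-request
# ... remaining http_access rules ...

# ... and deny on the reply once its headers are known.
http_reply_access deny doh-reply-type
```

For https:// traffic Squid sees only the CONNECT request unless the connection is decrypted (SSL-Bump), so URL-path and header ACLs like these match only plain-HTTP or bumped requests.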

