[squid-users] FATAL: invalid pct-encoded triplet
Amos Jeffries
squid3 at treenet.co.nz
Sun Feb 8 21:27:17 UTC 2026
On 08/02/2026 04:54, Andrea Venturoli wrote:
> On 2/6/26 04:16, Amos Jeffries wrote:
>
> Hello.
>
>
>
>> As the message says The ACL you have named "dns-mime-type" is being
>> checked when there is no HTTP Response. I assume from the name that it
>> needs the mime type, which comes from an HTTP Response header.
>>
>> Squid copes with these by assuming a mis-match or skipping the access
>> rule.
>>
>> This is a flaw in your security policy which you should fix, maybe
>> minor or maybe serious - hard to tell without full knowledge of that
>> policy and reasons for it.
>
> Thanks for pointing this out.
>
> I've got:
>> acl dns-query-url urlpath_regex ^/dns-query\??
>> acl doh_query_url urlpath_regex ^/resolve
ACL name typo? ('_' instead of '-')
>> acl dns-query-url urlpath_regex dns=
>> acl dns-req-message req_header Content-Type ^application/dns-message$
>> acl dns-mime-type rep_mime_type application/dns-message
>> acl dns-mime-type rep_mime_type text/dns
>> acl dns-mime-type rep_mime_type application/dns+json
>> acl doh any-of dns-query-url dns-req-message dns-mime-type
>> ...
>> http_access deny doh
>
> The whole point of this is to disallow DNS over HTTP and force any
> client to use the local DNS server (which is already hinted via DHCP and
> DNS).
> Is this snippet wrong?
> Any suggestion on how to fix it?
Remove "dns-mime-type" from the "doh" ACL, and do this:
http_access deny doh
http_reply_access deny dns-mime-type
HTH
Amos
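The request/reply split Amos describes, written out as a complete squid.conf fragment. This is an added example, not config posted in the thread; it reuses Andrea's ACL names and assumes that "doh_query_url" was the typo Amos spotted and folds that pattern into "dns-query-url", which the thread does not confirm.

```conf
# Added example, not from the thread. Assumes the "doh_query_url" line was
# a typo for "dns-query-url" and merges it into that ACL (unconfirmed).

# Request-phase ACLs: every value here is known from the request alone,
# so they are safe to evaluate in http_access.
acl dns-query-url urlpath_regex ^/dns-query\??
acl dns-query-url urlpath_regex ^/resolve
acl dns-query-url urlpath_regex dns=
acl dns-req-message req_header Content-Type ^application/dns-message$
acl doh any-of dns-query-url dns-req-message

# Reply-phase ACL: rep_mime_type needs the response Content-Type, which
# does not exist when http_access runs, so it is kept out of "doh" and
# is only checked from http_reply_access.
acl dns-mime-type rep_mime_type application/dns-message
acl dns-mime-type rep_mime_type text/dns
acl dns-mime-type rep_mime_type application/dns+json

# Block DoH-looking requests up front, and block any reply that turns out
# to carry a DNS body even if the request did not match.
http_access deny doh
http_reply_access deny dns-mime-type
```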