RE: proposed change to 'pattern' ACL

From: Paul Borgermans <pborgerm@dont-contact.us>
Date: Mon, 19 Aug 1996 18:48:42 +-200

I also think it is better to leave the pattern acl tag unchanged;

1) But why not allow regexp for srcdomain instead of the now-implemented
completion approach (speaking for the 1.1alpha9)?

In my experience and for my needs, this would allow all the kinds of filtering
I think people may ask for:

#--------somewhere in the squid.conf
#PATH filtering
acl porn_stuff pattern sex pussy .... #this can be a long list
#HOST filtering
acl porn_sites srcdomain sex pussy .....#this can be a long list too

http_access deny porn_stuff
http_access deny porn_sites

#------------------------end of hypothetical example (would not
# filter too much as URLs don't guarantee the content)

A *new* acl tag with regexp for the whole URL is of course a
useful extension, but would be limited to things like the above.

2) The acl pattern tag is also very useful to make the squid cache
operate within an intranet without breaking the security for
internal WWW servers (or parts of them) in case you want to let your
cache fit into an (external) hierarchy:

To filter a certain part of a server for the outside world,
this might do the trick:

#--------somewhere in the squid.conf

acl private_paths pattern ^/private_subtree ^/another_private_path
acl public_and_private_server dst 1.2.3.4/255.255.255.255
# the acl dst tag eliminates the need to list all the aliases

acl locals src 1.2.3.0/255.255.255.0

http_access deny !locals public_and_private_server private_paths

#------------------------end of another hypothetical example

But...

All of this can be incorporated in a URL rewriting process as
in the 1.1xxxx releases.

Paul Borgermans

----------
From: Bruce R. Lewis[SMTP:brlewis@MIT.EDU]
Sent: Monday 19 August 1996 15:28
To: Duane Wessels
Cc: squid-users@nlanr.net
Subject: Re: proposed change to 'pattern' ACL

   Date: Thu, 15 Aug 96 11:07:07 -0700

   So how about if we changed 'pattern' to be a regexp search on
   the whole URL instead of just the URL-path? Anyone have a problem
   with that?

That will break regexps like ^/cgi-bin. What about a new type of ACL
for the whole URL?
Received on Mon Aug 19 1996 - 09:53:08 MDT
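
An added example, not part of the original thread and not Squid code: it models the second hypothetical squid.conf above to show why searching the whole URL instead of the URL-path breaks anchored patterns such as ^/private_subtree, so the deny rule stops applying. Assumptions: Python's `re` stands in for Squid's regex matching, the function names are hypothetical, and the client address 192.0.2.10 and hostname www.example.com are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# ACL values copied from the second hypothetical squid.conf in the thread.
PRIVATE_PATHS = [re.compile(p) for p in (r"^/private_subtree", r"^/another_private_path")]
SERVER = ipaddress.ip_network("1.2.3.4/255.255.255.255")  # acl ... dst
LOCALS = ipaddress.ip_network("1.2.3.0/255.255.255.0")    # acl locals src


def pattern_matches(url, whole_url):
    """Regex search on the URL-path (current) or on the whole URL (proposed)."""
    subject = url if whole_url else urlsplit(url).path
    return any(rx.search(subject) for rx in PRIVATE_PATHS)


def denied(client_ip, server_ip, url, whole_url=False):
    """http_access deny !locals public_and_private_server private_paths.

    All ACLs on the line must match for the deny to apply.
    """
    not_local = ipaddress.ip_address(client_ip) not in LOCALS
    is_server = ipaddress.ip_address(server_ip) in SERVER
    return not_local and is_server and pattern_matches(url, whole_url)


# Constructed requests: (client address, resolved server address, URL).
SAMPLES = [
    ("192.0.2.10", "1.2.3.4", "http://www.example.com/private_subtree/report.html"),
    ("192.0.2.10", "1.2.3.4", "http://www.example.com/another_private_path/"),
    ("192.0.2.10", "1.2.3.4", "http://www.example.com/public/index.html"),
    ("1.2.3.77", "1.2.3.4", "http://www.example.com/private_subtree/report.html"),
]

if __name__ == "__main__":
    for client, server, url in SAMPLES:
        print(f"{client:<11} {url:<52} "
              f"path-only deny={denied(client, server, url)!s:<5} "
              f"whole-URL deny={denied(client, server, url, whole_url=True)}")
```

With whole-URL matching the anchored patterns never match a URL that begins with "http://", so none of the sample requests is denied and the private subtree would be reachable from outside until the patterns are rewritten.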
