Re: http_access with two components

From: Jonathan Larmour <JLarmour@dont-contact.us>
Date: Fri, 10 Jan 1997 17:05:31 +0000

At 11:45 10/01/97 GMT, Tim Steele wrote:
>How come I have to do this...
>
> http_access allow ttp
> http_access allow localhost
>
>...whereas this doesn't work...
>
> http_access allow ttp localhost
>
>(It parses OK, but doesn't do what you'd expect)

Because when you specify an ACL itself, with more than one component, it
works with OR logic.

When you specify a rule, such as http_access, and give it more than one
component, then it uses AND logic.

So what you were saying was allow http access if the acl ttp is fulfilled
AND the acl localhost is fulfilled. If ttp and localhost define 2 different
computers then the rule can never be true! When can it have 2 source IP
addresses?!

What you maybe mean is:
http_access deny all !ttp !localhost
http_access allow all

or as you said:
http_access allow ttp
http_access allow localhost

It's worth checking that you have made sure every possibility is catered for,
e.g. in the second one above, what if the host is not ttp, nor localhost?
It's worth ending up with your "default" policy, e.g. http_access deny all,
and list that last in the ACLs.

I think that's thorough enough!

Jonathan L.
Origin UK,323 Cambridge Science Park,Cambridge,England. Tel: +44(1223)423355
------[ Do not think that every sad-eyed woman has loved and lost... ]------
April 12th! Ra!Ra!----[ she may have got him. -Anon ]-----April 12th! Ra!Ra!
Help fight spam! http://www.vix.com/spam These opinions are all my own fault
Received on Fri Jan 10 1997 - 09:20:15 MST
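
An added example, not part of the original message and not Squid's own code: a small Python model of the evaluation the reply describes (values on one acl line are ORed, ACL names on one http_access line are ANDed, the first matching line decides). The ACL addresses are constructed, only `src` ACLs are modelled, and returning `None` when no line matches is this model's way of flagging a request that no rule covers.

```python
import ipaddress

# Constructed ACL definitions; the thread does not show what ttp or localhost contain.
ACLS = """
acl ttp src 192.0.2.10/32 192.0.2.11/32   # two values on one acl line: OR
acl localhost src 127.0.0.1/32
acl all src 0.0.0.0/0
"""
ONE_LINE = ACLS + "http_access allow ttp localhost\n"
TWO_LINES = ACLS + "http_access allow ttp\nhttp_access allow localhost\n"
WITH_DEFAULT = TWO_LINES + "http_access deny all\n"
DENY_FIRST = ACLS + "http_access deny all !ttp !localhost\nhttp_access allow all\n"

def parse(conf):
    """Return (acls, rules) from squid.conf-style text (src ACLs only)."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if not tok:
            continue
        if tok[0] == "acl" and tok[2] == "src":
            # Each value is an alternative: the ACL matches if any one does.
            acls.setdefault(tok[1], []).extend(ipaddress.ip_network(v) for v in tok[3:])
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, client):
    return any(client in net for net in acls[name])

def decide(conf, client_ip):
    """First http_access line whose ACLs ALL match decides; None if none match."""
    acls, rules = parse(conf)
    client = ipaddress.ip_address(client_ip)
    for action, names in rules:
        # Every ACL named on the line must match (AND); a leading "!" negates.
        if all(acl_matches(acls, n.lstrip("!"), client) != n.startswith("!")
               for n in names):
            return action
    return None  # no line matched: the rule set has no explicit default

if __name__ == "__main__":
    for label, conf in [("one line", ONE_LINE), ("two lines", TWO_LINES),
                        ("with default", WITH_DEFAULT), ("deny first", DENY_FIRST)]:
        for ip in ("192.0.2.10", "127.0.0.1", "203.0.113.5"):
            print(f"{label:13} {ip:12} -> {decide(conf, ip)}")
```
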
