Ken Wolff wrote:
> If I had 2 IPs that could get anywhere, then would I have 2 "Power" lines
> as in...
> acl Power src 172.20.1.1/0.0.0.0
> acl Power src 172.20.1.2/0.0.0.0
Not quite.
The syntax is
ip/netmask
so both of the above match any source address (zero netmask).
Single IP addresses can be expressed without the netmask part, as in
acl Power src 172.20.1.1 172.20.1.2
The whole network can be expressed as
acl SomeNetwork src 172.20.1.0/255.255.255.0
> If I had 3 IPs that get to some places...
> acl People src 172.20.1.3/56.0.78.11
> acl People src 172.20.1.3/206.132.41.203
Again no.
src* type ACLs match the client IP address.
dst* type ACLs match the destination. Most of the time when matching
destinations you use the dstdomain ACL for matching the host name part of
the URL.
The logic of http_access is like
AND AND AND
or
AND AND AND
A little bit bigger example with explanations:
# "all" matches everything/everyone
acl all src 0.0.0.0/0
# PowerUsers matches IP addresses of power users
acl PowerUsers src 172.20.1.1 172.20.1.2
# RestrictedUsers matches IP addresses of users with
# limited access
acl RestrictedUsers src 172.20.1.3-172.20.1.5
# RestrictedSites matches IP addresses to sites where
# RestrictedUsers should have access.
acl RestrictedSites dst 56.0.78.11 206.132.41.203
# Allow PowerUsers full access
http_access allow PowerUsers
# Allow RestrictedUsers access to only RestrictedSites
http_access allow RestrictedUsers RestrictedSites
# Deny access to everything not allowed above.
http_access deny all
-- Henrik Nordstrom
   Squid hacker
Received on Sat Oct 23 1999 - 17:07:14 MDT
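Added example, not part of the original message and not Squid's own code: a simplified Python model of the matching described above (netmask comparison, values within one acl ORed, ACLs on one http_access line ANDed, first matching line wins). The function names and the test addresses 10.9.8.7 and 198.51.100.7 are assumptions made up for the illustration; the ACLs and rules are copied from the example config.

```python
import ipaddress

# ACLs and rules transcribed from the example config in the message.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "PowerUsers": ("src", ["172.20.1.1", "172.20.1.2"]),
    "RestrictedUsers": ("src", ["172.20.1.3-172.20.1.5"]),
    "RestrictedSites": ("dst", ["56.0.78.11", "206.132.41.203"]),
}
RULES = [
    ("allow", ["PowerUsers"]),
    ("allow", ["RestrictedUsers", "RestrictedSites"]),
    ("deny", ["all"]),
]

def ip_matches(spec, addr):
    """True if addr matches 'ip', 'ip/netmask', 'ip/bits' or 'ip1-ip2'."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p) for p in spec.split("-"))
        return low <= ip <= high
    base, _, mask = spec.partition("/")
    if not mask:
        bits = 0xFFFFFFFF                      # bare address: exact match
    elif mask.isdigit():
        bits = (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
    else:
        bits = int(ipaddress.ip_address(mask))
    # Only bits set in the netmask are compared, so a zero netmask
    # compares nothing and every address matches.
    return int(ip) & bits == int(ipaddress.ip_address(base)) & bits

def acl_matches(name, client, dest, acls=ACLS):
    """An ACL matches if any one of its listed values matches."""
    kind, specs = acls[name]
    addr = client if kind == "src" else dest
    return any(ip_matches(s, addr) for s in specs)

def http_access(client, dest, rules=RULES, acls=ACLS):
    """Rules are tried in order; the first one whose ACLs ALL match decides."""
    for action, names in rules:
        if all(acl_matches(n, client, dest, acls) for n in names):
            return action
    return "deny"  # fallback chosen for this sketch; not reached when 'deny all' is last

if __name__ == "__main__":
    print(ip_matches("172.20.1.1/0.0.0.0", "10.9.8.7"))   # the zero-netmask case
    print(http_access("172.20.1.4", "56.0.78.11"))        # restricted user, listed site
    print(http_access("172.20.1.4", "198.51.100.7"))      # restricted user, other site
```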