Sorry, but no it does not work that way. Only the other way around.
http_access lines are only matched if ALL acl's on that line evaluates
to true. If a single ACL on the line is false, then the http_access line
as a whole is not matched.
To be able to evaluate some ACL types Squid has to ask for more
information. I.e. the proxy_auth ACL type requires that the user has
entered a valid username+password for it to be able to evaluate the
answer of the ACL, the ident ACL requires a ident lookup, dstdomain/dst
may require a DNS lookup and so on..
As soon as Squid finds a acl that is false, then it skips to the next
http_access line.
A simple rule to remember is
http_access allow|deny a AND b AND c ...
OR
http_access allow|deny e AND f AND g ...
OR
....
Because of this it is generally best to have proxy_auth ACL's last on
the line if you need to combine multiple ACLs.
and chaining several ACLs can be often done much more efficiently than a
single large regex based ACL. If you first start with an ACL that
narrows down the search to mostly only the URLs you are interested in,
and then one or more ACLs that make the fine grained check. This way the
URLs that you are not interested in will skip to the next http_access
line much faster, and only the URLs you are interested in will take the
penalty of detailed regex matching.
/Henrik
Robert Collins wrote:
>
> authentication and deny questionYou could try changing
> http_access deny badDomain password
> to
> http_access deny password badDomain
>
> Squid denies the request as soon as it knows there is a problem. This is a
> speed optimisation. (If you had
> http_access deny acl1 acl2 acl3 acl4 acl5
> and they were all regex acl's it would chew up CPU so perform all the regex
> matchs when squid knows that access will be denied after one of them
> matches.
-- To unsubscribe, see http://www.squid-cache.org/mailing-lists.htmlReceived on Fri Nov 10 2000 - 18:39:34 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:19 MST