Re: [squid-users] unsure of one acl in squid.conf

From: Robert Collins <robert.collins@dont-contact.us>
Date: 28 Aug 2001 23:57:58 +1000

On 27 Aug 2001 17:29:18 -0400, pat lendon wrote:
> Hi all,
>
> I'm unsure of an acl.
>
> We have 18 remote squid servers that use one server as a parent.
> cache_peer xx.xx.x.xxx parent 3128 3130 no-query default
> login=hostname:xxxxxx
>
> All is working fine, but I'm not clear on why I previously listed the
> one acl. I've listed the acl's and my understanding of what is
> happening.
>
> I would like to ensure that all requests from remote proxies first check
> their own cache and if not cached, then forward to the parent squid,
> then off to Internet.
>
> acl parent_proxy url_regex ~http://xx.xx.x.xxx (IP of system with parent
> proxy)
> acl local_proxy src xx.xx.x.xxx (IP of system with local proxy)
> acl FTP proto FTP
> acl passwd proxy_auth REQUIRED
>
> never_direct allow all (means all requests must go thru parent, not
> direct to Internet)
> http_access allow local_proxy (unsure what this acl does, does it mean
> that Squid will first check the local squid server's cache and if not
> found, always go to parent proxy?)

No, it means that requests from this local IP address are allowed. The
path the request follows is not affected by http_access statements.

> always_direct allow parent_proxy (always go to parent proxy)

No, it means that requests for the parent proxy (i.e. if the parent does
ftp directory listings) are made direct to the parent. The never_direct
all is what forces requests to a cache_peer - the parent proxy.

> http_access allow passwd (require password)

This line should be guarded in some fashion - by an earlier src
http_access deny statement perhaps - to prevent brute force passwd
attacks on your server. (I.e. only let users try to log in when they are
in your subnet(s).)

> http_access allow FTP (allow ftp requests)
> http_access deny all (deny anyone that doesn't have a password).
>
> Am I off on my understanding of above acl's?
>
> Also, the config is set to require passwords. Is it also possible to
> block requests from any other server except local server - and then the
> requests for the local server must require password? I'm not sure what
> acl is needed for this.

Sure, something like:

acl fromlocalserver src <ip>        # identify requests from the local server
http_access deny !fromlocalserver   # deny everyone else, so only local ones continue
acl tolocalserver dst <ip>          # identify requests to the local server
acl passwd proxy_auth REQUIRED      # require a valid username + passwd
http_access allow tolocalserver passwd

Rob
Received on Tue Aug 28 2001 - 07:58:10 MDT
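To make the ordering point in the reply concrete, here is a small Python model of how squid walks http_access lines, added as an example (not code from squid or from this thread). The addresses are constructed placeholders, and the squid semantics it assumes are stated in the header comment.

```python
# Model of squid http_access evaluation (added example; not code from the
# squid project or this thread). Semantics assumed: first matching line
# decides, all ACLs on a line must match, '!' negates, proxy_auth is only
# consulted when its line is reached, no match -> opposite of the last action.

LOCAL_IP = "10.0.0.5"  # constructed placeholder for the local server address

UNGUARDED = [  # the question's config, reduced to its auth part
    "acl passwd proxy_auth REQUIRED",
    "http_access allow passwd",
    "http_access deny all",
]

GUARDED = [  # the reply's form: outsiders are denied before auth is consulted
    f"acl fromlocalserver src {LOCAL_IP}",
    f"acl tolocalserver dst {LOCAL_IP}",
    "acl passwd proxy_auth REQUIRED",
    "http_access deny !fromlocalserver",
    "http_access allow tolocalserver passwd",
]

def acl_matches(kind, value, request, auth_attempts):
    if kind == "proxy_auth":
        # Reaching this ACL means the client got to present credentials,
        # which is exactly what a password-guessing client needs.
        auth_attempts.append(request["src"])
        return request.get("valid_creds", False)
    if kind == "all":
        return True
    return request[kind] == value  # 'src' or 'dst' against the request field

def http_access(config, request):
    """Return (decision, sources that reached the proxy_auth check)."""
    acls = {"all": ("all", None)}
    attempts, last = [], "deny"
    for line in config:
        parts = line.split()
        if parts[0] == "acl":
            acls[parts[1]] = (parts[2], parts[3])
            continue
        last = parts[1]  # 'allow' or 'deny'
        for token in parts[2:]:
            kind, value = acls[token.lstrip("!")]
            matched = acl_matches(kind, value, request, attempts)
            if matched == token.startswith("!"):  # this ACL fails the line
                break
        else:  # every ACL on the line matched: first match decides
            return last, attempts
    return ("deny" if last == "allow" else "allow"), attempts
```

Running an outside address through UNGUARDED shows it reaches the proxy_auth check (and so gets to guess), while under GUARDED the same request is denied before any credentials are looked at.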

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:56 MST