Re: [squid-users] Access Lists

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 01 Nov 2001 20:25:30 +0100

Paul Harlow wrote:
>
> So now I'm lost then...
> Now it's sounding like the original input of:
> > acl jkanepc src 10.9.1.112/255.255.255.255
> > acl jkane dstdom_regex adams
> > http_access allow jkane jkanepc
>
> should work, right?

Right. And you asked why. We have tried to explain that.

> This is how it's set up now and how it appears to be
> working. The way I'm reading this is that the first line defines the source
> with an access list named "jkanepc", the second line defines allowed
> destinations with the word "adams" in the address, and the last line ties
> the two together.
> But from previous emails here you're saying that this is not true...
> I don't get it.

It is true. The http_access line says that the request is allowed if it
matches both jkane AND jkanepc.

What I am saying is that if you were able to define an acl element
"jkane" that lists both source IPs and destination domains, then this
acl element is matched if any of the elements are, not if all of the
elements are. As you have discovered, Squid does not allow such "messy"
acl definitions.

It gets more obvious if you consider a slightly larger example:

acl public_pc_machines src 10.1.1.54 10.1.1.55 10.1.1.56 10.1.1.57
acl public_sites dstdomain www.skld.com www.squid-cache.org www.marasystems.com
http_access allow public_pc_machines public_sites
http_access deny public_pc_machines
http_access deny public_pc_machines

Regards
Henrik Nordström
Squid Hacker
Received on Thu Nov 01 2001 - 12:32:43 MST
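
Added example (not part of the original message and not Squid code): a small Python model of how the larger configuration above is evaluated, with values inside one acl element ORed, acl names on one http_access line ANDed, and the first matching line deciding. The function names and the "messy" element are hypothetical, and the fallback when no line matches (the opposite of the last line's action) is Squid's documented behaviour rather than something stated in the message.

```python
import ipaddress

# ACL elements from the message: values inside one element are alternatives (OR).
ACLS = {
    "public_pc_machines": ("src", ["10.1.1.54", "10.1.1.55", "10.1.1.56", "10.1.1.57"]),
    "public_sites": ("dstdomain", ["www.skld.com", "www.squid-cache.org",
                                   "www.marasystems.com"]),
}
# http_access lines in file order: every ACL named on one line must match (AND).
RULES = [
    ("allow", ["public_pc_machines", "public_sites"]),
    ("deny", ["public_pc_machines"]),
]

def acl_matches(name, client_ip, host):
    """True if ANY value of the named element matches the request."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        # Values have no leading dot, so each one matches that exact host name.
        return host.lower() in values
    raise ValueError(f"unsupported acl type: {kind}")

def http_access(client_ip, host):
    """First line whose ACLs ALL match decides the request."""
    for action, names in RULES:
        if all(acl_matches(n, client_ip, host) for n in names):
            return action
    # No line matched: the result is the opposite of the last line's action,
    # which is why rule sets normally end with an explicit "deny all".
    return "deny" if RULES[-1][0] == "allow" else "allow"

def messy_element_matches(client_ip, host):
    """Hypothetical mixed element (sources + domains in one acl): OR semantics."""
    return (acl_matches("public_pc_machines", client_ip, host)
            or acl_matches("public_sites", client_ip, host))

if __name__ == "__main__":
    # Constructed sample requests (client IP, destination host).
    samples = [("10.1.1.54", "www.squid-cache.org"),  # public PC, listed site
               ("10.1.1.54", "www.example.com"),      # public PC, other site
               ("10.9.9.9", "www.example.com")]       # not a public PC
    for ip, host in samples:
        print(ip, host, http_access(ip, host), messy_element_matches(ip, host))
```

The third sample shows that these two lines alone do not restrict clients outside public_pc_machines; the second shows why a mixed element would be too permissive, since it would match on the source address alone.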
