RE: [squid-users] Working ACLs for SSL Accel in 2.5pre10?

From: <sean.upton@dont-contact.us>
Date: Wed, 21 Aug 2002 08:01:39 -0700

I do use a redirector for all requests, but my main concern is simply for
purposes of doing an ACL with regards to the incoming port and nothing more,
so I think I'm okay with current behavior without use of rproxy. I'll give
this a try. Thanks for the tip,
Sean

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Tuesday, August 20, 2002 5:37 PM
To: sean.upton@uniontrib.com
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Working ACLs for SSL Accel in 2.5pre10?

You are correct in that Squid-2.5 reconstructs both as http://... URLs
internally, but you should be able to use the my_port directive to
differentiate the requests from each other based on which port the request
was accepted on.

If you want to have https_port reconstruct the URLs into https:// URLs
then some changes will be needed to the code. See also the rproxy branch
at sourceforge. But keep in mind that you then MUST use a redirector to
rewrite the https:// URLs into http:// before being forwarded by Squid.

Regards
Henrik

sean.upton@uniontrib.com wrote:
>
> I have an HTTP accelerator I would like to do SSL with. I have been playing
> around with SSL accel in 2.5pre10, and I seem to like it so far. I'm a bit
> baffled about how one might go about setting up ACLs to prevent a particular
> URL from being accessed through port 80, but ok via SSL...
>
> For example, given URLs like this:
> http://cmanager/foo
> https://cmanager/foo
>
> The redirector I'm running takes anything going to ^http://cmanager/ and
> sends it to a backend http server on port 80... the first in the above list
> would ideally be rejected, and the second allowed, but I can't seem to set
> up an ACL that would do this.
>
> For example, the following does not work, because https access is blocked as
> well as http:
> acl cmanager url_regex -i cmanager
> acl SSLUrls url_regex ^https
> http_access deny !SSLUrls cmanager
> I've also tried:
> http_access deny !SSL_ports cmanager
> That doesn't work either.
>
> I suspect that the SSL accel machinery makes squid's acl machinery handle
> the URL like a normal http URL, since my redirector rule (that works) is
> passed an HTTP URL by squid even on an HTTPS access.
>
> Any thoughts on how/if this can be done with the current state of SSL accel
> support?
>
> Sean
>
> +-----------------------------------------------------------
> | Sean Upton
> | Site Technology Supervisor SignOnSanDiego.com
> | Development & Integration The San Diego Union-Tribune
> | 619.718.5241 sean.upton@uniontrib.com
> | PATH_TO_THE_DARK_SIDE = 'c:\winnt\system32'
> +-----------------------------------------------------------
Received on Wed Aug 21 2002 - 08:59:00 MDT
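
The port-based ACL suggested in the reply, sketched as a squid.conf fragment. This is an added example, not configuration posted by either participant; it assumes the accelerator accepts plain HTTP on port 80 and SSL on port 443, and it uses `myport`, the squid.conf name of the ACL type that matches the port a request was accepted on.

```conf
# Added example. Assumed listening ports: 80 (http_port) and 443 (https_port).

# --- Does not work (from the original question) ---
# Squid-2.5 reconstructs accelerated SSL requests as http://... URLs,
# so ^https never matches and !SSLUrls is true for every request:
#   acl SSLUrls url_regex ^https
#   http_access deny !SSLUrls cmanager

# --- Port-based alternative ---
# url_regex still sees http://cmanager/... for both listeners.
acl cmanager url_regex -i cmanager

# myport matches the local port the connection arrived on,
# independent of how the URL was reconstructed.
acl plain_port myport 80

# http_access rules are evaluated in order and the first match wins,
# so this deny must appear before any rule that allows cmanager traffic.
# Both ACLs on one line are ANDed: cmanager URL *and* accepted on port 80.
http_access deny cmanager plain_port
```

Requests for cmanager accepted on port 443 fall through this rule and are decided by the `http_access` lines that follow it.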
