On Sat, 15 Mar 2003 09:30:51 +0100
Henrik Nordstrom <hno@squid-cache.org> wrote:
> "Jacob S." wrote:
>
> > Hello,
> >
> > Just a simple "acl unblockedsites url_regex -i
> > "/etc/squid/unblock.txt""
> >
> > There are other acls that could interfere but I've already checked
> > and joker.com's not listed in any except for the "unblock.txt" file.
> > Configuration's working great for all the other sites so far.
>
> See the Squid FAQ on how to debug access controls.
>
> Regards
> Henrik

Very helpful information from both the FAQ and the output of
"debug_options ALL,1 33,2" in cache.log. I'm afraid I still can't crack
the case though.

Probably not the most efficient, but here's the full acls and how I'm
applying them to only allow the desired sites along with my reasoning
for how they're implemented:

acl unblockedsites url_regex -i "/etc/squid/unblock.txt"
acl blockedsites url_regex -i "/etc/squid/block.txt"
acl semiblock url_regex -i "/etc/squid/semiblock.txt"

http_access deny semiblock
http_access deny blockedsites !unblockedsites
# I want access to "unblockedsites", but not "blockedsites".
# If I put ".something.tld" in unblockedsites, I can't block
# "c.something.tld" in blockedsites, so I use semiblock instead.
http_access deny all !unblockedsites
# If it can't be accessed through the first two, then it should be
# blocked.

I guess I could probably just use

http_access deny semiblock
http_access deny all !unblockedsites

but I have thoughts of custom error messages in the future, so I think
it could be helpful to know the difference between explicit blocks and
blocks that are simply because they're not on the unblock list.

With the current acl setup, and debug_options set to "ALL,1 33,2",
trying to go to www.joker.com from my browser yields the following
result in cache.log:

2003/03/16 00:02:02| The request CONNECT joker.com:443 is DENIED,
because it matched 'unblockedsites'

If I add the line "joker.com" in unblock.txt, I see nothing in the log
and am able to access it. Yet I already have ".joker.com" in unblock.txt
so it seems it should still be allowed, according to the FAQ.

Any more suggestions?

Thanks,
Jacob
-----
GnuPG Key: 1024D/16377135
In a world without fences, who needs Gates?
http://www.linux.org/
Received on Sat Mar 15 2003 - 23:37:37 MST
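
The behaviour described in the message above can be reproduced outside Squid. The following Python sketch is an added example, not part of the original post or of Squid: it evaluates the three http_access lines from the message in first-match order, treating each url_regex entry as an unanchored, case-insensitive regex over the URL. It assumes that for a CONNECT request the string tested is just host:port (as the cache.log line shows) and that the block and semiblock lists are empty; all helper names are hypothetical.

```python
import re

# Constructed stand-ins for the files named in the post; only the
# ".joker.com" entry comes from the message, the empty lists are assumed.
UNBLOCK = [".joker.com"]
BLOCK = []
SEMIBLOCK = []

def url_regex(patterns):
    """Model of 'url_regex -i': unanchored, case-insensitive search."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda url: any(c.search(url) for c in compiled)

def acl_url(method, host, port, path="/"):
    """String the ACL is tested against (assumption: CONNECT has no scheme)."""
    if method == "CONNECT":
        return f"{host}:{port}"
    return f"http://{host}{path}"

def evaluate(url, unblock=UNBLOCK):
    """Walk the post's http_access lines in order; the first match decides."""
    unblocked = url_regex(unblock)
    blocked = url_regex(BLOCK)
    semi = url_regex(SEMIBLOCK)
    rules = [
        ("deny semiblock", lambda u: semi(u)),
        ("deny blockedsites !unblockedsites",
         lambda u: blocked(u) and not unblocked(u)),
        ("deny all !unblockedsites", lambda u: not unblocked(u)),
    ]
    for name, matches in rules:
        if matches(url):
            return "DENIED", name
    # No line matched: Squid applies the opposite of the last line's action.
    return "ALLOWED", "default"

if __name__ == "__main__":
    cases = [
        ("GET", "www.joker.com", 80),
        ("GET", "joker.com", 80),
        ("CONNECT", "www.joker.com", 443),
        ("CONNECT", "joker.com", 443),
    ]
    for method, host, port in cases:
        url = acl_url(method, host, port)
        print(f"{method:8}{url:26}", *evaluate(url))
    fixed = evaluate("joker.com:443", unblock=[".joker.com", "joker.com"])
    print("with extra 'joker.com' entry:", *fixed)
```

The entry .joker.com needs one character in front of "joker"; in http://joker.com/ the slash supplies it, but the CONNECT string joker.com:443 has none, so only that request falls through to the last deny line. Squid's dstdomain ACL type, where a leading dot means the domain and its subdomains, tests the host name alone rather than the whole URL.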