Re: [squid-users] ACL defaults

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 5 Feb 2005 12:01:06 +0100 (CET)

On Sat, 5 Feb 2005 johnsuth@acenet.com.au wrote:

> For the tag http_access, my .conf says:-
>
> "NOTE on default values:
> If there are no 'access' lines present, the default is to deny the request."

> This implies DENY BY DEFAULT which is a common convention in this context.

No it does not. Read the first part of that sentence again.

> However all following text contradicts that. e.g.:-
>
> "If none of the access lines causes a 'match', the default is the opposite of the last line
> in the list. If the last line was deny, then the default is allow. Conversly, if the last line
> is allow, the default will be deny. For these reasons, it is a good idea to have an 'deny
> all' or 'allow all' entry at the end of your access lists to avoid POTENTIAL CONFUSION."

I see no contradiction here.

If you have no http_access rules AT ALL all requests will be denied as you
have not configured the access controls.

If you have http_access lines but none matches the request the action the
opposite of your last http_access rule.

Regards
Henrik
Received on Sat Feb 05 2005 - 04:01:12 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST