Re: [squid-users] ACL defaults

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 5 Feb 2005 23:26:41 +0100 (CET)

On Sat, 5 Feb 2005, Martin Joseph wrote:

>> If you have http_access lines but none matches the request the action is the
>> opposite of your last http_access rule.
>
> Wouldn't it make more sense for squid to DENY any requests after finishing
> with the ACL list, thus forcing people to explicitly enable the access they
> want to allow?

Yes and no. There are many ways of doing access lists.

With the current design you can easily do either

deny everything which is not allowed

or

allow only what is allowed

and the result will be what you intended.

Most people find it easier with explicit rules, which is why the
suggested standard configuration shipped with Squid looks like (in order)

1. limit cachemgr access

2. deny abuse

3. allow your clients to use the proxy

4. deny everything else

(see squid.conf.default for the actual rules with comments)

Regards
Henrik
Received on Sat Feb 05 2005 - 15:26:44 MST
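
The fall-through behaviour discussed in this message, modelled as an added example (not part of the original post and not Squid's own code). The ACL names, the 192.168.1.0/24 network, the blocked host and the sample requests are constructed assumptions; the model covers only non-empty http_access lists.

```python
from ipaddress import ip_address, ip_network

# Constructed ACLs; the names, network and host are assumptions for illustration.
ACLS = {
    "all": lambda r: True,
    "our_networks": lambda r: ip_address(r["src"]) in ip_network("192.168.1.0/24"),
    "Safe_ports": lambda r: r["port"] in {80, 443},
    "blocked_site": lambda r: r["host"] == "blocked.example",
}

def acl_matches(name, req):
    """Evaluate one ACL reference, honouring a leading '!' negation."""
    if name.startswith("!"):
        return not ACLS[name[1:]](req)
    return ACLS[name](req)

def http_access(rules, req):
    """Return (action, how) for req against ordered (action, [acl, ...]) rules.

    First matching rule wins; a rule matches only if all its ACLs match.
    With no match, the result is the opposite of the last rule's action.
    """
    if not rules:
        raise ValueError("empty rule list is outside this model")
    for action, names in rules:
        if all(acl_matches(n, req) for n in names):
            return action, "explicit"
    last_action = rules[-1][0]
    return ("allow" if last_action == "deny" else "deny"), "implicit"

# Constructed requests: one inside client, one outside client.
INSIDE = {"src": "192.168.1.20", "port": 80, "host": "www.example.org"}
OUTSIDE = {"src": "203.0.113.9", "port": 80, "host": "www.example.org"}

ENDS_WITH_ALLOW = [("deny", ["!Safe_ports"]), ("allow", ["our_networks"])]
# Appending a deny rule later silently flips the implicit default to allow.
ENDS_WITH_DENY = ENDS_WITH_ALLOW + [("deny", ["blocked_site"])]
# Ending with an explicit catch-all keeps the outcome independent of the last rule.
EXPLICIT = ENDS_WITH_DENY + [("deny", ["all"])]

if __name__ == "__main__":
    for label, rules in [("ends with allow", ENDS_WITH_ALLOW),
                         ("ends with deny", ENDS_WITH_DENY),
                         ("explicit deny all", EXPLICIT)]:
        print(label, http_access(rules, INSIDE), http_access(rules, OUTSIDE))
```

The middle rule set is the case to check for when reviewing a configuration: a list that ends in a narrow deny rule lets every unmatched request through.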
