> -----Original Message-----
> From: johnsuth@acenet.com.au [mailto:johnsuth@acenet.com.au]
> Sent: Friday, February 11, 2005 5:26 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Banning all other destinations
SNIP
>
> The dstdomain .gov denied .gov.au so I reverted to dstdom_regex although,
> like the California Democrats, I don't want the govenator.
>
This is possible:
\.gov(\..*)?$
Will only match "*.gov" or "*.gov.*" but will not match "thegovenator.com".
On the other hand, it's a complex rule that will cause a hit on performance.
Perhaps using "dstdomain .gov .gov.au" would be a more exact solution.
I've made a couple of suggestions below. Then again, if it ain't broke...
> Interleaving works, and ANDing the ACLs in the rules makes the intent even
> clearer.
Excellent. Clarity leads to functionality.
>
> ACL is checked before getting from cache.
Good to know. I was not aware of that previously.
>
> Squid goes out to the internet before getting cached pages, after a period
> of idleness. I don't have a good handle on this.
Usually to check whether the page has been modified (look for an IMS_HIT).
>
> The last rule does what it says, not the inverse.
The last rule does what it says. If it is not an absolute, then the NEXT
(non-existent) rule is an absolute in the inverse. So if your last
http_access rule is "http_access allow mylan" then the implied next rule is
"http_access deny all". In the same vein, if the last rule is "http_access
deny badsites" then the next implied rule is "http_access allow all", hence
the suggestion to make the last rule explicit.
>
> Changing the rules had some side effects.
> 1) the 30 sec delay on shutdown started working and, after some more rule
> changes, stopped working. It does not matter.
Look for a "shutdown_lifetime" rule in your conf file. If absent, Squid
should default to 30 seconds.
> 2) I now have access denied error messages, in Hebrew. Perhaps it is
> better that users who try naughty things are baffled, rather than taunted by
> a comprehensible message.
Look for an "error_directory" rule. This will point Squid to the directory
containing error messages. The default is set at compile time.
>
> Here are my rules:-
>
> # TAG: acl
>
> # TAG: http_access
> acl all src 0.0.0.0/0.0.0.0
> acl localnet src 192.168.100.0/24
> acl OKdomains dstdom_regex -i .gov. .edu. .google.com.au
acl OKdomains dstdom_regex -i \.gov(\..*)?$ \.edu(\..*)?$ \.google\.com\.au$
or
acl OKdomains dstdomain .gov .gov.au .edu .edu.au .google.com.au
> http_access allow localnet OKdomains
> acl every dst 0.0.0.0/0.0.0.0
> http_access deny every
>
> # TAG: http_reply_access
> http_reply_access allow localnet
> http_access deny all
>
> I am inestimably grateful for your patience which has saved my life, well,
> at least my sanity.
Glad to be of what help I can.
Chris
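An added example, not part of the thread and not Squid's own code: a small Python model of the three points argued above, namely how `dstdom_regex -i` and `dstdomain` decide whether a destination matches, and how `http_access` falls back to the inverse of the last rule when nothing matches. The hostnames are constructed test data, and the matching functions are my approximation of Squid's behaviour, not its source.

```python
import re

# Constructed hostnames for the check; none come from the thread.
HOSTS = [
    "www.nasa.gov",           # *.gov         -> wanted
    "www.ato.gov.au",         # *.gov.au      -> wanted
    "mit.edu",                # *.edu         -> wanted
    "www.google.com.au",      # listed site   -> wanted
    "www.google.com",         # not listed    -> not wanted
    "www.thegovenator.com",   # 'gov' inside a label      -> not wanted
    "www.governor.com",       # label that starts 'gov'   -> not wanted
]

# The dstdom_regex lists from the thread, in order of increasing strictness.
LOOSE_REGEX = [".gov.", ".edu.", ".google.com.au"]                  # unescaped dots
LAX_REGEX = [r"\.gov\.?", r"\.edu\.?", r"\.google\.com\.au$"]        # escaped, unanchored
STRICT_REGEX = [r"\.gov(\..*)?$", r"\.edu(\..*)?$", r"\.google\.com\.au$"]

# The dstdomain alternative.
DSTDOMAIN = [".gov", ".gov.au", ".edu", ".edu.au", ".google.com.au"]


def dstdom_regex_match(patterns, host):
    """Model of 'dstdom_regex -i': the host matches if any pattern is found
    anywhere in it, case-insensitively (assumption: unanchored search)."""
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)


def dstdomain_match(patterns, host):
    """Model of 'dstdomain': an entry with a leading dot matches that domain and
    every subdomain of it; an entry without one must match the host exactly."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def http_access(rules, acls, request):
    """Model of http_access evaluation: rules are (action, [acl names]) tried in
    order; every ACL on a line must match (AND). If no line matches, the result
    is the opposite of the LAST line's action, which is why the thread
    recommends making the final rule explicit."""
    for action, names in rules:
        if all(acls[name](request) for name in names):
            return action
    last_action = rules[-1][0]
    return "deny" if last_action == "allow" else "allow"


def matching_hosts(matcher, patterns):
    """Return the constructed hosts that a given ACL definition lets through."""
    return [h for h in HOSTS if matcher(patterns, h)]


# ACLs for the http_access model: a /24 'localnet' and OKdomains via dstdomain.
ACLS = {
    "localnet": lambda r: r["src"].startswith("192.168.100."),
    "OKdomains": lambda r: dstdomain_match(DSTDOMAIN, r["host"]),
    "all": lambda r: True,
}

# An allow-only list: nothing matches -> implied 'deny all'.
RULES_IMPLICIT = [("allow", ["localnet", "OKdomains"])]
# The same list with the final rule made explicit, as the thread suggests.
RULES_EXPLICIT = RULES_IMPLICIT + [("deny", ["all"])]
# A deny-only list: nothing matches -> implied 'allow all' (the surprising case).
RULES_DENY_ONLY = [("deny", ["OKdomains"])]

if __name__ == "__main__":
    for label, matcher, pats in [
        ("loose regex", dstdom_regex_match, LOOSE_REGEX),
        ("lax regex", dstdom_regex_match, LAX_REGEX),
        ("strict regex", dstdom_regex_match, STRICT_REGEX),
        ("dstdomain", dstdomain_match, DSTDOMAIN),
    ]:
        print(f"{label:13s} allows: {matching_hosts(matcher, pats)}")
    outsider = {"src": "10.0.0.5", "host": "www.nasa.gov"}
    print("allow-only list, outsider:", http_access(RULES_IMPLICIT, ACLS, outsider))
    stranger = {"src": "10.0.0.5", "host": "example.com"}
    print("deny-only list, outsider: ", http_access(RULES_DENY_ONLY, ACLS, stranger))
```

Running it shows why the unescaped `.gov.` list misbehaves in both directions: it lets `www.governor.com` and `www.thegovenator.com` through while failing to match a bare `www.nasa.gov`, because the trailing unescaped dot demands one more character. The unanchored `\.gov\.?` fixes the second problem but still admits `www.governor.com`; the anchored `\.gov(\..*)?$` form and the `dstdomain` list agree on exactly the four wanted hosts. The `http_access` model reproduces the point about the implied last rule: an allow-only list quietly denies a request from outside the LAN, while a deny-only list quietly allows one.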
Received on Fri Feb 11 2005 - 11:25:33 MST