RE: [squid-users] Banning all other destinations

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 11 Feb 2005 09:25:30 -0900

> -----Original Message-----
> From: johnsuth@acenet.com.au [mailto:johnsuth@acenet.com.au]
> Sent: Friday, February 11, 2005 5:26 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Banning all other destinations

SNIP

>
> The dstdomain .gov denied .gov.au so I reverted to dstdom_regex although,
> like the California Democrats, I don't want the govenator.
>

This is possible:

\.gov(\..*)?$

Will only match "*.gov" or "*.gov.*" but will not match "thegovenator.com".
On the other hand, it's a complex rule that will cause a hit on performance.
Perhaps using "dst_domain .gov .gov.au" would be a more exact solution.
I've made a couple of suggestions below. Then again, if it ain't broke...

> Interleaving works, and ANDing the ACLs in the rules makes the intent even
> clearer.

Excellent. Clarity leads to functionality.

>
> ACL is checked before getting from cache.

Good to know. I was not aware of that previously.
>
> Squid goes out to the internet before getting cached pages, after a period
> of idleness. I don't have a good handle on this.

Usually to check whether the page has been modified (look for an IMS_HIT).

>
> The last rule does what it says, not the inverse.

The last rule does what it says. If it is not an absolute, then the NEXT
(non-existent rule) is an absolute in the inverse. So if your last
http_access rule is "http_access allow mylan" then the implied next rule is
"http_access deny all". In the same vein, if the last rule is "http_access
deny badsites" then the next implied rule is "http_access allow all", hence
the suggestion to make the last rule explicit.

>
> Changing the rules had some side effects.
> 1) the 30 sec delay on shutdown started working and, after some more rule
> changes, stopped working. It does not matter.

Look for a "shutdown_lifetime" rule in your conf file. If absent, Squid
should default to 30 seconds.

> 2) I now have access denied error messages, in Hebrew. Perhaps it is
> better that users who try naughty things are baffled, rather than taunted
> by a comprehensible message.

Look for an "error_directory" rule. This will point Squid to the directory
containing error messages. The default is set at compile time.

>
> Here are my rules:-
>
> # TAG: acl
>
> # TAG: http_access
> acl all src 0.0.0.0/0.0.0.0
> acl localnet src 192.168.100.0/24
> acl OKdomains dstdom_regex -i .gov. .edu. .google.com.au

acl OKdomains dstdom_regex -i \.gov\.? \.edu\.? \.google\.com\.au$

or

acl OKdomains dstdomain .gov .gov.au .edu .edu.au .google.com.au

> http_access allow localnet OKdomains
> acl every dst 0.0.0.0/0.0.0.0
> http_access deny every
>
> # TAG: http_reply_access
> http_reply_access allow localnet
> http_access deny all
>
> I am inestimably grateful for your patience which has saved my life, well,
> at least my sanity.

Glad to be of what help I can.

Chris
Received on Fri Feb 11 2005 - 11:25:33 MST
