RE: [squid-users] how 2 setup multiple 'routes' thru squid-cache based on listener port?

From: Chris Robertson <crobertson@dont-contact.us>
Date: Mon, 29 Aug 2005 16:56:46 -0800

> -----Original Message-----
> From: OpenMacNews [mailto:OpenMacNews@speakeasy.net]
> Sent: Monday, August 29, 2005 4:48 PM
> To: Chris Robertson
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] how 2 setup multiple 'routes' thru squid-cache based on listener port?
>
>
> Hi Chris,
>
> thx for the reply! =)
>
> > Adding something like...
> >
> > acl second_inport myport 7777
> > always_direct allow second_inport
> >
> > ... above ...
> >
> > never_direct allow all
> >
> > ... should allow clients accessing your proxy through port 7777 to not use
> > the privoxy (and therefore the TOR network), while pushing all other traffic
> > through the anonymizing network.
>
> aha. the 'myport' condition ... grt!
>
> ok. if, per your suggestion, i do:
>
> acl second_inport myport 7777
>
> always_direct allow second_inport
> never_direct allow all
>
> ...
>
> how would then subsequent conditions, e.g.:
>
> http_access allow localhost
> http_access allow INTERNAL_LAN
>
> no_cache deny QUERY SSL_ports
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow PURGE localhost
> http_access deny PURGE
> http_access allow manager localhost
> http_access deny manager
>
>
> header_access Allow allow INTERNAL_LAN
> header_access Authorization allow INTERNAL_LAN
> header_access WWW-Authenticate allow INTERNAL_LAN
> header_access Cache-Control allow INTERNAL_LAN
> header_access Content-Encoding allow INTERNAL_LAN
> ...
>
> , associated with the port 8888 anonymization route be applied ONLY for that
> route, and NOT the port 7777 'pass-thru'?
>
> i'm guessing this will require creating ACLs of the correct type(s), and
> logically JOINing them ...
>
> i.e., effectively:
>
> header_access Allow allow (INTERNAL_LAN AND !second_inport)
>
> but, so far, I haven't figured out how to do the boolean logic (still digging
> tho ...)
>
> thx! & cheers,
>
> richard
>
>

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

To summarise (sic) the acl logics can be described as:

        http_access allow|deny acl AND acl AND ...
            OR
        http_access allow|deny acl AND acl AND ...
            OR
        ...

So "header_access Allow allow INTERNAL_LAN !second_inport" should not strip the Allow header for those people connecting to port 7777, but should strip it for anyone else. I would suggest, however, testing this.

Chris
Received on Mon Aug 29 2005 - 18:56:49 MDT
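
The AND/OR matching summarised in the reply above, as a small Python model added here (not part of the original message and not Squid's own code). It assumes INTERNAL_LAN is a `src` ACL for 192.168.0.0/16, models only the `myport` and `src` ACL types, and uses a constructed two-line rule set to show line ordering.

```python
import ipaddress

# ACL definitions. second_inport and the names INTERNAL_LAN/all come from the
# thread; the INTERNAL_LAN network is an assumed value (the thread gives none).
ACLS = {
    "second_inport": ("myport", {7777}),
    "INTERNAL_LAN": ("src", ipaddress.ip_network("192.168.0.0/16")),
    "all": ("src", ipaddress.ip_network("0.0.0.0/0")),
}

def acl_matches(name, request):
    """Evaluate one named ACL against a request dict with 'src' and 'myport'."""
    kind, value = ACLS[name]
    if kind == "myport":
        return request["myport"] in value
    return ipaddress.ip_address(request["src"]) in value  # kind == "src"

def parse_rule(line):
    """Split a rule line into (action, [(acl_name, negated), ...])."""
    tokens = line.split()
    # The action is the first lowercase allow|deny token; for header_access it
    # follows the header name ("Allow" the header differs from "allow" by case).
    idx = next(i for i, t in enumerate(tokens) if t in ("allow", "deny"))
    return tokens[idx], [(t.lstrip("!"), t.startswith("!")) for t in tokens[idx + 1:]]

def first_match(rules, request):
    """Action of the first line whose ACLs all match, or None if no line matches."""
    for line in rules:
        action, terms = parse_rule(line)
        # AND within a line; a leading '!' inverts that term.
        if all(acl_matches(name, request) != negated for name, negated in terms):
            return action  # OR across lines: the search stops at the first match
    return None  # what Squid does when nothing matches is not modelled here

# The line discussed in the thread, and a constructed two-line variant.
THREAD_RULE = ["header_access Allow allow INTERNAL_LAN !second_inport"]
TWO_LINES = ["header_access Allow allow second_inport",
             "header_access Allow deny all"]

if __name__ == "__main__":
    for port in (7777, 8888):
        req = {"src": "192.168.1.10", "myport": port}  # constructed LAN client
        print(port, first_match(THREAD_RULE, req), first_match(TWO_LINES, req))
```

A result of `None` means no line matched; check the running Squid's behaviour for that case, as the reply suggests.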
