Re: [squid-users] Domain & URL blacklists

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 03 Nov 2007 01:07:33 +1300

Thomas Raef wrote:
>> Squid can handle these by itself. With a regular "squid -k reconfigure"
>> after updating the files.
>>
>> For the list of pure hostnames a "dstdomain" acl is the best.
>> For the list of URI snippets a "urlpath_regex" acl probably with "-i" is
>> needed.
>>
>> If the domain/ip file is an pruned version of the domains with URI
>> entries, then the URI may not be useful as its all caught by the
> domain.
>> If they are different then yes both have a use.
>>
>> Amos
>>
>>
> [Tom replied with:]
>
> Amos, would you then recommend that the domain acl be listed before the
> url acl?

Yes, it's a small performance boost, but large lists sometimes need it.

>
> That would block by domain if a url included an entry in the domain list
> - if that's the desired result, thus avoiding the expensive (resource
> wise) urlpath_regex lookup.

That's the idea.

The catch-22 here is that sequencing acls only boosts the matching
requests. For denies, non-matching requests usually form the majority of
web usage.
Then both lists will be fully checked (returning false), and pruning the
regex down as far as possible would still be a great idea.

There is a trick I sometimes use: mixing acl types within a single name.
Since each object in a name matches on OR, it should stop at the first
absolute match in there. But I have not done any rigorous testing of
that. Nor am I certain of the order squid does the type tests, so it
could be making things worse if regex is mixed.

>
> I guess it would all depend on the desired results but something that
> should be considered when implementing acls.

Aha.

Amos
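The ordering discussed in this thread, written out as a squid.conf fragment. This is an added illustration, not configuration from the thread or from the Squid project; the file paths and the list entries are constructed examples.

```conf
# Cheap hostname match first: dstdomain compares against the request host
# only. A leading dot in the list file matches the domain and all its
# subdomains, e.g. ".bad-example.test" (constructed entry).
acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"

# Expensive match second: urlpath_regex runs each pattern against the URL
# path (everything after the host), case-insensitively because of -i.
# Example list entry (constructed): /wp-content/uploads/.*\.exe$
acl blocked_paths urlpath_regex -i "/etc/squid/blocked_paths.txt"

# Deny on the domain list before the regex list, so a request whose host is
# already blacklisted never reaches the regex evaluation. Requests matching
# neither list still pass through both, which is why the regex list should
# be kept as short as possible.
http_access deny blocked_domains
http_access deny blocked_paths

# Remaining policy (constructed example): permit the local network, deny
# everything else.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all

# After editing either list file, reload without restarting:
#   squid -k reconfigure
```

Keep the domain file to bare hostnames and the path file to regexes only; a hostname placed in the regex list is both slower to check and, since urlpath_regex sees only the path, will never match.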
Received on Fri Nov 02 2007 - 06:07:34 MDT
