Re: [squid-users] ACLs: simple question about http_access and AND operator

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 19 Feb 2013 13:19:16 +1300

On 19/02/2013 8:19 a.m., David Touzeau wrote:
>
> Dear, I need some clarifications about the "AND" operator in
> http_access (or any other tokens using ACLs)
>
> I cannot find what I'm missing...
>
> I need to ban some websites except for some specified users.
>
> I create 2 acls:
>
> acl MyAllowedU proxy_auth david jhon mirna
> acl bannedw dstdomain .msn.com .yahoo.com
>
> Basically I can do that:
>
> http_access deny !MyAllowedU bannedw

Basically yes, they are ANDed together. However...

>
> Is there any change in behavior if I do
> http_access deny bannedw !MyAllowedU

They are tested in order and each of those types has different
side-effects from testing.

bannedw has no side-effects beyond DNS lookup on raw-IP requests.

MyAllowedU has the side effect of triggering authentication re-challenge
if it is last on the line and fails to match a user (missing, wrong
password, other user).
In your initial setup it only triggers authentication challenge if
credentials are *missing*.

Other than the auth behaviour the second setup is a faster ACL testing
sequence on all traffic which fails to match bannedw.

If you need to change the order for performance, place the " all" at the
right-hand end of the line to prevent the change of auth behaviour.

Amos
Received on Tue Feb 19 2013 - 00:19:22 MST
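
The three orderings discussed in this thread, side by side, as an added example that is not part of the original messages. The ACL names and values are the ones from the question; it assumes an auth_param scheme is already configured elsewhere in squid.conf and that only one of the three deny lines is active at a time.

```conf
# Added example (not from the original thread). Assumes auth_param is
# configured elsewhere; enable exactly one of the deny lines below.

acl MyAllowedU proxy_auth david jhon mirna
acl bannedw dstdomain .msn.com .yahoo.com

# Variant 1: auth ACL first, dstdomain last.
# ACLs on a line are ANDed and tested left to right, so the auth ACL is
# evaluated on every request. Per the reply, an authentication challenge
# is only triggered when credentials are missing.
#http_access deny !MyAllowedU bannedw

# Variant 2: dstdomain first, auth ACL last.
# Faster for all traffic that does not match bannedw, because testing
# stops at the first ACL that fails to match. But the auth ACL is now
# last on the line, so failing to match a user (missing credentials,
# wrong password, or a user not in the list) triggers a re-challenge.
#http_access deny bannedw !MyAllowedU

# Variant 3: same fast order as variant 2, with "all" appended.
# The auth ACL is no longer last on the line, which prevents the change
# of auth behaviour described for variant 2.
http_access deny bannedw !MyAllowedU all
```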