Re: [squid-users] url_regex & acceleration mode

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 10 Mar 2003 20:34:12 +0100

Then see the Squid FAQ on debugging access controls.

Regards
Henrik

On Monday 10 March 2003 16.58, Hawk wrote:
> Henrik,
>
> it doesn't work :-(
>
> Anyway I forgot to paste these acl lines:
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny vdlsite vdlhttp http_port_80
> http_access allow all
>
> This because this squid should be my acceleration for my internet
> web sites.
>
> However changing conf as you told me doesn't work yet.
>
> In this way www.mysite.com/vdl is never blocked (http or https).
>
> Thanks
>
> Rick
>
> At 16.43 10/03/2003, Henrik Nordstrom wrote:
> >Mon 2003-03-10 at 15.51, Hawk wrote:
> > > Sorry for boring you again... these are my confs:
> > >
> > > acl vdlhttp url_regex -i www.mysite.com/vdl dst_port 80
> >
> >this matches case sensitive URL having any of the substrings
> > "www[any character]mysite[any character]com/vdl", "dst_port" or
> > "80" in them. Probably not what you want..
> >
> > > http_access deny vdlhttp
> > > http_access allow all
> > > httpd_accel_port 80
> > > httpd_accel_host virtual
> > > httpd_accel_single_host off
> > > httpd_accel_uses_host_header on
> > >
> > > with this configuration both https & http for those sites are
> > > denied
> >
> >what you want is
> >
> >acl vdl urlpath_regex ^/vdl
> >acl mysite dstdomain www.mysite.com
> >acl http_port_80 myport 80
> >http_access deny mysite vdl http_port_80
> >
> >
> >Another important note:
> >
> >You do not want to run an accelerator with "http_access allow
> > all".. You MUST set up access controls on which destinations may
> > be reached via the accelerator. If not, your accelerator can
> > easily be abused as an open proxy, bouncing via the accelerator
> > to any server on the Internet. It is only a matter of minutes
> > before such an openly configured accelerator is found and abused by
> > hackers for purposes you absolutely have not intended when
> > setting up the accelerator..
> >
> >Instead of http_access allow all you want something like this in
> > an accelerator:
> >
> >acl my_sites dstdomain www.mysite.com www.myothersite.com ...
> >acl port80 port 80
> >acl http protocol http
> >http_access allow my_sites http port80
> >
> >
> >If the list of sites is long use an include file
> >
> >acl my_sites dstdomain "/path/to/accelerated_sites.txt"
> >
> >
> >--
> >Henrik Nordstrom <hno@squid-cache.org>
> >MARA Systems AB, Sweden
Received on Mon Mar 10 2003 - 12:34:13 MST
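
The following is an added example, not part of the original thread and not Squid's own code: a simplified Python model of the ACL semantics discussed above, comparing the original `url_regex` rule, the corrected rule, and the corrected rule with the destination allow-list in place of `http_access allow all`. The helper names (`request`, `decide`), the rule-set names and the sample URLs (including `www.example.org` and `banner80.png`) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Simplified model of Squid ACL evaluation (an assumption-level sketch):
#  - an acl with several values matches if ANY value matches
#  - an http_access line fires only if ALL of its acls match
#  - the first line that fires decides; if none fires, the result is the
#    opposite of the last line's action
MY_SITES = {"www.mysite.com", "www.myothersite.com"}
ACLS = {
    # acl vdlhttp url_regex -i www.mysite.com/vdl dst_port 80  (three regexes)
    "vdlhttp": lambda r: any(re.search(p, r["url"], re.I)
                             for p in ("www.mysite.com/vdl", "dst_port", "80")),
    "vdl": lambda r: re.search(r"^/vdl", r["path"]) is not None,
    "mysite": lambda r: r["host"] == "www.mysite.com",
    "http_port_80": lambda r: r["myport"] == 80,   # port Squid accepted on
    "my_sites": lambda r: r["host"] in MY_SITES,
    "port80": lambda r: r["port"] == 80,           # destination port in the URL
    "http": lambda r: r["scheme"] == "http",
    "all": lambda r: True,
}
ORIGINAL = [("deny", ["vdlhttp"]), ("allow", ["all"])]
CORRECTED = [("deny", ["mysite", "vdl", "http_port_80"]), ("allow", ["all"])]
HARDENED = [("deny", ["mysite", "vdl", "http_port_80"]),
            ("allow", ["my_sites", "http", "port80"])]

def request(url, myport):
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}[u.scheme]
    return {"url": url, "host": u.hostname, "path": u.path or "/",
            "scheme": u.scheme, "port": port, "myport": myport}

def decide(rules, req):
    for action, names in rules:
        if all(ACLS[n](req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed sample requests: (URL, port Squid received it on)
SAMPLES = [
    ("http://www.mysite.com/vdl/index.html", 80),
    ("https://www.mysite.com/vdl/index.html", 443),
    ("http://www.mysite.com/img/banner80.png", 80),
    ("http://www.example.org/", 80),   # host that is not an accelerated site
]

if __name__ == "__main__":
    for url, myport in SAMPLES:
        req = request(url, myport)
        print(url, myport, [decide(r, req) for r in (ORIGINAL, CORRECTED, HARDENED)])
```

In this model the allow line as quoted covers plain http on port 80 only, so the https sample falls through to the implicit deny under `HARDENED`; a site that also serves https would need its own allow line.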
