Controlling neighbour access

From: Mark Eldridge <Mark.Eldridge@dont-contact.us>
Date: Tue, 18 Feb 1997 10:08:28 +0800 (WST)

I'd like to be able to control which objects on our cache our neighbours
have access to. If our organisation's internal documents are cached then
it is possible that our neighbours could access these documents, bypassing
any security that may be in place on the end web server.

The trusting method (for the perfect world) is to ask the neighbours to
put a 'cache_host_domain proxy.csiro.au !.csiro.au' statement in their
configs. This is also more efficient.

To control it from our end I have tried the following:

acl csiro src 1.2.0.0/255.255.0.0
acl non_csiro_neighbour src 3.4.0.0/255.255.0.0
acl csiro_url url_regex \.csiro\.au
icp_access allow csiro
icp_access deny csiro_url
icp_access deny all !non_csiro_neighbour

I've also tried

cache_host_acl neighbour.au !csiro_url

Neither of these methods works. What am I doing wrong?

Also, how much is negotiated between neighbours? Can neighbours swap the
access lists that relate to each other and vary their requests
accordingly? i.e. if neighbour1 won't feed certain objects to neighbour2,
there's not much point in neighbour2 requesting them.

Thanks for any help.

(I'm using squid 1.1.5 with patches on Solaris 2.5.1)

Mark

-----
Mark Eldridge phone: +61 9 387 0301
CSIRO Floreat Park Laboratories fax: +61 9 387 6046
Private Bag PO mobile: 018 916 724
Wembley, Western Australia, 6014 email: mark@per.its.csiro.au
Received on Mon Feb 17 1997 - 18:30:59 MST
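
Added example, not part of the original post: a small Python model of how the three icp_access lines above are evaluated, useful for checking which neighbour queries a rule set lets through. It assumes Squid's documented access-list behaviour (lines checked in order, first match wins, ACLs on one line are ANDed, and the opposite of the last line applies when nothing matches); the `all` ACL definition and the sample addresses and URLs are constructed.

```python
import ipaddress
import re

# ACL definitions as given in the post; "all" is not shown there and is assumed.
ACLS = {
    "csiro": ("src", "1.2.0.0/255.255.0.0"),
    "non_csiro_neighbour": ("src", "3.4.0.0/255.255.0.0"),
    "csiro_url": ("url_regex", r"\.csiro\.au"),
    "all": ("src", "0.0.0.0/0"),
}

# The three icp_access lines from the post, in order.
ICP_ACCESS = [
    ("allow", ["csiro"]),
    ("deny", ["csiro_url"]),
    ("deny", ["all", "!non_csiro_neighbour"]),
]

def acl_matches(name, src, url):
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(src) in ipaddress.ip_network(value)
    return re.search(value, url) is not None  # url_regex is unanchored

def icp_decision(src, url, rules=ICP_ACCESS):
    for action, terms in rules:
        # A leading "!" negates the ACL; every term on the line must hold.
        if all(acl_matches(t.lstrip("!"), src, url) != t.startswith("!") for t in terms):
            return action
    # Nothing matched: assumed default is the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"

# Constructed sample ICP queries: (source address, requested URL).
SAMPLES = [
    ("1.2.3.4", "http://internal.csiro.au/doc.html"),   # internal client
    ("3.4.5.6", "http://internal.csiro.au/doc.html"),   # neighbour, internal URL
    ("3.4.5.6", "http://www.example.org/"),             # neighbour, external URL
    ("3.4.5.6", "http://csiro.au/"),                    # no leading dot in host
    ("9.9.9.9", "http://www.example.org/"),             # unknown source
]

if __name__ == "__main__":
    for src, url in SAMPLES:
        print(f"{src:10} {url:40} -> {icp_decision(src, url)}")
```

The model covers only the icp_access list; HTTP fetches by a neighbour are decided by a separate access list and are not represented here.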
