Re: [squid-users] Peer Review of my ACL's

From: Eric Kahklen <eric@dont-contact.us>
Date: Wed, 25 Feb 2004 07:55:40 -0800

Thanks Henrik!

I was wondering about the ICP; it was in the standard ACLs, but the port
number was different in the conf file.

>>#Allow ICP queries from everyone
>>icp_access allow all
>
>You don't want ICP in a reverse proxy. In fact I would recommend you to
>disable ICP entirely (see icp_port).
>
I'll give this one a shot.

>[or if you are using Squid-3 with cache_peer based forwarding]
>
>acl Exchangebox dstdomain the.official.fqdn.requested.by.clients
>http_access allow https port443 Exchangebox
>
># And finally deny all other access to this proxy
>http_access deny all
>
># Disable ICP
>icp_port 0
>
As I understand ACLs, Squid uses OR logic when checking the ACL
values. Squid only searches until it finds a match in the ACL, then
stops. The access rules are different: they use AND logic and combine
all the ACLs in the list. If none of the access rules are matched, the
default response is the exact opposite of the last rule.

So for example:

acl mynetwork src 192.168.1.0
http_access allow mynetwork

This would only allow the 192.168.1.0 subnet, and by default it would
DENY anything else since it wouldn't match the acl - mynetwork.

I got confused by one in Wessels' book:

acl All src 0/0
acl Bob ident bob
http_access allow Bob
http_access deny All

First, if the ident wasn't matched with bob, they would be denied. Then,
if it wasn't ident traffic, they'd be denied for everything else? Am I
correct? In this example, I am trying to see how a non-match could occur,
since the All acl is basically everything, isn't it?

Thanks,

Eric

>Regards
>Henrik
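An added example, not part of Eric's or Henrik's messages: a small Python model of the http_access evaluation order the message above describes (values within one acl are OR'd, the ACLs named on one http_access line are AND'd, the first matching line wins, and when nothing matches the result is the opposite of the last line). The model is written from Squid's documented behaviour, not taken from Squid's source; it only handles src and ident ACLs, and the configs it runs are constructed here, with an explicit /24 prefix on mynetwork (an assumption, since the message writes the bare network address). The third config shows the practical consequence of the default rule: a list that ends in a deny lets every unlisted client through.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """The request attributes this model looks at (constructed, not a real Squid object)."""
    src: str                      # client IP address
    ident: Optional[str] = None   # username from an ident lookup; None if the lookup gave no answer


@dataclass
class Acl:
    name: str
    kind: str
    values: list = field(default_factory=list)


def _network(value):
    # Squid accepts 0/0 as shorthand for "every IPv4 address"; ipaddress does not.
    if value == "0/0":
        value = "0.0.0.0/0"
    return ipaddress.ip_network(value, strict=False)


def acl_matches(acl, req):
    """One ACL is an OR over its values: it matches if ANY value matches."""
    if acl.kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in _network(v) for v in acl.values)
    if acl.kind == "ident":
        return req.ident is not None and req.ident in acl.values
    raise ValueError(f"ACL type {acl.kind!r} is not modelled here")


def parse_config(text):
    """Read 'acl' and 'http_access' lines; other directives and comments are ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, *values = words[1:]
            acl = acls.setdefault(name, Acl(name, kind))
            if acl.kind != kind:
                raise ValueError(f"acl {name} redefined with a different type")
            acl.values.extend(values)      # repeated acl lines add values to the same OR
        elif words[0] == "http_access":
            action, *names = words[1:]
            if action not in ("allow", "deny") or not names:
                raise ValueError(f"bad http_access line: {raw!r}")
            rules.append((action, names))
    return acls, rules


def evaluate(acls, rules, req):
    """Return (action, line_number); line_number is None when the default applied."""
    if not rules:
        return "deny", None            # no http_access lines at all: Squid denies
    for number, (action, names) in enumerate(rules, start=1):
        # All ACLs on one line must match (AND); a leading "!" inverts that one ACL.
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action, number      # first matching line wins; the rest are never checked
    last_action = rules[-1][0]         # nothing matched: opposite of the last line
    return ("deny" if last_action == "allow" else "allow"), None


def decide(config_text, req):
    return evaluate(*parse_config(config_text), req)


# Constructed configs. The first is the message's example with an explicit /24 prefix (assumed).
MYNETWORK_CONF = """
acl mynetwork src 192.168.1.0/24
http_access allow mynetwork
"""

WESSELS_CONF = """
acl All src 0/0
acl Bob ident bob
http_access allow Bob
http_access deny All
"""

# A list whose last line is a deny: anything the deny does not cover falls through to allow.
DENY_ONLY_CONF = """
acl badnet src 10.66.0.0/16
http_access deny badnet
"""

if __name__ == "__main__":
    for conf, req in [(MYNETWORK_CONF, Request("192.168.1.10")),
                      (MYNETWORK_CONF, Request("10.0.0.5")),
                      (WESSELS_CONF, Request("192.168.1.10", ident="bob")),
                      (WESSELS_CONF, Request("192.168.1.10")),
                      (DENY_ONLY_CONF, Request("203.0.113.9"))]:
        print(req, "->", decide(conf, req))
```

Running the WESSELS_CONF case with no ident answer shows why the "non-match" case Eric asks about never arises there: `All` matches every source address, so the `deny All` line fires for anyone the `allow Bob` line did not accept, and the default (which would be allow, the opposite of that last deny) is never consulted. The DENY_ONLY_CONF case is the one to watch for in a review: with no final `deny all`, a client outside 10.66.0.0/16 is allowed by the default rule alone.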
Received on Wed Feb 25 2004 - 08:55:43 MST
