Re: [squid-users] acl order

From: Erwann PENCREACH <erwann.pencreach_at_ch-chaumont.fr>
Date: Fri, 14 Aug 2009 08:11:35 +0200

Hi

Riccardo Castellani wrote:
> If I create these entries in squid.conf:
>
> acl wwwebay dstdomain www.ebay.com
> acl wwwcons dstdomain demo.consortium.com
> acl emmepitre url_regex ^http://.*\.mp3
> acl msnmessq req_mime_type -i ^application/x-msn-messenger$
> acl msnmessp rep_mime_type -i ^application/x-msn-messenger$
> acl audiosp rep_mime_type -i ^audio/wav$
> acl videosp req_mime_type -i ^application/x-shockwave-flash$
> acl streaming_mediap rep_mime_type ^video/x-ms-asf
> acl streaming_mediap rep_mime_type ^audio/mpeg
> acl streaming_mediap rep_mime_type ^audio/x-scpls
> acl streaming_mediap rep_mime_type ^video/x-flv
>
> http_access allow user2
> http_access allow user3

> http_access deny msnmessp
> http_access deny audiosp
> http_access deny videosp
> http_access deny streaming_mediap
>
Those won't do anything; use http_reply_access instead of http_access
to deal with MIME types.

> http_access allow user1 wwwebay
> http_access allow user1 wwwcons
> http_access deny wwwebay
> http_access allow user4
> ...
> ...
> ...
> http_access allow user100
> http_access deny all
> #
> http_reply_access allow user2
> http_reply_access allow user3
> http_reply_access deny msnmessp
> http_reply_access deny audiosp
> http_reply_access deny videosp
> http_reply_access deny streaming_mediap
> http_reply_access allow all
>
>
> In this case, I'd like:
>
> user2+3 can access everything.
> User1 can access only www.ebay.com
> User4 to user100 can access everything except msnmessp, audiosp, videosp,
> streaming_mediap, wwwebay, wwwcons.
>
>
> What's the order in which rules are scanned by squid?
from top to bottom
> What do you think about my schema criteria ?
- your audio and video filtering are not exhaustive, I prefer using:

acl nosoundnovid rep_mime_type audio video

- are you sure that you need to filter requests instead of replies here?

acl msnmessq req_mime_type -i ^application/x-msn-messenger$
acl videosp req_mime_type -i ^application/x-shockwave-flash$

>
> --
> This e-mail has been scanned and is free of viruses known to date.
> Contact your administrator for more information.
> postmaster_at_ch-chaumont.fr


Received on Fri Aug 14 2009 - 06:11:45 MDT
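
An added example (not part of the original message, and not Squid's own code): a small Python model of the evaluation order discussed in this thread, where each list is scanned top to bottom, the first matching line wins, and a reply ACL cannot match in http_access. Matching user1..user4 on a label, and the hosts and MIME types in the sample transactions, are constructed assumptions; the rules are a shortened form of those quoted above, using the nosoundnovid ACL.

```python
import re

def user(name):
    # Assumption: user1..user4 are not defined in the thread; match on a label.
    return ("request", lambda t: t["user"] == name)

# ACL name -> (phase where it can be tested, predicate over the transaction)
ACLS = {
    **{u: user(u) for u in ("user1", "user2", "user3", "user4")},
    "wwwebay": ("request", lambda t: t["host"] == "www.ebay.com"),
    "nosoundnovid": ("reply", lambda t: bool(re.search("audio|video", t.get("reply_type", "")))),
    "all": ("request", lambda t: True),
}

def parse(text):
    # "http_access allow user1 wwwebay" -> ("allow", ["user1", "wwwebay"])
    return [(f[1], f[2:]) for f in map(str.split, text.strip().splitlines())]

HTTP_ACCESS = parse("""
http_access allow user2
http_access allow user3
http_access deny nosoundnovid
http_access allow user1 wwwebay
http_access deny wwwebay
http_access allow user4
http_access deny all""")

HTTP_REPLY_ACCESS = parse("""
http_reply_access allow user2
http_reply_access allow user3
http_reply_access deny nosoundnovid
http_reply_access allow all""")

def acl_matches(name, txn, have_reply):
    phase, pred = ACLS[name]
    # A reply ACL has nothing to test until the reply headers exist.
    return (phase == "request" or have_reply) and pred(txn)

def evaluate(rules, txn, have_reply):
    for action, names in rules:          # top to bottom, first match wins
        if all(acl_matches(n, txn, have_reply) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # opposite of last line

def fetch(user_name, host, reply_type):
    txn = {"user": user_name, "host": host}
    if evaluate(HTTP_ACCESS, txn, have_reply=False) == "deny":
        return "denied at request"
    txn["reply_type"] = reply_type       # reply headers arrive only now
    if evaluate(HTTP_REPLY_ACCESS, txn, have_reply=True) == "deny":
        return "denied at reply"
    return "allowed"
```

In this model the `http_access deny nosoundnovid` line never fires, so user4's audio download is stopped only by the matching http_reply_access line.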
