[squid-users] R: [squid-users] acl order

From: Riccardo Castellani <r.castellani_at_usl6.toscana.it>
Date: Fri, 14 Aug 2009 10:21:23 +0200

>those won't do anything, use http_reply_access instead of http_access,
>to deal with mime-types

I attached a "partial acl" to this email only as an example; in fact, in the real
squid.conf there is also http_reply_access to deal with mime-types.
But do you suggest using both http_access and http_reply_access, or only
the http_access directive?

> acl nosoundnovid rep_mime_type audio video

Does this acl 'rep_mime_type audio video' contain all mime types of video and audio
streams? Do I have to add 'req_mime_type audio video' too?

>are you sure that you need to filter requests instead of reply here ?

I answered you in the first point.

-----Original Message-----
From: Erwann PENCREACH [mailto:erwann.pencreach_at_ch-chaumont.fr]
Sent: Friday, August 14, 2009 8:12 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] acl order

Hi

Riccardo Castellani wrote:
> If I create these entries in squid.conf:
>
> acl wwwebay dstdomain www.ebay.com
> acl wwwcons dstdomain demo.consortium.com
> acl emmepitre url_regex ^http://.*\.mp3
> acl msnmessq req_mime_type -i ^application/x-msn-messenger$
> acl msnmessp rep_mime_type -i ^application/x-msn-messenger$
> acl audiosp rep_mime_type -i ^audio/wav$
> acl videosp req_mime_type -i ^application/x-shockwave-flash$
> acl streaming_mediap rep_mime_type ^video/x-ms-asf
> acl streaming_mediap rep_mime_type ^audio/mpeg
> acl streaming_mediap rep_mime_type ^audio/x-scpls
> acl streaming_mediap rep_mime_type ^video/x-flv
>
> http_access allow user2
> http_access allow user3

> http_access deny msnmessp
> http_access deny audiosp
> http_access deny videosp
> http_access deny streaming_mediap
>
those won't do anything, use http_reply_access instead of http_access,
to deal with mime-types

> http_access allow user1 wwwebay
> http_access allow user1 wwwcons
> http_access deny wwwebay
> http_access allow user4
> ...
> ...
> ...
> http_access allow user100
> http_access deny all
> #
> http_reply_access allow user2
> http_reply_access allow user3
> http_reply_access deny msnmessp
> http_reply_access deny audiosp
> http_reply_access deny videosp
> http_reply_access deny streaming_mediap
> http_reply_access allow all
>
>
> In this case, I'd like:
>
> user2+3 can access to everything.
> User1 can access only to www.ebay.com
> User4 to user 100 can access everything except msnmessp, audiosp, videosp,
> streaming_mediap, wwwebay, wwwcons.
>
>
> What's order on which rules are scanned from squid ?
from top to bottom
> What do you think about my schema criteria ?
- your audio and video filtering is not exhaustive, I prefer using:

acl nosoundnovid rep_mime_type audio video

- are you sure that you need to filter requests instead of reply here ?

acl msnmessq req_mime_type -i ^application/x-msn-messenger$
acl videosp req_mime_type -i ^application/x-shockwave-flash$

>
> --
> This e-mail has been scanned and is free of known viruses as of today.
> Contact your administrator for more information.
> postmaster_at_ch-chaumont.fr

Received on Fri Aug 14 2009 - 08:22:14 MDT
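
Added example, not part of the original thread and not Squid's own code: a simplified Python model of the evaluation order discussed above (top to bottom, first matching line wins), showing why the `rep_mime_type` ACLs have no effect in `http_access` and only take effect in `http_reply_access`. The names `fetch`, `evaluate`, `acl_matches` and `REPLY_BROAD` are hypothetical, `userN` is modelled as a plain name, and the `-i` flag and the remaining ACLs from the thread are left out.

```python
import re

# Subset of the thread's ACLs. userN is modelled as a plain name (assumption;
# the thread does not show how user1..user100 are defined).
ACLS = {
    "wwwebay": ("dstdomain", "www.ebay.com"),
    "audiosp": ("rep_mime_type", r"^audio/wav$"),
    "streaming_mediap": ("rep_mime_type",
        r"^video/x-ms-asf|^audio/mpeg|^audio/x-scpls|^video/x-flv"),
    "nosoundnovid": ("rep_mime_type", r"audio|video"),
}
HTTP_ACCESS = [("allow", ["user2"]), ("deny", ["audiosp"]),
               ("deny", ["streaming_mediap"]), ("allow", ["user1", "wwwebay"]),
               ("deny", ["wwwebay"]), ("allow", ["user4"]), ("deny", ["all"])]
HTTP_REPLY_ACCESS = [("allow", ["user2"]), ("deny", ["audiosp"]),
                     ("deny", ["streaming_mediap"]), ("allow", ["all"])]
# Same reply list with the broader ACL suggested in the reply.
REPLY_BROAD = [("allow", ["user2"]), ("deny", ["nosoundnovid"]), ("allow", ["all"])]

def acl_matches(name, txn):
    if name == "all":
        return True
    if name.startswith("user"):
        return txn["user"] == name
    kind, pattern = ACLS[name]
    if kind == "dstdomain":
        return txn["host"] == pattern
    # rep_mime_type tests the reply Content-Type, which does not exist yet
    # while http_access is evaluated, so it cannot match there.
    ctype = txn.get("reply_type")
    return ctype is not None and re.search(pattern, ctype) is not None

def evaluate(rules, txn):
    """Top to bottom; ACLs on a line are ANDed; the first matching line wins."""
    for action, names in rules:
        if all(acl_matches(n, txn) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

def fetch(user, host, reply_type, reply_rules=HTTP_REPLY_ACCESS):
    """Return which phase blocked the transaction, or 'delivered'."""
    request = {"user": user, "host": host}
    if evaluate(HTTP_ACCESS, request) == "deny":
        return "denied by http_access"
    reply = dict(request, reply_type=reply_type)
    if evaluate(reply_rules, reply) == "deny":
        return "denied by http_reply_access"
    return "delivered"
```

In this model `fetch("user4", "example.org", "audio/ogg")` is delivered with the thread's reply list but denied with `REPLY_BROAD`, which is the gap the reply calls "not exhaustive".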

This archive was generated by hypermail 2.2.0 : Sat Aug 15 2009 - 12:00:02 MDT