> > This should be a function of the browser and not the proxy.
>
> Maybe ideally, but the only place you are sure to be able to do
> access control is a choke-point such as a router or firewall-type
> proxy.
Agreed. for efficiency's sake, it's very desirable to have this and good
URL-based filtering in the proxy. Also, if you put a separate filter
on the back end (as I am doing), you lose the Ip address sensitivity of
the filter rules; if you put it oon the front end, all requests to your
cache appear to be coming from the same host and bypass any security
mechanisms you may have.
Putting any extra filtering *in* the cache where all the acl stuff is being
done anyway is the obvious solution. I've done this with the CERN cache
with a few dozen rewrite rules. I don't know how efficient it would
be with tens of thosuands, and I don't know if squids rewriting code can
stand up to that volume of use either. (I mean, I haven't tried it, not
that I already doubt it)
I tried out that junkbuster thing that someone mentioned here earlier today
as a possible URL filter on top of squid. It is not *nearly* as robust as
squid and won't work for our purposes. Ideally what I need is for
squid to filter URLs on the basis of the IP address of the client, with
several sets of clients all having large sets of filter rules, preferably
compiled in some way for speed
but still allowing the strength of regexps or at least wildcards.
I've been pretty busy working on other projects so haven't studied the
squid docs closely enough yet with this feature in mind; if it already does this
I won't be at all surprised!
G
Received on Tue Apr 15 1997 - 14:29:44 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:34:59 MST