http_access, icp_access, and miss_access in v1.1.10

From: Ryan Smith-Roberts <>
Date: Mon, 2 Jun 1997 20:37:51 -0701 (PDT)


Okay, I'm awfully confused now.

I have a main server,, which handles the domains and for the NLANR hierarchy since they're ixa's
customers. I would like to restrict access to the HTTP proxy port to just
those browsers coming from ixa's downstream, ICP access to all of our
cache, and ICP MISS access to anyone who's a customer be they source or

So, we have three ACLs:

customers ('src' acl)
downstream ('dst' acl)
downstream-dom ('dstdomain' acl, a fastpath for and

and the configurations:

http_access [standard stuff from the example]
http_access allow customers
http_access deny any

icp_access allow any

miss_access allow downstream-dom
miss_access allow customers
miss_access allow downstream
miss_access deny all

However, this doesn't seem to work properly for people whose Squid caches
fail the 'customers' acl. For instance, I have a squid cache at home,, who considers to be its parent. If I
remove myself from the 'customers' acl and attempt to access for instance, I get an access denied from
when attempts to resolve an ICP query through it.

However, when I change http_access to resemble miss_access, things work
just fine (even though is actually making an ICP query).

It would appear that http_access is being applied to ICP queries in
addition to standard HTTP proxy queries.

Is this how things are supposed to work?

- --
\/\ Lab.NET| Ryan Smith-Roberts <> | finger/www for
/\/ we do | "Consistency requires you to be as | PGP key
\/\ stuff | ignorant today as you were a year ago" - Bernard Berenson
         89 FC 59 49 D3 DD 20 20 54 0D B0 C5 81 32 01 CC

Version: 2.6.3i
Charset: noconv

Received on Mon Jun 02 1997 - 20:41:18 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:21 MST