http_access, icp_access, and miss_access in v1.1.10

From: Ryan Smith-Roberts <rsr@dont-contact.us>
Date: Mon, 2 Jun 1997 20:37:51 -0701 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

Okay, I'm awfully confused now.

I have a main server, squid.sea.ixa.net, which handles the domains
amazon.com and infospace.com for the NLANR hierarchy since they're ixa's
customers. I would like to restrict access to the HTTP proxy port to just
those browsers coming from ixa's downstream, ICP access to all of our
cache, and ICP MISS access to anyone who's a customer be they source or
destination.

So, we have three ACLs:

customers ('src' acl)
downstream ('dst' acl)
downstream-dom ('dstdomain' acl, a fastpath for amazon.com and
                infospace.com)

and the configurations:

http_access [standard stuff from the example]
...
http_access allow customers
http_access deny any

icp_access allow any

miss_access allow downstream-dom
miss_access allow customers
miss_access allow downstream
miss_access deny all

However, this doesn't seem to work properly for people whose Squid caches
fail the 'customers' acl. For instance, I have a squid cache at home,
squid.lab.net, who considers squid.sea.ixa.net to be its parent. If I
remove myself from the 'customers' acl and attempt to access for instance
http://www.infospace.com, I get an access denied from squid.sea.ixa.net
when squid.lab.net attempts to resolve an ICP query through it.

However, when I change http_access to resemble miss_access, things work
just fine (even though squid.lab.net is actually making an ICP query).

It would appear that http_access is being applied to ICP queries in
addition to standard HTTP proxy queries.

Is this how things are supposed to work?

- --
\/\ Lab.NET| Ryan Smith-Roberts <rsr@lab.net> | finger/www for
/\/ we do | "Consistency requires you to be as | PGP key
\/\ stuff | ignorant today as you were a year ago" - Bernard Berenson
         89 FC 59 49 D3 DD 20 20 54 0D B0 C5 81 32 01 CC

Received on Mon Jun 02 1997 - 20:41:18 MDT
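
The configuration in the message above, traced through a small model. This is an added example, not part of the original post and not Squid code. It assumes first-match rule evaluation and that a neighbour cache follows its ICP query with an ordinary HTTP request for the object on the parent's proxy port; the addresses and the REQ sample are constructed.

```python
import ipaddress

# Constructed sample ACL contents; the post does not list the real ones.
CUSTOMERS = [ipaddress.ip_network("192.0.2.0/24")]      # 'customers' (src)
DOWNSTREAM = [ipaddress.ip_network("198.51.100.0/24")]  # 'downstream' (dst)
DOWNSTREAM_DOM = ("amazon.com", "infospace.com")        # 'downstream-dom'

def in_nets(ip, nets):
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)

def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

ACLS = {
    "any": lambda r: True, "all": lambda r: True,
    "customers": lambda r: in_nets(r["src"], CUSTOMERS),
    "downstream": lambda r: in_nets(r.get("dst_ip"), DOWNSTREAM),
    "downstream-dom": lambda r: in_domains(r["host"], DOWNSTREAM_DOM),
}

# Rules as posted; the elided "[standard stuff from the example]" is left out.
POSTED = {
    "http_access": [("allow", "customers"), ("deny", "any")],
    "icp_access": [("allow", "any")],
    "miss_access": [("allow", "downstream-dom"), ("allow", "customers"),
                    ("allow", "downstream"), ("deny", "all")],
}
# The change the post reports as working: http_access resembles miss_access.
CHANGED = dict(POSTED, http_access=POSTED["miss_access"])

def check(rules, directive, req):
    """First matching rule decides (model assumption)."""
    for action, acl in rules[directive]:
        if ACLS[acl](req):
            return action
    return "deny"  # not reached here: every list ends in a catch-all rule

def peer_fetch(rules, req):
    """Trace a neighbour: ICP query, then the HTTP fetch of a missing object."""
    trace = [("icp_access", check(rules, "icp_access", req))]
    if trace[-1][1] == "allow":
        trace.append(("http_access", check(rules, "http_access", req)))
    if trace[-1][1] == "allow":
        trace.append(("miss_access", check(rules, "miss_access", req)))
    return trace

# Constructed request: a non-customer cache asking for www.infospace.com.
REQ = {"src": "203.0.113.7", "host": "www.infospace.com", "dst_ip": None}
```

In this model the posted rules answer the ICP query but stop the follow-up fetch at http_access, while the changed rules let the same request through all three lists.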
