Re: Need to know more about ACLs

From: Henrik Nordstrom <>
Date: Sun, 24 Oct 1999 00:50:47 +0200

Ken Wolff wrote:

> If I had 2 IPs that could get anywhere, then would I have 2 "Power" lines
> as in...
> acl Power src
> acl Power src

Not quite.

The syntax is

so both of the above match any source address (zero netmask).

Single IP addresses can be expressed without the netmask part, as in
acl Power src

The whole network can be expressed as
acl SomeNetwork src

> If I had 3 IPs that get to some places...
> acl People src
> acl People src

Again no.

src* type ACLs match the client IP address.

dst* type ACLs match the destination. Most of the time when matching
destinations you use the dstdomain ACL for matching the host name part of
the URL.

The logic of http_access is like


A little bit bigger example with explanations:

# "all" matches everything/everyone
acl all src

# PowerUsers matches IP addresses of power users
acl PowerUsers src

# RestrictedUsers matches IP addresses of users with
# limited access
acl RestrictedUsers src

# RestrictedSites matches IP addresses of sites where
# RestrictedUsers should have access.
acl RestrictedSites dst

# Allow PowerUsers full access
http_access allow PowerUsers

# Allow RestrictedUsers access to only RestrictedSites
http_access allow RestrictedUsers RestrictedSites

# Deny access to everything not allowed above.
http_access deny all

Henrik Nordstrom
Squid hacker
Received on Sat Oct 23 1999 - 17:07:14 MDT
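The acl / http_access evaluation described in the mail, as an added example (not Squid's own code nor part of the original message): a small evaluator that reads src, dst and dstdomain ACLs plus http_access lines and applies first-match logic with all terms on a line ANDed. The addresses in CONFIG are constructed placeholders from documentation ranges, and the fallback when no line matches (opposite of the last line's action) is assumed from Squid's documented behaviour.

```python
# Toy evaluator for Squid-style acl / http_access lines (added example, not
# Squid's own code). Assumed semantics: src/dst take CIDR or dotted-netmask
# networks, dstdomain takes host names (leading "." = whole domain), "!" negates
# a term, terms on one http_access line are ANDed, the first matching line wins,
# and a request matching no line gets the opposite of the last line's action.
import ipaddress

def parse_config(text):
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        # strict=False so "10.0.0.1/0.0.0.0" parses: a zero netmask yields the
        # network 0.0.0.0/0, which contains every address (the pitfall above)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        return any(req["host"] == v.lstrip(".") or
                   (v.startswith(".") and req["host"].endswith(v)) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def decide(config, req):
    acls, rules = parse_config(config)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    # nothing matched: apply the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed config mirroring the mail's example (documentation ranges only)
CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl PowerUsers src 192.0.2.10 192.0.2.11
acl RestrictedUsers src 192.0.2.0/24
acl RestrictedSites dst 198.51.100.0/24
http_access allow PowerUsers
http_access allow RestrictedUsers RestrictedSites
http_access deny all
"""
```

Note that PowerUsers overlaps RestrictedUsers, so the order of the two allow lines is what gives power users unrestricted access; swapping them would not break anything here, but placing "deny all" first would deny everyone.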
