Re: [SQU] acl allow and deny, is it order dependent?

From: Mark Worsdall <squid@dont-contact.us>
Date: Tue, 17 Oct 2000 22:48:05 +0100

Hi,

>> acl deniedsites url_regex "/usr/local/etc/squid/squid-deny.txt"
>> acl allowedsites url_regex "/usr/local/etc/squid/squid-allow.txt"
>> acl porn url_regex "/usr/local/etc/squid/porn.block.txt"
>> acl noporn url_regex "/usr/local/etc/squid/porn.unblock.txt"
>> acl okTime time MTWHF 09:00-18:30
>> acl weTime time AS 00:00-23:59
>> acl amTime time MTWHF 00:00-08:59
>> acl pmTime time MTWHF 18:30-23:59
>> acl password proxy_auth 300
>> http_access deny deniedsites
>> http_access allow allowedsites
>> http_access allow noporn all
>> http_access deny porn
>> http_access deny amTime
>> http_access deny pmTime
>> http_access deny weTime
>> http_access allow okTime
>> http_access allow password
>> http_access allow all
>
>You try to implement AND inclusions with OR rules. Remember: rules in
>squid.conf are AND composited if they are in different lines. They are OR
>composited if they are in one line.
>
>Also remember the fact, that you can use !A OR B for the boolean implication
>A -> B.
>I try to translate your conditions:
># what I wanted was to get authentication if trying to access the internet
># within the correct time.
># So (rules changed today by my boss), allow internet access between 9am
># and 6.30pm weekdays, if they have authenticated themselves correctly.
># this means:
># okTime AND password AND all -> ALLOW
># translated : okTime OR password OR allow OR all
>http_access allow okTime password all
>
># Do not allow access if they fail to enter a valid password
># this means:
># all AND !password -> DENY
>http_access deny !password all
>
># Do not allow access if outside the above time
># this means:
># all AND !okTime -> DENY
>http_access deny all !oktime
>
>I would suggest a shorter version:
>http_access allow all okTime password
>http_access deny all
>
>
>I hope that I did not confuse you too much :)
>
I am in pain, but still here :-) The last bit raised the stakes.

The following then would do the job:-

http_access deny deniedsites
http_access allow allowedsites
http_access allow noporn all
http_access deny porn
http_access allow all okTime password
http_access deny all

Meaning there is no need for:-

acl weTime time AS 00:00-23:59
acl amTime time MTWHF 00:00-08:59
acl pmTime time MTWHF 18:30-23:59

Boy, if only there were a script to translate the acl and http_access
parts of squid.conf into newbie language.

M.

-- 
He came from Econet - Oh no, I've run out of underpants :(
Home:- jaydee@wizdom.org.uk       http://www.wizdom.org.uk
Shadow:- webmaster@shadow.org.uk  http://www.shadow.org.uk
Work:- netman@hinwick.demon.co.uk http://www.hinwick.demon.co.uk
Web site Monitoring:-             http://www.shadow.org.uk/SiteSight/
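Since the thread turns on how Squid combines ACLs, here is a small model of the evaluation, added as an example and not part of the original post or of Squid itself. Squid ANDs every ACL named on one http_access line, checks the lines top to bottom, and lets the first fully matching line decide; if no line matches, the default is the opposite of the last line's action. The rule set is the final one from the reply above; the URL patterns standing in for the regex files, and the sample requests, are constructed for the example.

```python
"""Model of Squid http_access evaluation (added example, not Squid code)."""
import re
from datetime import datetime

# Constructed stand-ins for the url_regex files named in the post.
URL_LISTS = {
    "deniedsites": [r"^http://badsite\.example/"],
    "allowedsites": [r"^http://intranet\.example/"],
    "porn": [r"adult"],
    "noporn": [r"^http://health\.example/adult-education"],
}

def url_regex(name):
    """Build a url_regex ACL: true if any pattern matches the request URL."""
    patterns = [re.compile(p) for p in URL_LISTS[name]]
    return lambda req: any(p.search(req["url"]) for p in patterns)

def time_acl(days, start, end):
    """Build a time ACL. Squid day letters: S M T W H F A = Sun..Sat."""
    day_map = "SMTWHFA"
    def match(req):
        t = req["time"]
        # Python weekday() has Monday=0, Squid's table starts on Sunday.
        if day_map[(t.weekday() + 1) % 7] not in days:
            return False
        return start <= t.strftime("%H:%M") <= end
    return match

ACLS = {
    "deniedsites": url_regex("deniedsites"),
    "allowedsites": url_regex("allowedsites"),
    "porn": url_regex("porn"),
    "noporn": url_regex("noporn"),
    "okTime": time_acl("MTWHF", "09:00", "18:30"),
    "password": lambda req: req["authenticated"],  # stands in for proxy_auth
    "all": lambda req: True,
}

# The http_access lines from the reply, in the order Squid reads them.
HTTP_ACCESS = [
    ("deny", ["deniedsites"]),
    ("allow", ["allowedsites"]),
    ("allow", ["noporn", "all"]),
    ("deny", ["porn"]),
    ("allow", ["all", "okTime", "password"]),
    ("deny", ["all"]),
]

def evaluate(rules, req):
    """Return 'allow' or 'deny' the way Squid would for this request."""
    for action, terms in rules:
        matched = True
        for term in terms:           # every term on a line must match (AND)
            negate = term.startswith("!")
            hit = ACLS[term.lstrip("!")](req)
            if hit == negate:        # plain term missed, or !term hit
                matched = False
                break
        if matched:                  # first matching line wins (OR of lines)
            return action
    # Nothing matched: Squid uses the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def request(url, when, authenticated):
    """Constructed request: URL, wall-clock time, proxy_auth result."""
    return {"url": url, "time": when, "authenticated": authenticated}

if __name__ == "__main__":
    office_hours = datetime(2000, 10, 17, 10, 0)   # a Tuesday morning
    print(evaluate(HTTP_ACCESS, request("http://news.example/", office_hours, True)))
```

The model also shows why the three extra time ACLs were unnecessary: once `allow all okTime password` is followed by `deny all`, every request outside okTime or without a password falls through to the deny line, and the trailing `deny all` also removes the surprise of Squid's "opposite of the last line" default.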
Received on Tue Oct 17 2000 - 15:52:58 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:46 MST