Re: [SQU] acl allow and deny, is it order dependent?

From: Dr. Michael Weller <eowmob@dont-contact.us>
Date: Tue, 17 Oct 2000 10:58:38 +0200 (MESZ)

On Mon, 16 Oct 2000, Mark Worsdall wrote:

> Hi,
>
> Can anyone explain the order/precedence of allow and deny.
>
> i.e. if I have denied a time 1st but after that have an allow time,
> should not the allow override the deny time?

I definitely won't call myself an experienced squid user.

But AFAIK I read in the manual that the 'rules' apply in the order of
occurrence in the configuration file plus the rule that there is an
implicit allow/deny (exactly the opposite of the last command) all at the
end of the rules added by squid.

Even if it seems odd to you, this gives you the highest flexibility.
You decide about the order when writing the config file. Finally IMHO
it follows the rule of the least surprise too.

In your configuration I don't understand some things:
a) Is deniedsites exactly equal to !allowedsites? If so:

     http_access deny deniedsites
     http_access allow allowedsites

   is superfluous. Only the first line would suffice. Furthermore,
   allowedsites are completely allowed w/o time and password checking.
   This might be intentional.. but from your question I don't think so.

   Same for porn/noporn.

b) http_access allow password
   would allow all people with a password. It won't check any time limits
   or porn restrictions. Maybe you intended:
   http_access deny !password
   ?

c) If the time windows add together to 24h what I said in a) applies as
   well here. Also in the explicitly allowed time windows porn can be
   downloaded.

You should think of the rules as a little program. Squid runs through them
and every deny clause definitely rejects a request, every allow breaks out
of the program and allows it and some default applies at the end of the
program (although it is good practice to have a catch all rule at the end
for readability).

Well, as I said, I'm a complete squid newbie (but I just read the
documentation carefully), so if I'm mistaken, please bear with me and just
correct me.

Michael.

--
Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
any machine in the net, it's very likely it's me.
Received on Tue Oct 17 2000 - 22:34:40 MDT
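The "little program" reading of http_access that Michael describes above, worked through as an added example (this is illustrative Python, not Squid's code or anything from the thread). It models the semantics he quotes from the manual: lines are tried top to bottom, every ACL on one line must match, the first matching line decides, and when nothing matches the implicit default is the opposite of the last line's action. The ACL names come from the thread; the sites, the time window and the two configs are constructed here to show points (a) and (b) side by side.

```python
"""Toy model of how Squid walks its http_access list (an added illustration,
not Squid's own code).  Semantics modelled, as the mail describes them:
rules are tried top to bottom, all ACLs on one line must match (AND), the
first matching line decides, and if no line matches the default is the
opposite of the last line's action."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    site: str
    hour: int           # 0..23, local time
    has_password: bool  # whether proxy authentication succeeded


# Constructed ACL definitions standing in for the poster's acl lines.  The
# names (allowedsites, deniedsites, porn, password) come from the thread; the
# member sites and the time window are made up for this example.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "allowedsites": lambda r: r.site in {"work.example", "docs.example"},
    "deniedsites":  lambda r: r.site == "banned.example",
    "porn":         lambda r: r.site.startswith("adult."),
    "password":     lambda r: r.has_password,
    "worktime":     lambda r: 9 <= r.hour < 17,
}

Rule = Tuple[str, List[str]]


def parse_http_access(conf: str) -> List[Rule]:
    """Pull (action, [acl, ...]) pairs out of squid.conf-style text.
    Comments and non-http_access lines are ignored."""
    rules: List[Rule] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("http_access"):
            continue
        _, action, *acls = line.split()
        if action not in ("allow", "deny") or not acls:
            raise ValueError(f"bad http_access line: {raw!r}")
        rules.append((action, acls))
    return rules


def acl_matches(name: str, req: Request) -> bool:
    """A leading '!' negates the ACL, as in squid.conf."""
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def default_action(rules: List[Rule]) -> str:
    """Squid's implicit final rule: the opposite of the last explicit one."""
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def http_access(rules: List[Rule], req: Request) -> str:
    """Return 'allow' or 'deny' for req under the given rule list."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action  # first matching line wins; later lines never run
    return default_action(rules)


# Roughly the ordering the mail is reacting to (constructed).
LOOSE_CONF = """
http_access deny deniedsites
http_access allow allowedsites   # (a) allowed sites skip every later check
http_access allow password       # (b) a password skips the porn and time checks
http_access deny porn
http_access allow worktime
"""

# The same ACLs with 'deny !password' in place of 'allow password', and the
# deny lines moved in front of the allow lines (constructed).
TIGHT_CONF = """
http_access deny deniedsites
http_access deny !password       # the mail's suggested replacement
http_access deny porn
http_access allow allowedsites
http_access allow worktime
"""

LOOSE = parse_http_access(LOOSE_CONF)
TIGHT = parse_http_access(TIGHT_CONF)

if __name__ == "__main__":
    samples = [
        Request("adult.example", 10, True),   # password holder, porn site
        Request("other.example", 20, True),   # password holder, after hours
        Request("work.example", 3, False),    # allowed site, no password, night
    ]
    for req in samples:
        print(req, "loose:", http_access(LOOSE, req),
              "tight:", http_access(TIGHT, req))
```

Running it shows the three effects the mail lists: under LOOSE a password holder reaches adult.example (the `deny porn` line is never consulted), an allowed site is served at 3 am with no password, and a password holder outside the time window is allowed outright; under TIGHT those become deny, deny and a fall-through to the implicit default, which is deny because the last explicit line is an allow.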
