Re: [SQU] ACL issue

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 15 Feb 2001 23:27:32 +0100

Ben Kadish wrote:
>
> Hello all,
>
> I can't seem to get my ACLs in order. I'm trying to accomplish the
> following: I want a very specific list of clients restricted from
> requesting anything other than what I want, and going through the same port
> as the rest of the world. Using an older version of Squid, we were running
> two processes with separate ports and separate config files, but this
> version doesn't want to let me run multiple instances (and why administer
> something in two places when you don't have to). Below are the relevant
> excerpts from my squid.conf file:
>
> acl alldst dst 0.0.0.0/0.0.0.0
> acl Denied src 172.16.29.2/255.255.0.0
>
> acl industrylinks1 dst www.ab-europe.co.uk www.acula.com [...]
> acl industrylinks2 dst [...]
> http_access allow industrylinks1 Denied
> http_access allow industrylinks2 Denied
> http_access deny alldst Denied
> http_access deny all (last "http_access" line)

And what problems do you have?

Recommendations:
a) Consider using the dstdomain ACL instead of dst.

acl industrylinks1 dstdomain .ab-europe.co.uk .acula.com [...]

(the .domain.name notation is to include all under the domain, not only
www.)

dstdomain is both faster and more reliable than dst.

b) You do not actually need the alldst acl type. The ruleset will be the
same without it except that it performs better... (especially so if you
have parents in the mix)

--
Henrik Nordstrom
Squid hacker
Received on Thu Feb 15 2001 - 15:33:19 MST
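
An added example, not part of the original message and not Squid code: a simplified Python model of http_access evaluation, run over the posted rules with and without alldst, using the dstdomain form from recommendation a). The `all` ACL definition, the resolver's constructed address and the lookup counter are assumptions of the model; the counter stands in for the destination lookup a dst ACL needs before it can be tested.

```python
import ipaddress

# Simplified model of Squid's http_access evaluation (a sketch, not Squid code).
# ACLs come from the posted excerpt; the "[...]" lists are left out.
# "all" is assumed to be defined as in the stock squid.conf of that era.
ACLS = {
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "alldst": ("dst", ["0.0.0.0/0.0.0.0"]),
    "Denied": ("src", ["172.16.29.2/255.255.0.0"]),
    "industrylinks1": ("dstdomain", [".ab-europe.co.uk", ".acula.com"]),
}
# The posted rule order, and the same rules with recommendation b) applied.
WITH_ALLDST = [("allow", ["industrylinks1", "Denied"]),
               ("deny", ["alldst", "Denied"]),
               ("deny", ["all"])]
WITHOUT_ALLDST = [("allow", ["industrylinks1", "Denied"]),
                  ("deny", ["Denied"]),
                  ("deny", ["all"])]

def matches(name, client, host, resolve):
    kind, values = ACLS[name]
    if kind == "dstdomain":
        # ".acula.com" matches acula.com and every host below it.
        host = host.lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    # src tests the client address; dst needs the destination resolved first.
    ip = ipaddress.ip_address(client if kind == "src" else resolve(host))
    # strict=False lets ipaddress accept an address with host bits plus a netmask.
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)

def http_access(rules, client, host):
    """Return (decision, number of destination lookups the rules triggered)."""
    lookups = []
    def resolve(h):
        lookups.append(h)
        return "192.0.2.1"  # constructed answer; alldst matches any address
    for action, names in rules:
        # ACLs on one line are ANDed left to right; the first matching line decides.
        if all(matches(n, client, host, resolve) for n in names):
            return action, len(lookups)
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow" if rules[-1][0] == "deny" else "deny"), len(lookups)

if __name__ == "__main__":
    for host in ("www.acula.com", "ftp.acula.com", "www.example.com"):
        print(host, http_access(WITH_ALLDST, "172.16.29.2", host),
              http_access(WITHOUT_ALLDST, "172.16.29.2", host))
```

Both rulesets return the same decision for every request; only the one with alldst triggers a destination lookup on requests that fall through the first line.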
