Re: [squid-users] Problem with dstdomain

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 31 Oct 2001 18:48:50 +0100

Nicole Haehnel wrote:

> we're having a problem with dstdomain and http_access.
> We only allow some domains to be accessed by the users,
> but if we want to allow an ip address instead of a domain name
> it's not working anymore.

> Why do users get denied, if they try to access the ip?

Because when Squid matches a dstdomain ACL and sees an IP in the URL
(not the acl), it does a reverse lookup of the IP. If the IP has a
reverse lookup registered, then the registered name is used for dstdomain
processing. This is to limit the possibility for users to bypass dstdomain
rules by instead using the site's IP addresses.

If you do not want Squid to play with reverse lookups of IP addresses,
then you can use the url_regex ACL type instead.

acl special_ip_site url_regex ^http://149\.239\.160\.196(/|$)
http_access allow surf_small special_ip_site

Regards
Henrik Nordström
Squid Hacker
Received on Wed Oct 31 2001 - 10:59:36 MST
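
Added example (not part of the original message, and not Squid code): a Python check of how a url_regex allow pattern for a literal IP behaves on constructed URLs, comparing a pattern whose trailing group can match the empty string with one that ends the host at "/" or end of string. Python's re module stands in for Squid's regex matching as an assumption; the sample URLs, expected verdicts and function names are made up here, and only the IP address comes from the message.

```python
import re

# Two candidate allow patterns for the site addressed by IP.
PREFIX = r"^http://149\.239\.160\.196(/|)"     # group may match nothing: a pure prefix test
ANCHORED = r"^http://149\.239\.160\.196(/|$)"  # host must be followed by "/" or end of URL

# Constructed sample URLs with the verdict the administrator intends
# (True = this is the special site and should be allowed by the ACL).
SAMPLES = [
    ("http://149.239.160.196/", True),
    ("http://149.239.160.196", True),
    ("http://149.239.160.196/index.html", True),
    ("http://149.239.160.196.example.com/", False),  # IP used as hostname labels
    ("http://149.239.160.196:8080/", False),         # same IP, different port
    ("https://149.239.160.196/", False),             # different scheme
]


def overmatches(pattern, samples=SAMPLES):
    """URLs the pattern allows although they are not the intended site."""
    rx = re.compile(pattern)
    # url_regex is an unanchored search unless the pattern anchors itself,
    # so re.search (not re.match/fullmatch) is the closest equivalent.
    return [url for url, intended in samples if not intended and rx.search(url)]


def undermatches(pattern, samples=SAMPLES):
    """Intended URLs the pattern fails to allow."""
    rx = re.compile(pattern)
    return [url for url, intended in samples if intended and not rx.search(url)]


def report(name, pattern):
    """Print a short audit of one pattern against the sample set."""
    over, under = overmatches(pattern), undermatches(pattern)
    print(f"{name}: {pattern}")
    for url in over:
        print(f"  allows unintended URL: {url}")
    for url in under:
        print(f"  misses intended URL:   {url}")
    if not over and not under:
        print("  matches exactly the intended URLs in the sample set")


if __name__ == "__main__":
    report("prefix", PREFIX)
    report("anchored", ANCHORED)
```

Running the same kind of sample set against any allow-by-regex ACL before deploying it shows whether the rule is wider than the site it was written for.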