Re: [squid-users] R: [squid-users] Blocking sites on IP address

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 7 Jan 2002 21:52:52 +0100

On Monday 07 January 2002 20.43, Allan Lyons wrote:

> The short answer is maybe. With name based virtual hosting, there might
> be many web sites that share the same IP address. The server "knows"
> which site to return since the site name is supposed to be included with
> the request. If this is the case with the site you are trying to
> block, then the site won't normally be reachable by using the IP since
> the server won't know which site the user is trying to access. (In this
> case, Apache seems to default to the first site found in its config
> file.)
>
> On the other hand, more popular sites will have multiple IPs with the
> same name since there are multiple servers. If you are trying to block
> one of these by IP number, you will have to make sure that you include
> all of the IP numbers. For example, today www.cnn.com and
> www.hotmail.com both have 6 IP numbers each.

What Squid does to help you is that if the client is requesting an IP
address AND the site has registered the reverse DNS lookup of their IP to
return the site name, then Squid will use the site name in the ACL check
even if the client requested by IP.

If the site hasn't registered the reverse DNS lookup of their IP
address(es), or it is registered as something else, then this obviously is
of no help to Squid domain based access controls (dstdomain) and you will
need to use IP based access controls (dst) listing all possible IP
addresses you want to block access to.

-- 
MARA Systems AB, Giving you basic free Squid support
Customized solutions, packaged solutions and priority support
available on request
Received on Mon Jan 07 2002 - 14:20:17 MST
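
Added example, not part of the original message: a Python sketch that takes a site to be blocked, checks which of its addresses have reverse DNS matching the dstdomain pattern, and lists the remaining addresses for a dst ACL, as the reply describes. The ACL names blocked_dom and blocked_ip, the host names and the 192.0.2.x addresses are constructed, and the sample lookup functions stand in for real DNS.

```python
import socket

def forward_ips(name, lookup=socket.gethostbyname_ex):
    """Every IPv4 address currently published for the name."""
    return sorted(set(lookup(name)[2]))

def ptr_name(ip, lookup=socket.gethostbyaddr):
    """Reverse DNS name for ip, or None when no PTR record is registered."""
    try:
        return lookup(ip)[0].rstrip(".").lower()
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def dstdomain_match(host, pattern):
    """Squid dstdomain rule: '.example.com' also covers subdomains."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def plan_acls(name, pattern, fwd=socket.gethostbyname_ex, rev=socket.gethostbyaddr):
    """Split the site's IPs by whether reverse DNS lets dstdomain catch them."""
    covered, needs_dst = [], []
    for ip in forward_ips(name, fwd):
        ptr = ptr_name(ip, rev)
        (covered if ptr and dstdomain_match(ptr, pattern) else needs_dst).append(ip)
    conf = [f"acl blocked_dom dstdomain {pattern}", "http_access deny blocked_dom"]
    if needs_dst:  # addresses with a missing or unrelated PTR need a dst ACL
        conf += ["acl blocked_ip dst " + " ".join(needs_dst),
                 "http_access deny blocked_ip"]
    return covered, needs_dst, conf

# Constructed sample data (documentation address range), standing in for DNS.
SAMPLE_A = {"www.example.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}
SAMPLE_PTR = {"192.0.2.10": "www.example.com",
              "192.0.2.11": "host11.hosting.example.net"}

def sample_fwd(name):
    return (name, [], SAMPLE_A[name])

def sample_rev(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return (SAMPLE_PTR[ip], [], [ip])

if __name__ == "__main__":
    covered, needs_dst, conf = plan_acls("www.example.com", ".example.com",
                                         sample_fwd, sample_rev)
    print("caught by dstdomain via reverse DNS:", covered)
    print("need an explicit dst entry:", needs_dst)
    print("\n".join(conf))
```

Called without the sample functions, plan_acls uses the system resolver; since a site's address list can change, the dst line has to be regenerated periodically.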
