Re: [squid-users] Access restrictions for accelerator mode / hosts line?

From: Karl Pielorz <kpielorz@dont-contact.us>
Date: Tue, 11 Feb 2003 10:55:42 +0000

--On 11 February 2003 21:10 +1100 Robert Collins <robertc@squid-cache.org>
wrote:

> ...
> default rules here
> ...
>
> acl mybackend dst 192.168.50.50
> http_access allow mybackend
> http_access deny all
>
> Rob

This nets a "The requested URL could not be retrieved ... Access Denied"
being sent back to the client.

At the moment, I have www2.examplesite.com pointing to the accelerator -
and I'm using a director to re-write that to 'www.examplesite.com' (So I
can leave the original server alone until the accelerator is sorted out - I
should have said that before).

If I add:

acl mybackend dst 10.0.0.1 <- IP address of the accelerator
                              i.e. that www2.examplesite.com points to

It seems to work Ok.

If I submit a fake 'GET' with a host: header of www.intel.com - I get an
access denied back.

One interesting thing (which may have been tripping me up before) - If I
get the redirector code to change 'www2.examplesite.com' into
'www.intel.com' - Squid will honor the request, and go fetch intel's page -
even though a faked:

GET / HTTP/1.1
Host: www.intel.com

Nets an "Access Denied" response to the client. This would seem to indicate
that the ACL is applied before the headers are passed through the
redirector.

I think the end result is safe enough though. Thanks for your gentle guide
back in the right direction :)

Regards,

-Karl
Received on Tue Feb 11 2003 - 03:55:22 MST
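
Added example, not part of the original message and not code from Squid or from either poster: given the ordering observed above (http_access is checked before the redirector's rewrite), the redirector helper is the last place the destination can be constrained, so this sketch refuses to emit any URL outside an allowlist. It assumes the Squid 2.x redirector line format ("URL client_ip/fqdn ident method", empty reply meaning "unchanged"); the REWRITE and ALLOWED_BACKENDS tables are hypothetical and use the hostnames from the message.

```python
import sys
from urllib.parse import urlsplit, urlunsplit

# Assumed mapping, taken from the hostnames in the message above.
REWRITE = {"www2.examplesite.com": "www.examplesite.com"}
# Hosts this helper may ever send Squid to (hypothetical allowlist).
ALLOWED_BACKENDS = {"www.examplesite.com"}


def rewrite(line: str) -> str:
    """Return the redirector reply for one request line.

    Squid 2.x writes "URL client_ip/fqdn ident method" per request and
    reads back a replacement URL, or an empty line meaning "unchanged".
    """
    fields = line.split()
    if not fields:
        return ""
    try:
        parts = urlsplit(fields[0])
        host = (parts.hostname or "").lower()  # ignores any user@ prefix
        port = parts.port
    except ValueError:  # malformed port or bracketed host
        return ""
    target = REWRITE.get(host)
    # http_access has already run by now, so nothing downstream will veto
    # the rewritten destination: enforce the allowlist here instead.
    if target is None or target not in ALLOWED_BACKENDS:
        return ""
    netloc = target if port in (None, 80) else f"{target}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

An empty reply leaves the request on the URL that http_access already evaluated, so a bad table entry fails closed to the existing ACL decision.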
