Re: [squid-users] url_regex & acceleration mode

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 10 Mar 2003 16:43:35 +0100

Mon 2003-03-10 at 15.51, Hawk wrote:
> Sorry for boring you again... these are my confs:
>
> acl vdlhttp url_regex -i www.mysite.com/vdl dst_port 80

this matches case sensitive URL having any of the substrings "www[any
character]mysite[any character]com/vdl", "dst_port" or "80" in them.
Probably not what you want..

> http_access deny vdlhttp
> http_access allow all
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_single_host off
> httpd_accel_uses_host_header on
>
> with this configuration both https & http for that sites are denied

what you want is

acl vdl urlpath_regex ^/vdl
acl mysite dstdomain www.mysite.com
acl http_port_80 myport 80
http_access deny mysite vdl http_port_80

Another important note:

You do not want to run an accelerator with "http_access allow all".. You
MUST set up access controls on which destinations may be reached via the
accelerator. If not, your accelerator can easily be abused as an open
proxy, bouncing via the accelerator to any server on the Internet. It
is only a matter of minutes before such an openly configured accelerator is
found and abused by hackers for purposes you absolutely have not
intended when setting up the accelerator..

Instead of http_access allow all you want something like this in an
accelerator:

acl my_sites dstdomain www.mysite.com www.myothersite.com ...
acl port80 port 80
acl http protocol http
http_access allow my_sites http port80

If the list of sites is long use an include file

acl my_sites dstdomain "/path/to/accelerated_sites.txt"

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Mon Mar 10 2003 - 08:43:43 MST
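
An added example, not part of the original message and not Squid's own matching code: a simplified Python model of how the quoted url_regex ACL and the suggested replacement evaluate a few constructed URLs. It assumes the URL scheme stands in for the port the request arrived on (the myport check); the function names and sample URLs are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests; none of them come from the thread.
SAMPLES = [
    "http://www.mysite.com/vdl/index.html",
    "https://www.mysite.com/vdl/index.html",
    "http://www.mysite.com/news/2003/80.html",
    "http://wwwXmysiteYcom/vdl",
    "http://www.myothersite.com/vdl/",
]

def url_regex_acl(tokens, url, ignore_case=False):
    """Model of a url_regex ACL: each whitespace-separated token is its own
    regex, and the ACL matches if any of them is found anywhere in the URL."""
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(tok, url, flags) for tok in tokens.split())

def original_denies(url):
    # acl vdlhttp url_regex -i www.mysite.com/vdl dst_port 80
    # http_access deny vdlhttp
    return url_regex_acl("www.mysite.com/vdl dst_port 80", url, ignore_case=True)

def corrected_denies(url):
    # http_access deny mysite vdl http_port_80
    # ACLs on one http_access line are ANDed: all three must match.
    parts = urlsplit(url)
    arrived_on = 443 if parts.scheme == "https" else 80      # assumption: models myport
    mysite = parts.hostname == "www.mysite.com"               # dstdomain www.mysite.com
    vdl = re.search(r"^/vdl", parts.path) is not None         # urlpath_regex ^/vdl
    return mysite and vdl and arrived_on == 80                # myport 80

def compare(urls=SAMPLES):
    """Return (url, denied_by_original, denied_by_corrected) for each URL."""
    return [(u, original_denies(u), corrected_denies(u)) for u in urls]

if __name__ == "__main__":
    for url, old, new in compare():
        print(f"{url:45} original={'DENY' if old else 'pass'}"
              f"  corrected={'DENY' if new else 'pass'}")
```

The third and fourth sample URLs show the over-matching: the stray "80" token and the unescaped dots each deny a request that has nothing to do with /vdl on www.mysite.com.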
