Re: [squid-users] url_regex & acceleration mode

From: Hawk <black.hawk@dont-contact.us>
Date: Mon, 10 Mar 2003 16:58:30 +0100

Henrik,

it doesn't work :-(

Anyway, I forgot to paste these acl lines:

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny vdlsite vdlhttp http_port_80
http_access allow all

This is because this squid should be my accelerator for my internet web sites.

However, changing the conf as you told me doesn't work yet.

In this way www.mysite.com/vdl is never blocked (http or https).

Thanks

Rick

At 16.43 10/03/2003, Henrik Nordstrom wrote:
>Mon 2003-03-10 at 15.51, Hawk wrote:
> > Sorry for boring you again... this is my conf:
> >
> > acl vdlhttp url_regex -i www.mysite.com/vdl dst_port 80
>
>this matches case sensitive URL having any of the substrings "www[any
>character]mysite[any character]com/vdl", "dst_port" or "80" in them.
>Probably not what you want..
>
> > http_access deny vdlhttp
> > http_access allow all
> > httpd_accel_port 80
> > httpd_accel_host virtual
> > httpd_accel_single_host off
> > httpd_accel_uses_host_header on
> >
> > with this configuration both https & http for that site are denied
>
>
>what you want is
>
>acl vdl urlpath_regex ^/vdl
>acl mysite dstdomain www.mysite.com
>acl http_port_80 myport 80
>http_access deny mysite vdl http_port_80
>
>
>Another important note:
>
>You do not want to run an accelerator with "http_access allow all".. You
>MUST set up access controls on which destinations may be reached via the
>accelerator. If not your accelerator can easily be abused as an open
>proxy, bouncing via the accelerator to any server on the Internet. It
>is only a matter of minutes before such an openly configured accelerator is
>found and abused by hackers for purposes you absolutely have not
>intended when setting up the accelerator..
>
>Instead of http_access allow all you want something like this in an
>accelerator:
>
>acl my_sites dstdomain www.mysite.com www.myothersite.com ...
>acl port80 port 80
>acl http protocol http
>http_access allow my_sites http port80
>
>
>If the list of sites is long use an include file
>
>acl my_sites dstdomain "/path/to/accelerated_sites.txt"
>
>
>--
>Henrik Nordstrom <hno@squid-cache.org>
>MARA Systems AB, Sweden
Received on Mon Mar 10 2003 - 08:58:52 MST
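
Added example (not part of the original thread, and not Squid's own code): a small Python model of how http_access lines are walked, run against the catch-all "allow all" rule and the allow-list rule from the reply. The ACL names come from the thread; the simplified matching functions and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# ACL names mirror the thread; matching is simplified (exact host names only).
ACLS = {
    "all":      lambda r: True,
    "my_sites": lambda r: r["host"] in {"www.mysite.com", "www.myothersite.com"},
    "port80":   lambda r: r["port"] == 80,
    "http":     lambda r: r["scheme"] == "http",
}

OPEN_RULES = ["allow all"]                     # catch-all from the posted config
LOCKED_RULES = ["allow my_sites http port80"]  # allow-list suggested in the reply

# Constructed sample URLs, as the accelerator would see them after rebuilding
# the request URL from the Host header.
SAMPLES = [
    "http://www.mysite.com/index.html",
    "http://third-party.example/",
    "http://www.mysite.com:8080/admin",
    "https://www.mysite.com/",
]

def parse_request(url):
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme, 0)
    return {"scheme": u.scheme, "host": (u.hostname or "").lower(), "port": port}

def http_access(rules, url):
    """Return 'allow' or 'deny' for url under an ordered list of rules."""
    req = parse_request(url)
    action = "allow"  # model choice: an empty rule list ends up as deny
    for line in rules:
        action, *names = line.split()
        # A line matches only if every ACL on it matches (AND); "!" negates.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action  # first matching line wins
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

def audit(rules, urls=SAMPLES):
    """Map each sample URL to the decision the rule list produces."""
    return {u: http_access(rules, u) for u in urls}

if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        for url, verdict in audit(rules).items():
            print(f"{name:7} {verdict:6} {url}")
```

The fall-through branch is also why a rule list that ends in a deny line implicitly allows everything it did not match, so ending the list with an explicit "http_access deny all" removes the guesswork.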
