Re: [squid-users] Peer Review of my ACL's

From: Henrik Nordstrom <>
Date: Wed, 25 Feb 2004 17:25:06 +0100 (CET)

On Wed, 25 Feb 2004, Eric Kahklen wrote:

> As I understand ACL's, squid uses OR logic when checking the ACL
> values. Squid only searches until it finds a match in the ACL then
> stops. The access rules are different, they use AND logic and combine
> all the ACL's in the list. If none of the access rules are matched, the
> default response is the exact opposite of the last rule.


> So for example:
> acl mynetwork src
> http_access allow mynetwork
> This would only allow the subnet, and by default it would
> DENY anything else since it wouldn't match the acl - mynetwork.


> I got confused by one in Wessels book:
> acl All src 0/0
> acl Bob ident bob
> http_access allow Bob
> http_access deny All
> First if the ident wasn't matched with bob, they would be denied.

No, the first rule only says that if the ident is bob he will be allowed.

If the ident is not bob the first http_access line does nothing and Squid
continues to the next http_access line.

> Then if it wasn't ident traffic, they'd be denied for everything else?

The second line says everything not matched above is denied.

The AND is when you have multiple acls on the same http_access line

acl mynetwork src
acl Bob ident bob
http_access allow mynetwork Bob

will allow the request if the source IP is in the network
AND the ident is "bob".

Received on Wed Feb 25 2004 - 09:25:11 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST