Re: [squid-users] Peer Review of my ACL's

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 25 Feb 2004 17:25:06 +0100 (CET)

On Wed, 25 Feb 2004, Eric Kahklen wrote:

> As I understand ACLs, squid uses OR logic when checking the ACL
> values. Squid only searches until it finds a match in the ACL then
> stops. The access rules are different, they use AND logic and combine
> all the ACLs in the list. If none of the access rules are matched, the
> default response is the exact opposite of the last rule.

Yes.

>
> So for example:
>
> acl mynetwork src 192.168.1.0
> http_access allow mynetwork
>
> This would only allow the 192.168.1.0 subnet, and by default it would
> DENY anything else since it wouldn't match the acl - mynetwork.

Yes.

>
> I got confused by one in Wessels book:
>
> acl All src 0/0
> acl Bob ident bob
> http_access allow Bob
> http_access deny All
>
> First if the ident wasn't matched with bob, they would be denied.

No, the first rule only says that if the ident is bob he will be allowed.

If the ident is not bob the first http_access line does nothing and Squid
continues to the next http_access line.

> Then if it wasn't ident traffic, they'd be denied for everything else?

The second line says everything not matched above is denied.

The AND is when you have multiple acls on the same http_access line:

acl mynetwork src 192.168.1.0/24
acl Bob ident bob
http_access allow mynetwork Bob

will allow the request if the source IP is in the 192.168.1.0/24 network
AND the ident is "bob".

Regards
Henrik
Received on Wed Feb 25 2004 - 09:25:11 MST
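The OR / AND / first-match / default rules discussed in this thread, as an added Python model written for this page (it is not Squid's code and not from either poster). It handles only `src` and `ident` acls, and treating a `src` value without a mask as a single host is an assumption of the model.

```python
import ipaddress
# Added illustration for this thread, not Squid's code: models "src" and "ident" acls
# and http_access allow/deny with the OR / AND / first-match / default rules above.

def _to_network(value):
    """Expand Squid shorthand like '0/0'. Assumption: no mask means one host (/32)."""
    addr, _, mask = value.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)

def parse_config(text):
    """Collect 'acl NAME TYPE value...' and 'http_access allow|deny NAME...' lines."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)  # values are OR'ed
        elif parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def acl_matches(acl, request):
    """An acl matches when ANY of its values matches the request (OR)."""
    acl_type, values = acl
    if acl_type == "src":
        addr = ipaddress.ip_address(request["src"])
        return any(addr in _to_network(v) for v in values)
    if acl_type == "ident":
        return request.get("ident") in values
    raise ValueError(f"acl type {acl_type!r} is not modelled here")

def http_access(acls, rules, request):
    """First http_access line whose acls ALL match (AND) decides; otherwise the
    result is the opposite of the last line's action."""
    for allow, names in rules:
        if all(acl_matches(acls[name], request) for name in names):
            return allow
    return not rules[-1][0]

def decide(config, request):
    """Convenience wrapper: parse a squid.conf fragment and evaluate one request."""
    acls, rules = parse_config(config)
    return http_access(acls, rules, request)

BOOK_CONFIG = "acl All src 0/0\nacl Bob ident bob\nhttp_access allow Bob\nhttp_access deny All"
```

With `BOOK_CONFIG`, a request whose ident is `bob` is allowed by the first line and any other request falls through to `deny All`, which is the behaviour Henrik describes.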