Re: [squid-users] acl and never_direct

From: Merton Campbell Crockett <mcc@dont-contact.us>
Date: Mon, 24 Oct 2005 06:48:07 -0700 (PDT)

On Sun, 23 Oct 2005, Henrik Nordstrom wrote:

> On Sat, 22 Oct 2005, Merton Campbell Crockett wrote:
>
> > The problem that I am having is that HTTP requests that use an IP address
> > are being forwarded to the parent cache. Can you not combine "dstdomain"
> > and "dst" in the same acl?
>
> You can use IP addresses in a dstdomain acl if you like. This will match
> requests using these explicit IP addresses only.

That works. I was hoping for something like tcpwrapper's host.allow IP
address wildcards, i.e. "166.16.".

> Or you could use dst acls in addition to the dstdomain acls.

The problem was how to merge "dst" and "dstdomain" expressions into a
single named ACL but, in retrospect, it was probably a simple matter of
listing the named ACLs on a single line to "OR" them together. Squid
doesn't like two different types of expressions in the same named ACL.

After a weekend of playing, I could find no possible way for my internal,
load-balanced proxy servers to share cached information without forwarding
all requests to the parent proxy at the security perimeter. I would need
a fourth proxy, defined as a parent, dedicated to the corporate WAN.
Bummer!

Merton Campbell Crockett

Received on Mon Oct 24 2005 - 07:52:52 MDT
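
As an added illustration (not part of the original message and not taken from the Squid project), this squid.conf fragment shows one way to keep both name-based and IP-based internal requests away from the parent cache. Each ACL type gets its own name and its own `always_direct` line, because Squid treats successive access lines as alternatives (OR) and ACL names listed on the same line as a conjunction (AND). The ACL names and the domain are hypothetical; 166.16.0.0/16 is the CIDR form of the "166.16." prefix mentioned in the message.

```conf
# Constructed example: ACL names and the domain are placeholders.

# A named ACL holds a single type, so the two kinds of match get two names.
acl internal_names dstdomain .corp.example
acl internal_nets  dst 166.16.0.0/16

# One rule per line: a request matching EITHER ACL is fetched directly.
# Writing both names on one line would require a request to match BOTH.
always_direct allow internal_names
always_direct allow internal_nets

# Everything not sent direct above must go through a parent cache.
never_direct allow all
```

For a request that uses a hostname, the `dst` type makes Squid resolve the name before it can evaluate the rule, so the `dstdomain` rule is listed first to settle name-based requests without that lookup.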