Re: [squid-users] Hole in my thinking

From: Bobby <bobby@dont-contact.us>
Date: Sun, 10 Jun 2007 21:39:00 -0400

On Friday 08 June 2007 14:15:38 Chris Robertson wrote:

> Had I read more closely, I would have noticed "list of domains"
> regarding the dst ACL. That would cause problems. See below.
>
> >>> acl managers-src src "/etc/squid/T_managers"
> >>> acl managers-dst dst "/etc/squid/T_managers-http"
> >>> acl servers-src src "/etc/squid/T_servers"
> >>> acl servers-dst dst "/etc/squid/T_servers-http"
> >>> acl finance-src src "/etc/squid/T_finance"
> >>> acl finance-dst dst "/etc/squid/T_finance-http"
> >>> acl admins-src src "/etc/squid/T_admins"
> >>> acl admins-dst dst all
>
> SNIP
>
> >>> acl clients src 0.0.0.0/0.0.0.0
> >>> acl client-http dst 172.16.10.3
> >>>
> >>> http_access allow managers-src managers-dst
> >>> http_access allow operators-src operators-dst
> >>> http_access allow admins-src admins-dst
> >>> http_access allow servers-src servers-dst
> >>> http_access allow finance-src finance-dst
> >>> http_access allow clients client-http
> >>>
> >>> http_access deny all
> >>> http_reply_access deny all
>
> SNIP
>
> > In the end do you see any reason why operators can get out but not
> > servers?
> >
> > T_admins =
> > 172.16.10.15
> > 172.16.10.21
> > 172.16.10.25
> >
> > T_admins-http =
> > 0.0.0.0
> >
> > T_finance =
> > 172.16.10.146
> > 172.16.10.76
> >
> > T_finance-http =
> > adobe.com
> > amsouth.com
> > anywho.com
> > arin.net
>
> I don't see how anyone (other than the admins) is getting out (anywhere
> but 172.16.10.3). :o) The dst ACL is expecting an IP address. To use
> domains, you should be using dstdomain (and if you want to be
> permissive, you should lead each of those domains with a period,*).
>
> Chris
>
> * Prepending a period to the domain of a dstdomain ACL will match the
> domain and any subdomain. For example, acl dstdomain yahoo.com would
> not match www.yahoo.com, but acl dstdomain .yahoo.com would.

So you are saying that

        acl managers-dst dst "/etc/squid/T_managers-http"

should really be

        acl managers-dst dstdomain "/etc/squid/T_managers-http"

and in the -http files each domain should be prepended with a period?

-- 
Bobby
Received on Sun Jun 10 2007 - 21:36:14 MDT
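The following is an added example, not part of the thread or of Squid itself: a small Python model of the two ACL types discussed above (address-based "dst" versus name-based "dstdomain") and of first-match http_access evaluation. The list contents are constructed from the T_finance and T_finance-http files quoted in the message; the matching rules follow what Chris describes (a bare name matches only itself, a name with a leading period also matches every subdomain). Real Squid resolves names and handles list files with more subtlety than this; the model only illustrates why a domain list behind "dst" never lets anyone out, and why the corrected dstdomain list needs the leading period.

```python
import ipaddress

# Constructed list contents, modelled on the T_* files quoted in the thread.
T_FINANCE = ["172.16.10.146", "172.16.10.76"]
T_FINANCE_HTTP = ["adobe.com", "amsouth.com", "anywho.com", "arin.net"]


def match_src(entries, client_ip):
    """src ACL: the client address lies in one of the listed addresses/networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def match_dst(entries, dest):
    """dst ACL (address-based): the destination, taken here as an already
    resolved address, is compared against listed addresses/networks.
    A request to a host name and a list entry like "adobe.com" are not
    addresses at all, so neither can ever produce a match."""
    try:
        dest_ip = ipaddress.ip_address(dest)
    except ValueError:
        return False  # request carried a name, not a literal address
    for e in entries:
        try:
            if dest_ip in ipaddress.ip_network(e, strict=False):
                return True
        except ValueError:
            continue  # "adobe.com" is not a network; it silently never matches
    return False


def match_dstdomain(entries, dest_host):
    """dstdomain ACL (name-based): "example.com" matches only that exact
    name; ".example.com" matches example.com and every name under it."""
    host = dest_host.lower().rstrip(".")
    for e in entries:
        e = e.lower()
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                return True
        elif host == e:
            return True
    return False


def http_access(rules, request):
    """First matching http_access line wins; every ACL on the line must match.
    Mirrors the implicit deny at the end of the posted configuration."""
    for action, acls in rules:
        if all(check(request) for check in acls):
            return action
    return "deny"


def decision(request, fixed):
    """Evaluate the finance rules as posted (fixed=False: a domain list under
    "dst") or as corrected (fixed=True: "dstdomain" with leading periods)."""
    finance_src = lambda r: match_src(T_FINANCE, r["src"])
    if fixed:
        domains = ["." + d for d in T_FINANCE_HTTP]
        finance_dst = lambda r: match_dstdomain(domains, r["dst"])
    else:
        finance_dst = lambda r: match_dst(T_FINANCE_HTTP, r["dst"])
    rules = [
        ("allow", [finance_src, finance_dst]),  # http_access allow finance-src finance-dst
        ("deny", [lambda r: True]),             # http_access deny all
    ]
    return http_access(rules, request)


if __name__ == "__main__":
    req = {"src": "172.16.10.76", "dst": "www.adobe.com"}
    print("as posted   :", decision(req, fixed=False))  # deny
    print("as corrected:", decision(req, fixed=True))   # allow
    print("other host  :", decision({"src": "172.16.10.200", "dst": "www.adobe.com"}, fixed=True))
```

Running the block shows the finance workstation denied under the posted configuration and allowed once the ACL is switched to dstdomain with a leading period; a client outside the T_finance list is still denied, since both ACLs on the allow line must match.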
