Re: [squid-users] dstdomain question

From: Bgs <bgs@dont-contact.us>
Date: Mon, 10 Mar 2008 15:08:47 +0100

The main logic in a nutshell:

acl: elements are ORed (be it a single line, multiple line or file)

http_access: a single line's acl elements are ANDed and if matched, you
get a final allow or deny depending what your line says. If there is no
match, check goes to the next line.

In your case:

http_access allow msnmessenger
Does the url contain the case insensitive regex "gateway.dll"? If yes
allow connection. This will let through your MSN connections _and_
everything that looks similar (see example in previous mail).

Anything that is not matched by the above goes on to the next rule:
http_access allow msnURL
Is the destination in the list of the given domains? If yes allow
connection. (This includes www.msn.com site browsing for instance).

Both of your rules are enough to let msn through but in this separate
way you have it like this:

- Probably all msn requests are allowed on the first rule and the second
one does nothing.
- You open up a lot of possible requests unauthenticated and also
bypassing possible filters you have after these.

Regards
Bgs

mbaki@osisolutions.com wrote:
> Thanks for the tip.
>
> I thought having the 2 rules separately is equivalent to merging them in 1
> line, now I know.
>
> So how does squid now interpret "http_access allow msnmessenger msnURL"
>
> Thank you
>
>
>
>> The http_access should look like this:
>>
>> http_access allow msnmessenger msnURL
>>
>> The two separate lines mean that you allow all kind of connections to
>> the listed domains and you also allow all connections that have
>> gateway.dll in the url (non msnURL sites too).
>>
>> For example you can browse msn.com without auth and you can also
>> download http://haxx0r.net/gateway.dll/botnet-client-install.exe :D
>>
>>
>> Regards
>> Bgs
>>
>>
>> Monah Baki wrote:
>>> I think I got it, I am able to connect once I added in my squid.conf the
>>> following
>>>
>>> acl msnmessenger url_regex -i gateway.dll
>>> acl msnURL dstdomain .passport.com
>>> acl msnURL dstdomain .live.com
>>> acl msnURL dstdomain .msn.com
>>> http_access allow msnmessenger
>>> http_access allow msnURL
>>>
>>>
>>> This works on my MAC OS X, will test on windows.
>>>
>>>
>>> On Mar 9, 2008, at 10:30 AM, Monah Baki wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm running squid with authentication, and my users are running IE.
>>>> Of course once they enable proxy in IE setting, MSN no longer works. I
>>>> read by using the dstdomain before authentication in your squid.conf,
>>>> users are able to use MSN messenger without manually adding the
>>>> username and proxy in their MSN setting.
>>>>
>>>> What's the syntax for this in squid.conf
>>>>
>>>>
>>>> Thank you
>>>>
>>>> BSD Networking, Microsoft Notworking
>>>>
>>>>
>>>>
>>>
>>>
>>> BSD Networking, Microsoft Notworking
>>>
>>>
>>>
>
>
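To make the ORed/ANDed logic in the explanation above concrete, here is a small Python simulation of squid's http_access evaluation for the acls posted in this thread. It is an added example, not code from the thread or from Squid itself: the MSN gateway URL is a constructed sample, and the "fallthrough" result only stands for "no line matched, continue with the later lines in squid.conf" (the auth rules, in the original poster's setup).

```python
import re
from urllib.parse import urlsplit

# The acl lines from the thread. Each acl name maps to its alternatives;
# a request matches the acl when ANY alternative matches (elements are ORed).
ACLS = {
    "msnmessenger": [("url_regex", "gateway.dll")],  # -i: case-insensitive, unanchored
    "msnURL": [("dstdomain", ".passport.com"),
               ("dstdomain", ".live.com"),
               ("dstdomain", ".msn.com")],
}

def acl_matches(name, url):
    host = (urlsplit(url).hostname or "").lower()
    for kind, value in ACLS[name]:
        if kind == "url_regex" and re.search(value, url, re.IGNORECASE):
            return True
        if kind == "dstdomain":
            # A leading dot matches the domain itself and every subdomain.
            dom = value.lower()
            if dom.startswith(".") and (host == dom[1:] or host.endswith(dom)):
                return True
            if not dom.startswith(".") and host == dom:
                return True
    return False

def http_access(rules, url):
    """Evaluate http_access lines top down. All acls on one line must match
    (ANDed); the first matching line decides. No match: evaluation continues
    with whatever lines follow in squid.conf, reported here as 'fallthrough'."""
    for action, acl_names in rules:
        if all(acl_matches(n, url) for n in acl_names):
            return action
    return "fallthrough"

# The two configurations discussed in the thread.
SEPARATE = [("allow", ["msnmessenger"]), ("allow", ["msnURL"])]
COMBINED = [("allow", ["msnmessenger", "msnURL"])]

# Sample requests: a constructed MSN gateway URL, the example URL from the
# thread, and plain www.msn.com browsing.
SAMPLE_URLS = [
    "http://gateway.messenger.msn.com/gateway/gateway.dll?Action=open",
    "http://haxx0r.net/gateway.dll/botnet-client-install.exe",
    "http://www.msn.com/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url}\n  separate: {http_access(SEPARATE, url):<11} "
              f"combined: {http_access(COMBINED, url)}")
```

With the two separate lines every sample URL is allowed before authentication; with the single combined line only the request that is both a gateway.dll URL and aimed at one of the listed domains is allowed, and the other two fall through to the rules after it.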
Received on Mon Mar 10 2008 - 08:08:59 MDT