Re: [squid-users] Squid "acl port"

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 30 Sep 2009 14:29:28 +1200

On Wed, 30 Sep 2009 09:46:04 +0800, "wangwen" <wangw330_at_126.com> wrote:
> Hi All.
>
> I have a question about the use of “acl port” in squid.conf.
>
> Generally the proxy has the following three cases:
>
> 1. Standard proxy cache server: In order to realize this approach, we
> must indicate the IP and port of the proxy server in the browser of every
> internal host.
>
> 2. Transparent proxy cache server: The transparent cache intercepts
> network traffic, filters HTTP traffic (on port 80), and handles the request
> if the item is in the cache.
>
> 3. Reverse proxy cache server: It usually listens on port 80 to accept
> client requests. When guests access the proxy server, they will just feel
> like they are visiting the backend server. Users can't perceive the backend
> server here.
>
>
> In the first case: Entering “IP:port” in the browser we can access any
> website. According to the IP address and port in the browser, the proxy
> server controls user access. In this case we can use “acl port” in
> squid.conf to control access.
>
> In the second case: Entering “IP:port” in the browser we can access any
> website. But a request URL which does not include port 80 will not be sent
> to the proxy server. I think that “acl port” is useless in this case.
>
> In the third case: Entering “IP of reverse proxy server:port” in the
> browser we can access the backend server. I think that “acl port” is
> useless in this case.
>
> From what we analyzed before, “acl port” only takes effect in the first
> case, or does it? If not, can anybody give me some examples of using “acl
> port” in the other cases?
>
> Thank you.

When referring to the receiving http_port in Squid, prefer the myportname
feature. All other port ACL types are unreliable in some modes.

ACL type "port" - refers to the client destination port when in normal
proxy mode. In reverse proxy mode this is the client destination port
(provided NAT and load balancers have not been involved anywhere down the
chain), which should usually be 80, but may be some other Squid receiving
accel port if used by web apps or altered by intermediate devices/software.

ACL type "myport" - refers to the Squid receiving port. In reverse proxy
mode, expect this to be identical to the above (aka the client destination
port). Usable in forward and reverse proxy mode for non-standard or
multiple proxy listening ports.

NOTE: _neither_ of the above methods works reliably in transparent mode.
The IP:port for both Squid and the client, and the client destination, are
volatile based on system NAT capabilities. Or, if they are reliably set,
they should always be 80. Every install combo of operating system, firewall,
NAT engine and Squid version needs to be tested to see what the ACL
matches. TPROXY interception also faces the same problems with even weirder
behavior, setting "myport" to the client source port, which should be
completely random and unusable.

ACL type "myportname" - refers to the Squid receiving port by its explicit
name in all modes.

Amos
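The following squid.conf fragment is an added worked example of the advice in the reply above; it is not part of Amos's message or of the Squid project's documentation. It runs the three modes from the question on one Squid instance, names every http_port so that "myportname" can match it in any mode, and uses "port" only where the reply says it carries meaning (the forward proxy). The port numbers, ACL names, the 10.0.0.0/8 client range, the origin address 192.0.2.10 and the hostname www.example.com are assumptions; "intercept" is the Squid 3.1+ spelling of the interception option (older releases used "transparent").

```squid
# Added example: one squid.conf serving all three modes from the question.
# Each http_port gets an explicit name= so ACLs can match the receiving
# port by name rather than by a number that NAT may have rewritten.

# 1. Standard (forward) proxy, configured in the browser.
http_port 3128 name=forwardPort

# 2. Interception (transparent) proxy: the firewall redirects port-80
#    traffic here, so clients never see 3129. Squid 3.1+ spelling;
#    older releases used "transparent" instead of "intercept".
http_port 3129 intercept name=interceptPort

# 3. Reverse proxy (accelerator) listening on 80 for the published site.
#    www.example.com and 192.0.2.10 are placeholder values.
http_port 80 accel defaultsite=www.example.com name=reversePort
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin

acl localnet src 10.0.0.0/8          # assumed internal client range

# "myportname" matches the receiving http_port by name in every mode,
# including intercept, where "port" and "myport" numbers are not trustworthy.
acl forwardPort   myportname forwardPort
acl interceptPort myportname interceptPort
acl reversePort   myportname reversePort

# "port" is the CLIENT DESTINATION port, i.e. the port in the requested URL.
# Meaningful on the forward proxy, where clients may ask for any port;
# carries no information in intercept mode, where the kernel only ever
# hands Squid traffic that was already addressed to port 80.
acl Safe_ports port 80 443 1025-65535

# Forward proxy: internal clients only, and only to sane destination ports.
http_access deny  forwardPort !Safe_ports
http_access allow forwardPort localnet

# Intercepted traffic: same client restriction, but no destination-port
# test, since in this mode "port" is either volatile or always 80.
http_access allow interceptPort localnet

# Reverse proxy: anyone may reach the published site through the accel
# port, but nothing else may be requested via it, and those requests must
# go to the origin peer rather than directly to the internet.
acl publicSite dstdomain www.example.com
http_access allow reversePort publicSite
never_direct allow reversePort
cache_peer_access origin allow reversePort publicSite
cache_peer_access origin deny all

http_access deny all
```

Keeping the mode-specific rules keyed on myportname means a request that arrives on the wrong listener (for example a forward-proxy style absolute URL sent to the accel port) falls through to the final deny instead of being matched by a rule meant for another mode. Confirm the behaviour on each platform with "squid -k parse" and a test request per listener, as the reply notes that what "port" and "myport" see in intercept and TPROXY mode varies with the OS and NAT engine.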
Received on Wed Sep 30 2009 - 02:29:31 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 30 2009 - 12:00:03 MDT