Re: [squid-users] Squid "acl port"

From: wangwen <wangw330_at_126.com>
Date: Wed, 30 Sep 2009 11:43:29 +0800

I got it,Thanks for your replies.

----- Original Message -----
From: "Amos Jeffries" <squid3_at_treenet.co.nz>
To: "wangwen" <wangw330_at_126.com>
Cc: <squid-users_at_squid-cache.org>
Sent: Wednesday, September 30, 2009 10:29 AM
Subject: Re: [squid-users] Squid "acl port"

> On Wed, 30 Sep 2009 09:46:04 +0800, "wangwen" <wangw330_at_126.com> wrote:
>> Hi All.
>>
>> I have a question about the use of “acl port” in squid.conf.
>>
>> Generally the proxy has the following three cases:
>>
>> 1. Standard proxy cache server: In order to realize this approach, we
>> must indicate the IP and port of the proxy server in the browser of every
>> internal host.
>>
>> 2. Transparent proxy cache server: The transparent cache intercepts
>> network traffic, filters HTTP traffic (on port 80), and handles the
>> request if the item is in the cache.
>>
>> 3. Reverse proxy cache server: It usually listens on port 80 to accept
>> client requests. When guests access the proxy server, they will just feel
>> like they are visiting the backend server. Users can't see the backend
>> server here.
>>
>>
>> In the first case: Entering “IP:port” in the browser we can access any
>> website. According to the IP address and port in the browser, the proxy
>> server controls user access. In this case we can use “acl port” in
>> squid.conf to control access.
>>
>> In the second case: Entering “IP:port” in the browser we can access any
>> website. But a request URL which does not include port 80 will not be
>> sent to the proxy server. I think that “acl port” is useless in this
>> case.
>>
>> In the third case: Entering “IP of reverse proxy server:port” in the
>> browser we can access the backend server. I think that “acl port” is
>> useless in this case.
>>
>> From what we analyzed before, “acl port” only takes effect in the first
>> case, or does it? If not, can anybody give me some example of using
>> “acl port” in the other cases?
>>
>> Thank you.
>
> When referring to the receiving http_port in squid prefer the myportname
> feature. All other port ACL types are unreliable in some modes.
>
> ACL type "port" - refers to the client destination port when in normal
> proxy mode. In reverse proxy mode this is the client destination port
> (provided NAT and load balancers have not been involved anywhere down the
> chain), which should usually be 80, but may be some other squid receiving
> accel port if used by web apps or altered by intermediate
> devices/software.
>
> ACL type "myport" - refers to the squid receiving port. In reverse proxy
> mode expect this to be identical to the above (aka client destination
> port). Usable in forward and reverse proxy mode for non-standard or
> multiple proxy listening ports.
>
> NOTE: _neither_ of these above methods works reliably in transparent mode.
> The IP:port for both squid and the client and the client destination are
> volatile based on system NAT capabilities, or, if they are reliably set,
> should always be 80. Every install combo of operating system, firewall,
> NAT engine and Squid version needs to be tested to see what the ACL
> matches. TPROXY interception also faces the same problems with even
> weirder behavior, setting "myport" to the client source port, which should
> be completely random and unusable.
>
> ACL type "myportname" - refers to the squid receiving port by explicit
> name in all modes.
>
> Amos
>
>
Received on Wed Sep 30 2009 - 03:43:39 MDT
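A squid.conf fragment illustrating the advice in the reply above (named listeners plus "myportname" ACLs instead of "port"/"myport" where those are unreliable), added here as an example and not part of the thread or of Squid's own documentation. The listener names, the documentation-range addresses and the origin server are assumed placeholders, and the syntax follows Squid 3.1 (`intercept` rather than the older `transparent` keyword).

```conf
# Added example, not from the thread. Addresses are documentation-range
# placeholders; replace them for a real deployment. Squid 3.1+ syntax.

# One http_port per operating mode, each given an explicit name so that
# ACLs can refer to the listener regardless of NAT or interception.
http_port 192.0.2.1:3128 name=fwdproxy
http_port 192.0.2.1:3129 intercept name=intercepted
http_port 192.0.2.1:80 accel defaultsite=www.example.com vhost name=reverse

# Origin server behind the reverse proxy (placeholder address).
cache_peer 198.51.100.10 parent 80 0 no-query originserver name=origin

# Match listeners by name: reliable in all three modes per the reply above.
acl on_fwdproxy myportname fwdproxy
acl on_intercept myportname intercepted
acl on_reverse myportname reverse

acl localnet src 192.0.2.0/24
acl Safe_ports port 80 443

# Forward proxy: client-destination "port" checks are meaningful here,
# because the requested host:port comes straight from the browser.
http_access deny on_fwdproxy !Safe_ports
http_access allow on_fwdproxy localnet

# Intercepted traffic: do not rely on "port" or "myport"; their values
# depend on the NAT engine. Decide by listener name and client source only.
http_access allow on_intercept localnet

# Reverse proxy: accept only requests that arrived on the named accel
# listener and route them to the origin. The last cache_peer_access rule
# not matching implies the opposite action, so everything else is denied.
http_access allow on_reverse
cache_peer_access origin allow on_reverse

http_access deny all
```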