Re: [squid-users] ACL composition

From: Paolo Supino <paolo.supino_at_gmail.com>
Date: Mon, 20 Feb 2012 12:58:40 +0100

Hi Matus

All my other http_access rules are either based on a single "acl src",
"acl dst" (and variants) or "acl src, acl dst". The question (and not
a problem) is whether I can have a http_access rule that is built from
a: "acl src, acl dst and acl port"?

Anyhow, Amos Jeffries replied to me in private and taught me that it can be done...

TIA
Paolo

On Sun, Feb 19, 2012 at 1:13 PM, Matus UHLAR - fantomas
<uhlar_at_fantomas.sk> wrote:
>>> On 16.02.12 15:51, Paolo Supino wrote:
>>>>
>>>> I have the following scenario: I have a subnet that needs to get out
>>>> on the internet to 2 different subnets. To subnet1 it needs to be able
>>>> to access only in HTTP while to subnet2 it needs to be able to access
>>>> only in HTTPS. Is it possible to do the following:
>>>>
>>>> acl source_subnet src 192.168.100.0/255.255.255.0
>>>> acl destination_subnet1 dst 172.16.0.0/255.255.0.0
>>>> acl destination_subnet2 dst 172.31.0.0/255.255.0.0
>>>> acl HTTP_PORT port 80
>>>> acl SSL_PORT port 443
>>>>
>>>> http_access allow source_subnet destination_subnet1 HTTP_PORT
>>>> http_access allow source_subnet destination_subnet2 SSL_PORT
>
>
>> On Fri, Feb 17, 2012 at 9:55 AM, Matus UHLAR - fantomas
>> <uhlar_at_fantomas.sk> wrote:
>>>
>>> do you have any other http_access directives in the config?
>
>
> On 17.02.12 14:34, Paolo Supino wrote:
>>
>>  Yes I have a few http_access rules in my squid.conf (7 to be
>> precise), but I can't fold this ACL into the other ACLs I have (I
>> would have done it if I could).
>
>
> And what exactly is your problem? Is other access to those two also allowed?
> Or is the access you need denied?
> For the former case, you are allowing access but you are not denying
> anything, or at least not with these directives. That might be your problem.
>
>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> Windows 2000: 640 MB ought to be enough for anybody
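Added example, not from the thread and not Squid's own code: a small Python model of how Squid evaluates the http_access lines quoted above. ACLs on one line are ANDed, lines are tried in order with first match winning, and a request that matches no line gets the opposite of the last line's action. The trailing `http_access deny all` and the sample requests are my assumptions, added so the default is explicit rather than implied.

```python
import ipaddress

# Constructed squid.conf fragment: the thread's five ACLs and two http_access
# lines, plus an explicit final "deny all" (an assumption, not in the thread).
SQUID_CONF = """
acl source_subnet src 192.168.100.0/255.255.255.0
acl destination_subnet1 dst 172.16.0.0/255.255.0.0
acl destination_subnet2 dst 172.31.0.0/255.255.0.0
acl HTTP_PORT port 80
acl SSL_PORT port 443
http_access allow source_subnet destination_subnet1 HTTP_PORT
http_access allow source_subnet destination_subnet2 SSL_PORT
http_access deny all
"""

def parse(conf):
    # Returns ({acl name: (type, value)}, [(action, [acl names])]).
    acls, rules = {"all": ("all", None)}, []
    for line in conf.strip().splitlines():
        words = line.split()
        if words[0] == "acl":
            name, kind, value = words[1], words[2], words[3]
            if kind in ("src", "dst"):
                value = ipaddress.ip_network(value)   # accepts addr/netmask form
            elif kind == "port":
                value = int(value)
            acls[name] = (kind, value)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acl, req):
    kind, value = acl
    if kind == "all":
        return True
    if kind in ("src", "dst"):
        return ipaddress.ip_address(req[kind]) in value
    return req["port"] == value                       # kind == "port"

def decide(acls, rules, req):
    # First-match evaluation: ACLs on one line are ANDed, lines are ORed.
    for action, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return action
    # Nothing matched: Squid falls back to the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

ACLS, RULES = parse(SQUID_CONF)

def check(src, dst, port):
    return decide(ACLS, RULES, {"src": src, "dst": dst, "port": port})
```

Removing the final `deny all` does not change these results here, because the fallback is the opposite of the last `allow`, but it does change them as soon as a rule ending in `deny` is appended later, which is why an explicit final deny is the safer habit.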
Received on Mon Feb 20 2012 - 11:58:49 MST
