[squid-users] ACL defaults

 



Date: Sat, 5 Feb 2005 23:26:41 +0100 (CET) 
From: Henrik Nordstrom <hno@xxxxxxxxxxxxxxx> 
To: Martin Joseph <mercedes@xxxxxxxxxxxxxxxxxx> 
Cc: Squid Users <squid-users@xxxxxxxxxxxxxxx> 
Subject: Re: [squid-users] ACL defaults 
    
On Sat, 5 Feb 2005, Martin Joseph wrote: 
   
>> If you have http_access lines but none matches the request the action is the
>> opposite of your last http_access rule.
> 
> Wouldn't it make more sense for squid to DENY any requests after finishing  
> with the ACL list, thus forcing people to explicitly enable the access they  
> want to allow? 
 
Yes and no. There are many ways of doing access lists.
 
With the current design you can easily do either 
 
deny everything which is not allowed 
 
or 
 
allow only what is allowed 
 
and the result will be what you intended. 
 
 
Most people find it easier with explicit rules, which is why the
suggested standard configuration shipped with Squid looks like (in order)
 
1. limit cachemgr access 
 
2. deny abuse 
 
3. allow your clients to use the proxy 
 
4. deny everything else 
----------------------------------- 
 
I can't speak for other people, but I am using Squid in conjunction with a deny by default   
firewall to limit access to the www.  I see no rules in the standard http_access tag which   
limit access to destinations. 
 
The last rule, "deny all" looks like it limits access to destinations, but a clever lawyer or   
computer programmer can deduce that "all" refers to clients, not destinations. 
 
Getting back to the English (the docs may be different in other languages), you have not   
suggested why the word "deny" is used in your item 4 when the action is to allow all   
clients not previously denied. 
 


John Sutherland
Phone & Fax +61 2 4683 1511 
9 Meryla Street, Couridjah NSW 2571 Australia
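
The two points argued in this thread can be checked with a small model of http_access evaluation. This is an added example, not part of either post and not Squid's code; the ACL names `our_networks` and `blocked_sites`, the addresses and the domains are constructed, and treating "deny abuse" as a `dstdomain` rule is an assumption made for illustration.

```python
import ipaddress

# Constructed ACL table, modelled on squid.conf "acl NAME TYPE VALUE" lines.
ACLS = {
    "all": ("src", "0.0.0.0/0"),              # every client address
    "our_networks": ("src", "192.168.1.0/24"),
    "blocked_sites": ("dstdomain", ".example.net"),
}

def acl_matches(name, client_ip, dest_host):
    kind, value = ACLS[name]
    if kind == "src":  # tests the client address only
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(value)
    # dstdomain: a leading dot matches the domain and its subdomains
    base = value.lstrip(".")
    return dest_host == base or (value.startswith(".") and dest_host.endswith(value))

def http_access(rules, client_ip, dest_host):
    """rules: ordered (action, [acl names]); the first rule whose ACLs all match wins."""
    for action, names in rules:
        if all(acl_matches(n, client_ip, dest_host) for n in names):
            return action
    if not rules:
        return "deny"  # no http_access lines at all: Squid denies
    # Lines exist but none matched: opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

# Steps 2-4 of the suggested order, ending in an explicit catch-all.
EXPLICIT = [("deny", ["blocked_sites"]), ("allow", ["our_networks"]), ("deny", ["all"])]
# Same ACLs without the catch-all: the outcome depends on which line is last.
ENDS_WITH_DENY = [("allow", ["our_networks"]), ("deny", ["blocked_sites"])]
ENDS_WITH_ALLOW = [("deny", ["blocked_sites"]), ("allow", ["our_networks"])]

if __name__ == "__main__":
    outsider = ("203.0.113.5", "www.example.org")
    for label, rules in [("explicit", EXPLICIT), ("ends with deny", ENDS_WITH_DENY),
                         ("ends with allow", ENDS_WITH_ALLOW)]:
        print(label, "->", http_access(rules, *outsider))
```

A rule list whose last line is a deny lets an unmatched outside client through, which is why the suggested configuration ends with an explicit `deny all`; since `all` is a `src` ACL, limiting destinations needs a separate destination-type ACL such as `dstdomain`.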
