Search squid archive

RE: [squid-users] Banning all other destinations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> -----Original Message-----
> From: johnsuth@xxxxxxxxxxxxx [mailto:johnsuth@xxxxxxxxxxxxx]
> Sent: Friday, February 11, 2005 5:26 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: [squid-users] Banning all other destinations

SNIP

>  
> The dstdomain .gov denied .gov.au so I reverted to dstdom_regex although,
like the   
> California Democrats, I don't want the govenator. 
>  

This is possible:  

\.gov(\..*)?$ 

Will only match "*.gov" or "*.gov.*" but will not match "thegovenator.com".
On the other hand, it's a complex rule that will cause a hit on performance.
Perhaps using "dst_domain .gov .gov.au" would be a more exact solution.
I've made a couple of sugesstions below.  Then again, if it ain't broke...

> Interleaving works, and ANDing the ACLs in the rules makes the intent even
clearer. 

Excellent.  Clarity leads to functionality.

>  
> ACL is checked before getting from cache.

Good to know.  I was not aware of that previously. 
>  
> Squid goes out to the internet before getting cached pages, after a period
of idleness.  I   
> don't have a good handle on this. 

Usually to check whether the page has been modified (look for an IMS_HIT).

>  
> The last rule does what it says, not the inverse. 

The last rule does what it says.  If it is not an absolute, then the NEXT
(non-existent rule) is an absolute in the inverse.  So if your last
http_access rule is "http_access allow mylan" then the implied next rule is
"http_access deny all".  In the same vein, if the last rule is "http_access
deny badsites" then the next implied rule is "http_access allow all", hence
the suggestion to make the last rule explicit.

>  
> Changing the rules had some side effects. 
> 1) the 30 sec delay on shutdown started working and, after some more rule
changes,   
> stopped working.  It does not matter. 

Look for a "shutdown_lifetime" rule in your conf file.  If absent, Squid
should default to 30 seconds.

> 2) I now have access denied error messages, in Hebrew.  Perhaps it is
better that users   
> who try naughty things are baffled, rather than taunted by a
comprehensible message. 

Look for an "error_directory" rule.  This will point Squid to the directory
containing error messages.  The default is set at compile time.

>  
> Here are my rules:- 
>  
> #  TAG: acl 
>  
> #  TAG: http_access 
> acl all src 0.0.0.0/0.0.0.0 
> acl localnet src 192.168.100.0/24 
> acl OKdomains dstdom_regex -i .gov. .edu. .google.com.au 

acl OKdomains dstdom_regex -i \.gov\.? \.edu\.? \.google\.com\.au$

or

acl OKdomains dstdomain .gov .gov.au .edu .edu.au .google.com.au

> http_access allow localnet OKdomains 
> acl every dst 0.0.0.0/0.0.0.0 
> http_access deny every 
>  
> #  TAG: http_reply_access 
> http_reply_access allow localnet 
> http_access deny all 
>  
> I am inestimably grateful for your patience which has saved my life, well,
at least my   
> sanity. 

Glad to be of what help I can.

Chris

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux