> -----Original Message-----
> From: johnsuth@xxxxxxxxxxxxx [mailto:johnsuth@xxxxxxxxxxxxx]
> Sent: Friday, February 11, 2005 5:26 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: [squid-users] Banning all other destinations

SNIP

> The dstdomain .gov denied .gov.au so I reverted to dstdom_regex although, like the
> California Democrats, I don't want the govenator.

This is possible:

\.gov(\..*)?$

Will only match "*.gov" or "*.gov.*" but will not match "thegovenator.com". On the other hand, it's a complex rule that will cause a hit on performance. Perhaps using "dstdomain .gov .gov.au" would be a more exact solution. I've made a couple of suggestions below. Then again, if it ain't broke...

> Interleaving works, and ANDing the ACLs in the rules makes the intent even clearer.

Excellent. Clarity leads to functionality.

> ACL is checked before getting from cache.

Good to know. I was not aware of that previously.

> Squid goes out to the internet before getting cached pages, after a period of idleness. I
> don't have a good handle on this.

Usually to check whether the page has been modified (look for an IMS_HIT).

> The last rule does what it says, not the inverse.

The last rule does what it says. If it is not an absolute, then the NEXT (non-existent) rule is an absolute in the inverse. So if your last http_access rule is "http_access allow mylan" then the implied next rule is "http_access deny all". In the same vein, if the last rule is "http_access deny badsites" then the next implied rule is "http_access allow all", hence the suggestion to make the last rule explicit.

> Changing the rules had some side effects.
> 1) the 30 sec delay on shutdown started working and, after some more rule changes,
> stopped working. It does not matter.

Look for a "shutdown_lifetime" rule in your conf file. If absent, Squid should default to 30 seconds.

> 2) I now have access denied error messages, in Hebrew. Perhaps it is better that users
> who try naughty things are baffled, rather than taunted by a comprehensible message.

Look for an "error_directory" rule. This will point Squid to the directory containing error messages. The default is set at compile time.

> Here are my rules:-
>
> # TAG: acl
>
> # TAG: http_access
> acl all src 0.0.0.0/0.0.0.0
> acl localnet src 192.168.100.0/24
> acl OKdomains dstdom_regex -i .gov. .edu. .google.com.au

acl OKdomains dstdom_regex -i \.gov\.? \.edu\.? \.google\.com\.au$

or

acl OKdomains dstdomain .gov .gov.au .edu .edu.au .google.com.au

> http_access allow localnet OKdomains
> acl every dst 0.0.0.0/0.0.0.0
> http_access deny every
>
> # TAG: http_reply_access
> http_reply_access allow localnet
> http_access deny all
>
> I am inestimably grateful for your patience which has saved my life, well, at least my
> sanity.

Glad to be of what help I can.

Chris
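The points above about ACL matching (an unanchored dstdom_regex, the anchored form, dstdomain suffix matching) and about the implied inverse of the last http_access line can be checked with a small model. The following is an added illustration written for this thread, not Squid's code and not anything the posters ran. It parses a squid.conf-style fragment and evaluates http_access with the semantics the thread describes. The sample configs are constructed here: "deny all" replaces the poster's "deny every" because the dst ACL (which needs a DNS lookup) is not modelled, and extending the anchored regex from \.gov to \.edu is my own generalisation of the reply's suggestion.

```python
"""Toy model of Squid http_access evaluation, written as an illustration for
this thread; it is not Squid's code.  Semantics modelled, as the thread states:
  src          client address inside a CIDR / dotted-netmask range
  dstdomain    ".gov" matches "gov" and any host under it, but not "x.gov.au"
  dstdom_regex regex searched anywhere in the host unless anchored (-i: ignore case)
  http_access  first matching line wins, ACLs on one line are ANDed, and when
               no line matches the inverse of the LAST line's action applies
The "dst" ACL (needs DNS) is not modelled; "deny all" is used instead.
"""
import ipaddress
import re


def parse_config(text):
    """Collect 'acl' and 'http_access' lines from squid.conf-style text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            ignore_case = args[:1] == ["-i"]
            if ignore_case:
                args = args[1:]
            acls.setdefault(name, []).append((kind, args, ignore_case))
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def dstdomain_match(pattern, host):
    """Squid dstdomain: a leading dot means 'this domain and every subdomain'."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_match(acls, token, client_ip, host):
    """Does ACL 'token' (optionally '!'-negated) match this request?"""
    negate = token.startswith("!")
    hit = False
    for kind, args, ignore_case in acls[token.lstrip("!")]:
        if kind == "src":
            ip = ipaddress.ip_address(client_ip)
            hit = any(ip in ipaddress.ip_network(a, strict=False) for a in args)
        elif kind == "dstdomain":
            hit = any(dstdomain_match(a, host) for a in args)
        elif kind == "dstdom_regex":
            flags = re.IGNORECASE if ignore_case else 0
            hit = any(re.search(a, host, flags) for a in args)
        else:
            raise ValueError(f"ACL type {kind!r} is not modelled here")
        if hit:
            break
    return hit != negate


def http_access(acls, rules, client_ip, host):
    """Return 'allow' or 'deny' following Squid's first-match rule."""
    if not rules:
        return "deny"                      # no http_access lines at all -> deny
    for action, tokens in rules:
        if all(acl_match(acls, t, client_ip, host) for t in tokens):
            return action
    # Fell off the end: the implied next line is the inverse of the last one.
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_text, client_ip, host):
    acls, rules = parse_config(config_text)
    return http_access(acls, rules, client_ip, host)


# Constructed sample configs (not the poster's exact file).
BASE = "acl all src 0.0.0.0/0.0.0.0\nacl localnet src 192.168.100.0/24\n"
# The poster's regex: unanchored, and '.' matches any character.
LOOSE = BASE + """acl OKdomains dstdom_regex -i .gov. .edu. .google.com.au
http_access allow localnet OKdomains
http_access deny all
"""
# The reply's anchored form; the .edu variant is my extension of it.
ANCHORED = BASE + r"""acl OKdomains dstdom_regex -i \.gov(\..*)?$ \.edu(\..*)?$ \.google\.com\.au$
http_access allow localnet OKdomains
http_access deny all
"""
# The reply's dstdomain suggestion: plain suffix matching, no regex cost.
TIGHT = BASE + """acl OKdomains dstdomain .gov .gov.au .edu .edu.au .google.com.au
http_access allow localnet OKdomains
http_access deny all
"""
# No explicit catch-all: whatever the last line does, the rest is the inverse.
IMPLIED_DENY = BASE + "http_access allow localnet\n"
IMPLIED_ALLOW = "acl badsites dstdomain .example.com\nhttp_access deny badsites\n"

if __name__ == "__main__":
    for name, cfg in (("loose", LOOSE), ("anchored", ANCHORED), ("tight", TIGHT)):
        for host in ("thegovenator.com", "www.abc.gov.au", "www.nasa.gov"):
            print(f"{name:9} 192.168.100.7 -> {host:17} {decide(cfg, '192.168.100.7', host)}")
    print("implied   10.0.0.5 -> www.nasa.gov", decide(IMPLIED_DENY, "10.0.0.5", "www.nasa.gov"))
```

In this model the unanchored `.gov.` both over-matches (thegovenator.com is allowed, because `.` matches the "e" on either side of "gov") and under-matches (a bare www.nasa.gov is denied, because the pattern needs a character after "gov"); the anchored regex and the dstdomain list both get those two cases right, and dstdomain needs the separate `.gov.au` entry exactly as the thread says. The IMPLIED_DENY and IMPLIED_ALLOW fragments show the inverse-of-last-line behaviour that motivates ending the list with an explicit `http_access deny all`.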