> -----Original Message-----
> From: OpenMacNews [mailto:OpenMacNews@xxxxxxxxxxxxx]
> Sent: Monday, August 29, 2005 4:48 PM
> To: Chris Robertson
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: RE: how 2 setup multiple 'routes' thru squid-cache based on listener port?
>
> Hi Chris,
>
> thx for the reply! =)
>
> > Adding something like...
> >
> > acl second_inport myport 7777
> > always_direct allow second_inport
> >
> > ... above ...
> >
> > never_direct allow all
> >
> > ... should allow clients accessing your proxy through port 7777 to not use
> > the privoxy (and therefore the TOR network), while pushing all other traffic
> > through the anonymizing network.
>
> aha. the 'myport' condition ... grt!
>
> ok. if, per your suggestion, i do:
>
> acl second_inport myport 7777
>
> always_direct allow second_inport
> never_direct allow all
>
> ...
>
> how would then subsequent conditions, e.g.:
>
> http_access allow localhost
> http_access allow INTERNAL_LAN
>
> no_cache deny QUERY SSL_ports
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow PURGE localhost
> http_access deny PURGE
> http_access allow manager localhost
> http_access deny manager
>
> header_access Allow allow INTERNAL_LAN
> header_access Authorization allow INTERNAL_LAN
> header_access WWW-Authenticate allow INTERNAL_LAN
> header_access Cache-Control allow INTERNAL_LAN
> header_access Content-Encoding allow INTERNAL_LAN
> ...
>
> , associated with the port 8888 anonymization route be applied ONLY for that
> route, and NOT the port 7777 'pass-thru'?
>
> i'm guessing this will require creating ACLs of the correct type(s), and
> logically JOINing them ...
>
> i.e., effectively:
>
> header_access Allow allow (INTERNAL_LAN AND !second_inport)
>
> but, so far, I haven't figured out how to do the boolean logic (still digging
> tho ...)
>
> thx! & cheers,
>
> richard
>

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

To summarise (sic) the acl logics can be described as:

http_access allow|deny acl AND acl AND ...
        OR
http_access allow|deny acl AND acl AND ...
        OR
...

So "header_access Allow allow INTERNAL_LAN !second_inport" should not strip the Allow header for those people connecting to port 7777, but should strip it for anyone else. I would suggest, however, testing this.

Chris
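
Added example, not part of the original thread and not Squid's own code: a small model of the matching logic quoted from the FAQ (ACLs on one line are ANDed, lines are ORed in order, "!" negates), useful for checking which requests a given line matches before testing it on the proxy. The INTERNAL_LAN range, the localhost definition, the first rule line and the sample requests are assumptions constructed for the example.

```python
import ipaddress

# ACL names come from the thread; the INTERNAL_LAN range and the localhost
# definition are assumptions made for this example.
ACLS = {
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "INTERNAL_LAN": lambda r: ipaddress.ip_address(r["src"])
    in ipaddress.ip_network("192.168.1.0/24"),
    "second_inport": lambda r: r["myport"] == 7777,  # acl second_inport myport 7777
}


def parse_rule(line):
    """Return (action, [(acl_name, negated), ...]) for one access line."""
    tokens = line.split()
    # header_access carries a header name before the action; http_access does not.
    start = 2 if tokens[0] == "header_access" else 1
    action = tokens[start]
    if action not in ("allow", "deny"):
        raise ValueError(f"expected allow|deny in: {line!r}")
    terms = [(t.lstrip("!"), t.startswith("!")) for t in tokens[start + 1:]]
    return action, terms


def line_matches(terms, request):
    """ACLs on one line are ANDed; a leading '!' negates that ACL."""
    return all(ACLS[name](request) != negated for name, negated in terms)


def first_match(rules, request):
    """Lines are ORed in order: the first line whose ACLs all match decides.

    Returns (line_number, action), or None when no line matches; what Squid
    does by default in that case is outside this model.
    """
    for number, line in enumerate(rules, start=1):
        action, terms = parse_rule(line)
        if line_matches(terms, request):
            return number, action
    return None


# Constructed rule set: line 1 is assumed, line 2 is the rule from the reply.
RULES = [
    "header_access Allow allow localhost",
    "header_access Allow allow INTERNAL_LAN !second_inport",
]
```

A LAN client on port 8888 matches line 2, while the same client on port 7777 matches no line, so the outcome on the pass-through port depends on whatever rules or defaults follow.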