
Re: Hole in my thinking

On Friday 08 June 2007 14:15:38 Chris Robertson wrote:

> Had I read more closely, I would have noticed "list of domains"
> regarding the dst ACL.  That would cause problems.  See below.
>
> >>> acl managers-src src "/etc/squid/T_managers"
> >>> acl managers-dst dst "/etc/squid/T_managers-http"
> >>> acl servers-src src "/etc/squid/T_servers"
> >>> acl servers-dst dst "/etc/squid/T_servers-http"
> >>> acl finance-src src "/etc/squid/T_finance"
> >>> acl finance-dst dst "/etc/squid/T_finance-http"
> >>> acl admins-src src "/etc/squid/T_admins"
> >>> acl admins-dst dst all
>
> SNIP
>
> >>> acl clients src 0.0.0.0/0.0.0.0
> >>> acl client-http dst 172.16.10.3
> >>>
> >>> http_access allow managers-src managers-dst
> >>> http_access allow operators-src operators-dst
> >>> http_access allow admins-src admins-dst
> >>> http_access allow servers-src servers-dst
> >>> http_access allow finance-src finance-dst
> >>> http_access allow clients client-http
> >>>
> >>> http_access deny all
> >>> http_reply_access deny all
>
> SNIP
>
> > In the end do you see any reason why operators can get out but not
> > servers?
> >
> > T_admins =
> > 172.16.10.15
> > 172.16.10.21
> > 172.16.10.25
> >
> > T_admins-http =
> > 0.0.0.0
> >
> > T_finance =
> > 172.16.10.146
> > 172.16.10.76
> >
> > T_finance-http =
> > adobe.com
> > amsouth.com
> > anywho.com
> > arin.net
>
> I don't see how anyone (other than the admins) is getting out (anywhere
> but 172.16.10.3).  :o)  The dst ACL is expecting an IP address.  To use
> domains, you should be using dstdomain (and if you want to be
> permissive, you should lead each of those domains with a period,*).
>
> Chris
>
> * Prepending a period to the domain of a dstdomain ACL will match the
> domain and any subdomain. For example, acl dstdomain yahoo.com would
> not match www.yahoo.com, but acl dstdomain .yahoo.com would.

So you are saying that 

	acl managers-dst dst "/etc/squid/T_managers-http"

should really be

	acl managers-dst dstdomain "/etc/squid/T_managers-http"

and in the -http files each domain should be prepended with a period?



-- 

Bobby
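The two changes the thread arrives at (dst to dstdomain in squid.conf, and a leading dot on each entry of the -http files) are mechanical but easy to get half right, so here is an added example that is not part of either poster's message: a POSIX sh script that rewrites a domain list into the form dstdomain expects, reports any entry that is really an IP address (which belongs in a dst ACL and would never match as a host name), and prints the corrected acl line. The file names are the ones quoted in the thread; the list contents are constructed from the T_finance-http excerpt above, with one IP address added on purpose so the check has something to find. All work happens in a temp directory; nothing under /etc/squid is modified.

```shell
#!/bin/sh
# Added example, not taken from the thread. Prepares a Squid "-http" list for
# a dstdomain ACL: every host name gets a leading dot (so .adobe.com matches
# adobe.com and www.adobe.com alike), entries that already start with a dot
# are left alone, and dotted-quad IP addresses are reported separately,
# because dst compares addresses while dstdomain compares host names.

# Dotted-quad pattern used by both the report and the conversion filter.
ip_pat='^[[:space:]]*[0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:]]*$'

# dot_domains: stdin is a domain list, stdout the same list with a leading
# '.' on every entry that lacks one. Surrounding whitespace is trimmed;
# blank lines and '#' comments pass through unchanged.
dot_domains() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/b' -e '/^#/b' -e '/^\./b' \
        -e 's/^/./'
}

# ip_entries: print the lines of a domain list that are IP addresses.
# dstdomain would treat "172.16.10.3" as a host name and never match it.
ip_entries() {
    grep -E "$ip_pat" || true
}

# acl_line: the squid.conf line the thread ends up with, for a given ACL
# name and list file (dstdomain instead of dst).
acl_line() {
    printf 'acl %s dstdomain "%s"\n' "$1" "$2"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed input: the T_finance-http list quoted in the thread, plus one
# deliberately wrong entry (an IP address) so the check below fires.
cat > "$work/T_finance-http" <<'EOF'
adobe.com
amsouth.com
anywho.com
arin.net
172.16.10.3
EOF

echo "entries that are IP addresses, not domains (move these to a dst ACL):"
ip_entries < "$work/T_finance-http"

# Drop the IP lines, dot the rest. This is the file to install in place of
# the original list once it has been reviewed.
grep -vE "$ip_pat" "$work/T_finance-http" | dot_domains > "$work/T_finance-http.new"
echo "converted list:"
cat "$work/T_finance-http.new"

# The matching squid.conf line. With the original "dst" keyword this file
# never matched anything (dst expects IP addresses), so the finance allow
# rule was dead and those clients only got what later rules permitted.
acl_line finance-dst "/etc/squid/T_finance-http"

# Final check, only when squid is installed: parse the real config after
# editing it. Squid also warns at this point if one dstdomain entry is a
# subdomain of another in the same ACL, and ignores the narrower entry.
if command -v squid >/dev/null 2>&1; then
    squid -k parse -f /etc/squid/squid.conf
fi
```

Run it once per -http file, compare the .new output with the original, then replace the file and re-run `squid -k parse` before reloading. Note that the leading dot is the permissive choice Chris describes: `.adobe.com` admits every host under adobe.com, whereas a bare `adobe.com` in a dstdomain list matches that one host name only.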
