The main logic in a nutshell:
acl: elements are ORed (be it a single line, multiple lines or a file)
http_access: a single line's acl elements are ANDed and if matched, you
get a final allow or deny depending on what your line says. If there is no
match, the check goes to the next line.
In your case:
http_access allow msnmessenger
Does the url contain the case insensitive regex "gateway.dll"? If yes
allow connection. This will let through your MSN connections _and_
everything that looks similar (see example in previous mail).
Anything that is not matched by the above goes on to the next rule:
http_access allow msnURL
Is the destination in the list of the given domains? If yes allow
connection. (This includes www.msn.com site browsing for instance).
Both of your rules are enough to let msn through but in this separate
way you have it like this:
- Probably all msn requests are allowed on the first rule and the second
one does nothing.
- You open up a lot of possible requests unauthenticated and also
bypassing possible filters you have after these.
Regards
Bgs
mbaki@xxxxxxxxxxxxxxxx wrote:
Thanks for the tip.
I thought having the 2 rules separately is equivalent to merging them in 1
line, now I know.
So how does squid now interpret "http_access allow msnmessenger msnURL"?
Thank you
The http_access should look like this:
http_access allow msnmessenger msnURL
The two separate lines mean that you allow all kinds of connections to
the listed domains and you also allow all connections that have
gateway.dll in the url (non msnURL sites too).
For example you can browse msn.com without auth and you can also
download http://haxx0r.net/gateway.dll/botnet-client-install.exe :D
Regards
Bgs
Monah Baki wrote:
I think I got it, I am able to connect once I added in my squid.conf the
following
acl msnmessenger url_regex -i gateway.dll
acl msnURL dstdomain .passport.com
acl msnURL dstdomain .live.com
acl msnURL dstdomain .msn.com
http_access allow msnmessenger
http_access allow msnURL
This works on my Mac OS X, will test on Windows.
On Mar 9, 2008, at 10:30 AM, Monah Baki wrote:
Hi all,
I'm running squid with authentication, and my users are running IE.
Of course once they enable proxy in IE setting, MSN no longer works. I
read by using the dstdomain before authentication in your squid.conf,
users are able to use MSN messenger without manually adding the
username and proxy in their MSN setting.
What's the syntax for this in squid.conf?
Thank you
BSD Networking, Microsoft Notworking
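
The rule logic discussed in this thread, as an added illustration that is not part of any message above and is not Squid's own code: a small Python model of "ACL values are ORed, ACLs on one http_access line are ANDed, first matching line decides", run against the two rule sets from the thread. The sample URLs are constructed, and the trailing "deny all" is an assumption standing in for the authenticated rules that would follow.

```python
import re
from urllib.parse import urlsplit

# ACL definitions from the thread; values under one ACL name are ORed.
ACLS = {
    "msnmessenger": ("url_regex", ["gateway.dll"]),
    "msnURL": ("dstdomain", [".passport.com", ".live.com", ".msn.com"]),
    "all": ("all", []),
}

def acl_matches(name, url):
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "url_regex":  # -i: case-insensitive search over the whole URL
        return any(re.search(v, url, re.IGNORECASE) for v in values)
    host = (urlsplit(url).hostname or "").lower()
    # dstdomain ".msn.com" matches msn.com itself and any subdomain of it
    return any(host == v.lstrip(".") or host.endswith(v) for v in values)

def http_access(rules, url):
    """First line whose ACLs all match (AND) decides; later lines are skipped."""
    for action, names in rules:
        if all(acl_matches(n, url) for n in names):
            return action
    return "deny"

# Assumption: "deny all" stands in for the authenticated rules that follow.
SEPARATE = [("allow", ["msnmessenger"]), ("allow", ["msnURL"]), ("deny", ["all"])]
COMBINED = [("allow", ["msnmessenger", "msnURL"]), ("deny", ["all"])]

# Constructed sample URLs (hostnames are illustrative only).
SAMPLES = [
    "http://gateway.messenger.msn.com/gateway/gateway.dll?Action=open",
    "http://www.msn.com/",
    "http://files.example.net/gateway.dll/setup.exe",
]

def compare():
    """Return (url, verdict with separate lines, verdict with combined line)."""
    return [(u, http_access(SEPARATE, u), http_access(COMBINED, u)) for u in SAMPLES]

if __name__ == "__main__":
    for url, sep, comb in compare():
        print(f"separate={sep:5} combined={comb:5} {url}")
```

With the separate lines all three requests are allowed before authentication; with the combined line only the request that both contains gateway.dll and targets a listed domain is.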