On Wed, 30 Sep 2009 09:46:04 +0800, "wangwen" <wangw330@xxxxxxx> wrote:
> Hi All.
>
> I have my question about the use of “acl port” in squid.conf.
>
> Generally the proxy has the following three cases:
>
> 1. Standard proxy cache server: In order to realize this approach, we must
> indicate the IP and port of the proxy server in the browser of every internal
> host.
>
> 2. Transparent proxy cache server: The transparent cache intercepts network
> traffic, filters HTTP traffic (on port 80), and handles the request if the
> item is in the cache.
>
> 3. Reverse proxy cache server: It usually listens on port 80 to accept client
> requests. When guests access the proxy server, they will just feel like they are
> visiting the backend server. Users can't feel the backend server here.
>
> In the first case: Entering “IP:port” in the browser we can access any
> website. According to the IP address and port in the browser, the proxy server
> controls user access. In this case we can use “acl port” in squid.conf to
> control access.
>
> In the second case: Entering “IP:port” in the browser we can access any
> website. But a request URL which does not include port 80 will not be sent to
> the proxy server. I think that “acl port” is useless in this case.
>
> In the third case: Entering “IP of reverse proxy server:port” in the
> browser we can access the backend server. I think that “acl port” is useless
> in this case.
>
> From what we analyzed before, “acl port” only takes effect in the first
> case, or is it? If it is not, can anybody give me some examples of using “acl
> port” in the other cases?
>
> Thank you.

When referring to the receiving http_port in squid, prefer the myportname feature. All other port ACL types are unreliable in some modes.

ACL type "port" - refers to the client destination port when in normal proxy mode. In reverse proxy mode this is the client destination port (provided NAT and load balancers have not been involved anywhere down the chain), which should usually be 80, but may be some other squid receiving accel port if used by web apps or altered by intermediate devices/software.

ACL type "myport" - refers to the squid receiving port. In reverse proxy mode expect this to be identical to the above (aka the client destination port). Usable in forward and reverse proxy mode for non-standard or multiple proxy listening ports.

NOTE: _neither_ of the above methods works reliably in transparent mode. The IP:port for both squid and the client, and the client destination, are volatile based on system NAT capabilities, OR if they are reliably set they should always be 80. Every install combo of operating system, firewall, NAT engine and Squid version needs to be tested to see what the ACL matches. TPROXY interception also faces the same problems with even weirder behavior, setting "myport" to the client source port, which should be completely random and unusable.

ACL type "myportname" - refers to the squid receiving port by explicit name in all modes.

Amos
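As an added illustration of the advice above (example configuration, not from the thread or the Squid project), the squid.conf fragment below names each listening port with `name=` and then writes the access rules against `myportname`, which identifies the receiving port in forward, reverse and intercepted modes alike. Squid 3.1 or later syntax, the port names, the backend address 192.0.2.10 and the site names are assumptions made for this example.

```conf
# Added example: one squid instance serving all three deployment cases,
# with each listening port given an explicit name for ACL matching.
# Port names (fwd, rev, icept), 192.0.2.10 and www.example.com are
# constructed values, not taken from the thread.

# Case 1: forward proxy port configured explicitly in the browsers.
http_port 3128 name=fwd

# Case 3: reverse proxy (accelerator) port in front of one backend server.
http_port 80 accel defaultsite=www.example.com name=rev
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=backend

# Case 2: traffic intercepted by the firewall and redirected here.
http_port 3129 intercept name=icept

# Reliable: match on the receiving port's name in every mode.
acl on_fwd   myportname fwd
acl on_rev   myportname rev
acl on_icept myportname icept

# Fragile alternatives (left disabled): "port" and "myport" depend on
# what NAT did to the addresses, so in intercept/TPROXY mode they may
# not match what the administrator expects.
# acl on_icept_bad myport 3129
# acl std_web      port 80

acl localnet      src 192.168.0.0/16
acl backend_sites dstdomain www.example.com

# Reverse-proxy clients may only reach the published backend site.
http_access allow on_rev backend_sites
http_access deny  on_rev

# Explicit and intercepted clients must come from the LAN.
http_access allow on_fwd localnet
http_access allow on_icept localnet
http_access deny  all

# Only reverse-proxy requests are forwarded to the origin server.
cache_peer_access backend allow on_rev
cache_peer_access backend deny  all
```

After a `squid -k parse` check, `squid -k reconfigure` reloads the rules; access.log then shows which rule each request matched, which is the quickest way to confirm the named ports behave as intended on a given OS/NAT combination.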