Hi Amos

Thank you for your help.
I removed the to_all from_all as suggested by pandu, it's working.

On 02/01/2011 01:56 PM, Amos Jeffries wrote:
>> is not matching in this case, because the domain resolving did not
>> return an ip address. so the request is still the domain name and squid
>> is comparing the domain name with 0/0, which will not match.
>
> What version of Squid is this? The dst ACL has been long fixed not to
> use strings at all but to test the numeric values and return fail on
> unresolvables without any comparisons happening.

version is 2.6, right now. (surely we will upgrade in future)
good to know that this changes.

>> Ok, so i tried to solve by adding these rules:
>> acl to_alldomain dstdom_regex .*
>> http_access allow from_all within_timeframe_rule1 to_alldomain
>> This actually is working, but it seems quite an overhead to me.
>
> Yes it does seem overly complex. Let's look at the parts...
>
> * from_all ... if the request comes from a machine with an IPv4 address
> (0.0.0.0 'self' included).
>
> Since the only way to reach Squid is via IP transport...
> In all Squid older than 3.1 this equates to "true".
> In 3.1 the ACL should be defined "src ipv4" and thinking of it as "all"
> the network is wrong.

thank you for this information. much appreciated for when we upgrade.
we have to change a lot i think.

> * to_alldomain ... if true. every request will match this so you will
> get the same behaviour by removing it entirely.

i did that now. it's working.
thank you!

peter

--
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com :: peter@xxxxxxxxxx