On 20/01/2017 3:01 p.m., creditu wrote:
> Had a question about dst and dstdomain acls. Given the sample below:
>
> http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost
> acl www dstdomain www.example.com dev.example.com
> cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver round-robin
> cache_peer_access 10.10.10.1 allow www
> cache_peer_access 10.10.10.1 deny all
> .......
> http_access allow www
> http_access deny all
>
> When someone tries to access the site by specifying an IP
> (192.168.100.1) instead of the name the client gets a standard access
> denied squid page.

What is the rDNS for 192.168.100.1 ?

The dstdomain you have configured matches only the exact two domains listed.

> It seems that a separate acl needs to be defined for
> when someone tries to access the site using an IP? For instance:
> acl www_ip dst 192.168.100.1

You could add the raw-IP to the www ACL:

  acl www dstdomain -n 192.168.100.1

... but what will 10.10.10.1 do when asked for the site hosted at 192.168.100.1 ?

> If we wanted to pass to the backend we would need to add an extra
> cache_peer_access statement
> cache_peer_access 10.10.10.1 allow www_ip
>
> Then add:
> http_access allow www_ip
>
> Is that correct?

Not for matching raw-IP. The dst will match also for any domain name that resolves to the IP given. If you want an ACL that matches the textual representation of the raw-IP you need to use dstdomain with the -n (no DNS lookup) flag, or the dstdom_regex type.

> If we wanted to not allow IP based requests we would
> still define the acl and use a http_access deny www_ip and then use
> deny_info to redirect or send a TCP Reset?

That is another way, and somewhat better than just accepting the raw-IP URLs to the backend server.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
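Below is an added squid.conf example (not part of the thread, and not Amos's or creditu's configuration) that puts the points of the reply together: the dst ACL that creditu proposed, shown commented out beside the dstdomain -n ACL that actually matches a raw-IP URL, and the deny plus deny_info handling Amos called the better option. It reuses the addresses and names from the original post; the redirect target http://www.example.com/ is an assumed choice.

```squid
# Accelerator front end and origin server, as in the original post.
http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost
cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver round-robin

# The named virtual hosts the backend is meant to serve.
acl www dstdomain www.example.com dev.example.com

# NOT suitable for spotting raw-IP URLs: 'dst' compares the *resolved*
# destination address, so once www.example.com resolves to 192.168.100.1
# this ACL matches those requests as well as http://192.168.100.1/ ones.
# acl www_ip dst 192.168.100.1

# Matches the textual host "192.168.100.1" only. The -n flag disables DNS
# lookups, so no domain name is ever resolved and compared against the IP,
# and no reverse lookup of the IP is attempted.
acl www_ip dstdomain -n 192.168.100.1

# Refuse raw-IP requests and redirect the client to the canonical name
# (deny_info with a URL answers with an HTTP redirect). Assumed target URL.
deny_info http://www.example.com/ www_ip
http_access deny www_ip

# Alternative to the redirect: drop the connection instead.
# deny_info TCP_RESET www_ip

# Only requests for the named hosts are accepted and passed to the backend.
http_access allow www
http_access deny all

cache_peer_access 10.10.10.1 allow www
cache_peer_access 10.10.10.1 deny all
```

The ordering matters in two places: the acl line defining www_ip must precede the deny_info line that references it, and the deny for www_ip must come before the allow for www, otherwise the raw-IP check is never reached for hosts the www ACL would also accept once the -n value is appended to it.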