Search squid archive

Re: Dst and dstdomain ACLs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jan 20, 2017, at 01:42 AM, Amos Jeffries wrote:
> On 20/01/2017 3:01 p.m., creditu wrote:
> > Had a question about dst and dstdomain acls.  Given the sample below:
> > 
> > http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost
> > acl www dstdomain www.example.com dev.example.com
> > cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver
> > round-robin
> > cache_peer_access 10.10.10.1 allow www
> > cache_peer_access 10.10.10.1 deny all
> > .......
> > http_access allow www
> > http_access deny all
> > 
> > When someone tries to access the site by specifying an IP
> > (192.168.100.1) instead of the name the client gets a standard access
> > denied squid page.
> 
> What is the rDNS for 192.168.100.1 ?

Shoot and thanks.  It's a rDNS issue.  We were using vport in a previous
config and it may have not been noticed because of that.

> 
> The dstdomain you have configured only the exact two domains listed to
> match.
> 
> >  It seems that a separate acl needs to be defined for
> > when someone tries to access the site using an IP?  For instance:
> > acl dst www_ip 192.168.100.1
> 
> You could add the raw-IP to the www ACL:
>  acl www dstdomain -n 192.168.100.1
> 
>  ... but what will 10.10.10.1 do when asked for the site hosted at
> 192.168.100.1 ?

10.10.10.1 doesn't allow it, so might as well stop at squid. So, is the
best way be to create an ACL and deny cache peer access then do
something with deny info?  Something like:

acl dstdomain -n 192.168.100.1
cache_peer_access 10.10.10.1 deny www_ip
....
deny_info http://.... www_ip
http_access deny www_ip

> 
> 
> >  
> > If we wanted to pass to the backend we would need to add a extra
> > cache_peer_access statement
> >  cache_peer_access 10.10.10.1 allow www_ip
> > 
> > Then add:
> > http_access allow www_ip
> > 
> > Is that correct?
> 
> Not for matching raw-IP. The dst will match also for any domain name
> that resolves to the IP given.
> 
> If you want an ACL that matches the textual representation of the raw-IP
> you need to use dsdomain with the -n (no DNS lookup) flag, or the
> dstdom_regex type.
> 
> >  If we wanted to not allow IP based requests we would
> > still define the acl and use a http_access deny www_ip  and then use
> > deny_info to redirect or send a TCP Reset?
> 
> That is another way, and somewhat better than just accepting the raw-IP
> URLs to the backend server.
> 
> 
> Amos
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux