On 21/01/2017 3:19 a.m., creditu@xxxxxx wrote:
> On Fri, Jan 20, 2017, at 01:42 AM, Amos Jeffries wrote:
>> On 20/01/2017 3:01 p.m., creditu wrote:
>>> Had a question about dst and dstdomain acls. Given the sample below:
>>>
>>> http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost
>>> acl www dstdomain www.example.com dev.example.com
>>> cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver round-robin
>>> cache_peer_access 10.10.10.1 allow www
>>> cache_peer_access 10.10.10.1 deny all
>>> .......
>>> http_access allow www
>>> http_access deny all
>>>
>>> When someone tries to access the site by specifying an IP
>>> (192.168.100.1) instead of the name the client gets a standard access
>>> denied squid page.
>>
>> What is the rDNS for 192.168.100.1 ?
>
> Shoot and thanks. It's a rDNS issue. We were using vport in a previous
> config and it may have not been noticed because of that.
>
>>
>> The dstdomain you have configured only the exact two domains listed to
>> match.
>>
>>> It seems that a separate acl needs to be defined for
>>> when someone tries to access the site using an IP? For instance:
>>> acl dst www_ip 192.168.100.1
>>
>> You could add the raw-IP to the www ACL:
>> acl www dstdomain -n 192.168.100.1
>>
>> ... but what will 10.10.10.1 do when asked for the site hosted at
>> 192.168.100.1 ?
>
> 10.10.10.1 doesn't allow it, so might as well stop at squid. So, is the
> best way be to create an ACL and deny cache peer access then do
> something with deny info? Something like:
>
> acl www_ip dstdomain -n 192.168.100.1
> cache_peer_access 10.10.10.1 deny www_ip
> ....
> deny_info http://.... www_ip
> http_access deny www_ip
>

Pretty much. But without the cache_peer_access bit. The denied request
never gets near the cache_peer.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
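The configuration this thread converges on, assembled in one place as an added example (not posted by either participant). The `deny_info` URL is a labelled placeholder because the thread elides it, and the placement of the `http_access deny www_ip` line ahead of the allow rule is this example's arrangement.

```squidconf
# Reverse-proxy listener, as in the original post.
http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost

# Exact-match domains that are allowed through to the origin.
acl www dstdomain www.example.com dev.example.com

# Requests addressed to the raw IP. -n disables DNS lookups for this ACL,
# so the match does not depend on what rDNS returns for 192.168.100.1.
acl www_ip dstdomain -n 192.168.100.1

# Origin server. Only the named sites are ever forwarded to it.
cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver round-robin
cache_peer_access 10.10.10.1 allow www
cache_peer_access 10.10.10.1 deny all
# No "cache_peer_access ... deny www_ip" line: a request denied by
# http_access never reaches peer selection.

# Response for raw-IP requests. deny_info is applied when www_ip is the
# last ACL on the http_access deny line that rejected the request.
# PLACEHOLDER URL: substitute the real target, which the thread does not give.
deny_info http://REDIRECT-TARGET.invalid/ www_ip

# Rules are evaluated top to bottom; the first match decides.
http_access deny www_ip
http_access allow www
http_access deny all
```

Running `squid -k parse` against the edited file checks the syntax before the change is loaded.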