
Re: ACLs allow/deny logic

Please bear with me because I still don't quite grasp the AND logic with ACLs.

Let's consider the logic "http_access deny (if) X (and) Y (and) Z" and the following squid configuration section:

[squid.conf - start]
acl denied_restricted1_mimetypes_req req_mime_type -i "/usr/local/proxy-settings/denied.restricted1.mimetypes"
acl denied_restricted1_mimetypes_rep rep_mime_type -i "/usr/local/proxy-settings/denied.restricted1.mimetypes"
acl allowed_restricted1_domains dstdomain -i "/usr/local/proxy-settings/allowed.restricted1.domains"
acl allowed_restricted1_ips dst "/usr/local/proxy-settings/allowed.restricted1.ips"

http_access deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips
http_reply_access deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips

http_access deny intercepted !localnet

http_access allow localnet

http_access deny all
[squid.conf - finish]

In particular:

http_reply_access deny (if) denied_restricted1_mimetypes_rep (and not) allowed_restricted1_domains (and not) allowed_restricted1_ips

where 

denied_restricted1_mimetypes_rep: matches mime type application/octet-stream
allowed_restricted1_domains: matches DESTINATION domain .telegram.org
allowed_restricted1_ips: matches DESTINATION IP addresses (any one of 149.154.167.91 or 149.154.165.120)

So, it should translate to something like this:

http_reply_access deny (if) (mime type is application/octet-stream) (and) (DESTINATION domain is NOT .telegram.org) (and) (DESTINATION IP address is NOT any of 149.154.167.91 or 149.154.165.120)

Correct?
If so, then I'm still struggling to understand the first message in the log:

"The reply for POST http://149.154.165.120/api is DENIED, because it matched allowed_restricted1_ips"

I don't think "the server's reply (application/octet-stream) should be denied" if it comes from one of 149.154.167.91 or 149.154.165.120.

Anyway, I'll try out the configuration directives you suggested and see if that logic applies correctly (at least to my understanding ;-) ).

Thanks for your valuable help,

Vieri
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
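Editor's note, added example (not part of the thread and not Squid's own code): the rule the poster is working through is Squid's documented access-list semantics, which are worth seeing in runnable form. Within one http_access or http_reply_access line the ACL terms are ANDed and "!" negates a term; Squid stops checking a line at the first term that fails; the first line whose terms all match decides; and if no line matches, the default is the opposite of the last line's action. The simulator below encodes the acl and access lines from the post, with constructed stand-ins for the three list files (their real contents are not on the page) and a minimal Transaction record in place of Squid's request state. Under those rules the octet-stream reply from 149.154.165.120 does not match the deny line, because the line's last term, !allowed_restricted1_ips, fails; the simulator also returns the last ACL it checked, which for that transaction is allowed_restricted1_ips. Why the real Squid reported DENIED is not something this example can settle.

```python
"""Simulate Squid access-list evaluation for the config in the post.

Constructed example. The three sets below stand in for the list files
named in the acl lines; the real files' contents are not on the page.
"""
from __future__ import annotations

from dataclasses import dataclass

# Stand-in contents of denied.restricted1.mimetypes, allowed.restricted1.domains
# and allowed.restricted1.ips (constructed from what the post says they match).
DENIED_MIMETYPES = {"application/octet-stream"}
ALLOWED_DOMAINS = {".telegram.org"}
ALLOWED_IPS = {"149.154.167.91", "149.154.165.120"}


@dataclass
class Transaction:
    """Subset of per-request state an ACL term can inspect (assumed shape)."""
    method: str
    host: str                   # host part of the URL (name or IP literal)
    dst_ip: str                 # resolved destination address
    req_mime: str = ""          # Content-Type of the request body
    rep_mime: str = ""          # Content-Type of the server reply
    src_is_localnet: bool = True
    intercepted: bool = False


def dstdomain_match(host: str, patterns: set[str]) -> bool:
    """Squid dstdomain semantics: a leading dot matches the domain and its subdomains."""
    host = host.lower()
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


# ACL name -> predicate, one entry per acl line in the post (plus the
# intercepted/localnet/all ACLs the access lines reference).
ACLS = {
    "denied_restricted1_mimetypes_req": lambda t: t.req_mime.lower() in DENIED_MIMETYPES,
    "denied_restricted1_mimetypes_rep": lambda t: t.rep_mime.lower() in DENIED_MIMETYPES,
    "allowed_restricted1_domains": lambda t: dstdomain_match(t.host, ALLOWED_DOMAINS),
    "allowed_restricted1_ips": lambda t: t.dst_ip in ALLOWED_IPS,
    "intercepted": lambda t: t.intercepted,
    "localnet": lambda t: t.src_is_localnet,
    "all": lambda t: True,
}


def evaluate(rules: list[str], t: Transaction) -> tuple[str, str | None]:
    """Apply Squid's access-list rules to 'allow|deny acl [!acl ...]' lines.

    - Terms on one line are ANDed; a leading '!' negates a term.
    - A line stops being evaluated at the first term that does not match.
    - The first line whose terms all match decides the result.
    - If no line matches, the default is the opposite of the last line's action.
    Returns (decision, name of the last ACL checked).
    """
    last_checked = None
    action = "allow"
    for rule in rules:
        action, *terms = rule.split()
        line_matches = True
        for term in terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            last_checked = name
            # A term fails when the ACL result equals the negation flag:
            # a matching ACL under '!' or a non-matching ACL without it.
            if ACLS[name](t) == negated:
                line_matches = False
                break
        if line_matches:
            return action, last_checked
    return ("deny" if action == "allow" else "allow"), last_checked


# The access lines exactly as written in the post.
HTTP_ACCESS = [
    "deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips",
    "deny intercepted !localnet",
    "allow localnet",
    "deny all",
]
HTTP_REPLY_ACCESS = [
    "deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips",
]


def telegram_reply() -> tuple[str, str | None]:
    """The reply from the post: POST to an IP literal, octet-stream body coming back."""
    t = Transaction(method="POST", host="149.154.165.120", dst_ip="149.154.165.120",
                    rep_mime="application/octet-stream")
    return evaluate(HTTP_REPLY_ACCESS, t)


def unlisted_reply() -> tuple[str, str | None]:
    """Same MIME type from a host on neither list: all three terms hold, so deny."""
    t = Transaction(method="GET", host="example.invalid", dst_ip="203.0.113.10",
                    rep_mime="application/octet-stream")
    return evaluate(HTTP_REPLY_ACCESS, t)


def telegram_request() -> tuple[str, str | None]:
    """A plain GET from localnet: the first two lines fail, 'allow localnet' decides."""
    t = Transaction(method="GET", host="api.telegram.org", dst_ip="149.154.167.91")
    return evaluate(HTTP_ACCESS, t)


if __name__ == "__main__":
    for label, fn in (("reply 149.154.165.120", telegram_reply),
                      ("reply unlisted host", unlisted_reply),
                      ("request api.telegram.org", telegram_request)):
        decision, last = fn()
        print(f"{label}: {decision} (last ACL checked: {last})")
```

The "last ACL checked" value is there because short-circuit evaluation means a line that ultimately does not match still leaves a trace of the term it stopped on; it is a property of the simulation's evaluation order, not a claim about what Squid writes to cache.log.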
