[squid-users] Dst and dstdomain ACLs

creditu at eml.cc
Fri Jan 20 14:19:41 UTC 2017


On Fri, Jan 20, 2017, at 01:42 AM, Amos Jeffries wrote:
> On 20/01/2017 3:01 p.m., creditu wrote:
> > Had a question about dst and dstdomain acls.  Given the sample below:
> > 
> > http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost
> > acl www dstdomain www.example.com dev.example.com
> > cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver
> > round-robin
> > cache_peer_access 10.10.10.1 allow www
> > cache_peer_access 10.10.10.1 deny all
> > .......
> > http_access allow www
> > http_access deny all
> > 
> > When someone tries to access the site by specifying an IP
> > (192.168.100.1) instead of the name the client gets a standard access
> > denied squid page.
> 
> What is the rDNS for 192.168.100.1 ?

Shoot and thanks.  It's an rDNS issue.  We were using vport in a previous
config and it may not have been noticed because of that.

> 
> The dstdomain you have configured matches only the exact two domains
> listed.
> 
> >  It seems that a separate acl needs to be defined for
> > when someone tries to access the site using an IP?  For instance:
> > acl www_ip dst 192.168.100.1
> 
> You could add the raw-IP to the www ACL:
>  acl www dstdomain -n 192.168.100.1
> 
>  ... but what will 10.10.10.1 do when asked for the site hosted at
> 192.168.100.1 ?

10.10.10.1 doesn't allow it, so might as well stop at squid. So, would the
best way be to create an ACL, deny cache peer access, and then do
something with deny_info?  Something like:

acl www_ip dstdomain -n 192.168.100.1
cache_peer_access 10.10.10.1 deny www_ip
....
deny_info http://.... www_ip
http_access deny www_ip

> 
> 
> >  
> > If we wanted to pass to the backend we would need to add an extra
> > cache_peer_access statement
> >  cache_peer_access 10.10.10.1 allow www_ip
> > 
> > Then add:
> > http_access allow www_ip
> > 
> > Is that correct?
> 
> Not for matching raw-IP. The dst will match also for any domain name
> that resolves to the IP given.
> 
> If you want an ACL that matches the textual representation of the raw-IP
> you need to use dstdomain with the -n (no DNS lookup) flag, or the
> dstdom_regex type.
> 
> >  If we wanted to not allow IP based requests we would
> > still define the acl and use an http_access deny www_ip and then use
> > deny_info to redirect or send a TCP Reset?
> 
> That is another way, and somewhat better than just accepting the raw-IP
> URLs to the backend server.
> 
> 
> Amos
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
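Pulling the thread's pieces into one squid.conf fragment, as an added example that neither participant posted; the hostnames and addresses are the ones from the thread, and the redirect target URL is an assumption:

```conf
# Added example (not from the thread): the two ACLs the discussion arrives at,
# with the raw-IP deny placed before the hostname allow.
http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost

# Hostnames that should reach the origin. A plain dstdomain does a reverse
# DNS lookup on raw-IP URLs, so a matching PTR record could let them through.
acl www dstdomain www.example.com dev.example.com

# Textual raw-IP match: -n disables DNS lookups (dstdom_regex works too).
acl www_ip dstdomain -n 192.168.100.1

cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver round-robin
cache_peer_access 10.10.10.1 deny www_ip
cache_peer_access 10.10.10.1 allow www
cache_peer_access 10.10.10.1 deny all

# Redirect raw-IP requests to the canonical name (target URL is assumed).
# The deny must precede the allow for www so rDNS cannot turn a raw-IP
# request into an allowed one. To drop the connection instead, use:
#   deny_info TCP_RESET www_ip
deny_info http://www.example.com/ www_ip
http_access deny www_ip
http_access allow www
http_access deny all
```

deny_info only fires when the ACL named on it is the last one on the matching http_access deny line, which is why www_ip sits alone on its deny line.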
