[squid-users] Dst and dstdomain ACLs
Amos Jeffries
squid3 at treenet.co.nz
Fri Jan 20 17:33:11 UTC 2017
On 21/01/2017 3:19 a.m., creditu at eml.cc wrote:
> On Fri, Jan 20, 2017, at 01:42 AM, Amos Jeffries wrote:
>> On 20/01/2017 3:01 p.m., creditu wrote:
>>> Had a question about dst and dstdomain acls. Given the sample below:
>>>
>>> http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost
>>> acl www dstdomain www.example.com dev.example.com
>>> cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver round-robin
>>> cache_peer_access 10.10.10.1 allow www
>>> cache_peer_access 10.10.10.1 deny all
>>> .......
>>> http_access allow www
>>> http_access deny all
>>>
>>> When someone tries to access the site by specifying an IP
>>> (192.168.100.1) instead of the name the client gets a standard access
>>> denied squid page.
>>
>> What is the rDNS for 192.168.100.1 ?
>
> Shoot and thanks. It's a rDNS issue. We were using vport in a previous
> config and it may have not been noticed because of that.
>
>>
>> The dstdomain you have configured matches only the exact two domains
>> listed.
>>
>>> It seems that a separate acl needs to be defined for
>>> when someone tries to access the site using an IP? For instance:
>>> acl www_ip dst 192.168.100.1
>>
>> You could add the raw-IP to the www ACL:
>> acl www dstdomain -n 192.168.100.1
>>
>> ... but what will 10.10.10.1 do when asked for the site hosted at
>> 192.168.100.1 ?
>
> 10.10.10.1 doesn't allow it, so we might as well stop at squid. So, would
> the best way be to create an ACL and deny cache peer access, then do
> something with deny_info? Something like:
>
> acl www_ip dstdomain -n 192.168.100.1
> cache_peer_access 10.10.10.1 deny www_ip
> ....
> deny_info http://.... www_ip
> http_access deny www_ip
>
Pretty much. But without the cache_peer_access bit. The denied request
never gets near the cache_peer.
Amos
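The complete accelerator fragment that results from Amos's advice, written out here as an added example rather than taken from the thread. The addresses and hostnames are the ones used in the thread; the redirect target given to deny_info is an assumed placeholder, and the comments summarise Squid's documented dstdomain behaviour.

```conf
# Added example (not from the thread): reverse proxy that serves the two
# hostnames and redirects raw-IP requests instead of showing the generic
# access-denied page. Redirect target is an assumption.
http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost

# Hostnames the origin at 10.10.10.1 actually serves. Without -n, a raw IP
# in the request is reverse-resolved before matching, so the outcome then
# depends on the rDNS of 192.168.100.1 (the cause of the original symptom).
acl www dstdomain www.example.com dev.example.com

# Requests that name the proxy's own IP instead of a hostname. -n disables
# the reverse lookup, so the literal address is compared.
acl www_ip dstdomain -n 192.168.100.1

# Redirect raw-IP requests to the canonical hostname. deny_info is keyed on
# the last ACL of the http_access deny line that matched, so www_ip needs
# its own deny line ahead of "deny all"; otherwise the deny comes from
# "all" and this deny_info never fires.
deny_info http://www.example.com/ www_ip
http_access deny www_ip

http_access allow www
http_access deny all

# Only www traffic reaches the origin. Requests denied above never get here,
# so no cache_peer_access rule for www_ip is needed.
cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver round-robin
cache_peer_access 10.10.10.1 allow www
cache_peer_access 10.10.10.1 deny all
```

Check the syntax with `squid -k parse` before reloading. Note that in accel vhost mode the domain being matched comes from the client's Host header, so a client that sends the IP (or any unlisted name) as Host is handled by the www_ip or the final deny line, never forwarded to the origin.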