[squid-users] limit access with acl only based on source and destination domain

Amos Jeffries squid3 at treenet.co.nz
Wed May 3 13:18:45 UTC 2017

On 03/05/17 12:40, Blaxton wrote:
> Hi
> I am trying to limit the out bound connection based on list of domain 
> names defined
> in srcdomain and dstdomain.
> Here is acl :
> acl From_Source_Domains srcdomain domain1 domain2 domain3
> acl To_Destination_Domains dstdomain domain4 domain5 domain6
> Now some web site says below considered OR and it is working for me:
> http_access allow From_Source_Domains
> http_access allow To_Destination_Domains
> And some web sites saying below considered AND but it is not working 
> for me:
> http_access allow From_Source_Domains To_Destination_Domains
> I am assuming since I have not allowed any port, then port should be 
> disabled
> but it is not, on OR of the src and dst domains.

No, ports are not part of that line's rule. There is no enable/disable - 
they are simply irrelevant when processing that line.

Traffic which gets filtered by that line coming from any client whose IP 
address rDNS matches one of the "From_Source_Domains" AND URL contains 
one of the "To_Destination_Domains" gets allowed into Squid.

> If add
> acl http_port port 80
> http_access allow http_port
> Then it allows traffic from any source to any destination if port is 80.
> Kind of confusing and need a bit of help.

The "how" is simple:

   http_access lines are processed from top to bottom, left to right. 
First fully matching line wins and its action (allow or deny) happens.

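The matching rules Amos describes (ACLs on one http_access line are ANDed, separate lines are ORed, first fully matching line wins, ports only matter where a port ACL is on the line) can be checked with a small evaluator. The following is an added example and not part of the thread or of Squid itself: it parses a constructed squid.conf fragment (hypothetical domain names, the port ACL written with its `port` type) and evaluates sample requests the way Squid walks the http_access list, including the default of taking the opposite of the last line's action when nothing matches.

```python
from typing import Dict, List, Tuple

# Constructed squid.conf fragment with hypothetical domain names; it mirrors
# the three http_access lines discussed in the thread.
SQUID_CONF = """
acl From_Source_Domains srcdomain .src-a.example .src-b.example
acl To_Destination_Domains dstdomain .dst-x.example .dst-y.example
acl http_port port 80
http_access allow From_Source_Domains To_Destination_Domains
http_access allow http_port
http_access deny all
"""

Acl = Tuple[str, List[str]]          # (acl type, values)
Rule = Tuple[str, List[str]]         # (action, acl names, possibly "!"-prefixed)


def parse_conf(text: str) -> Tuple[Dict[str, Acl], List[Rule]]:
    """Parse only the 'acl' and 'http_access' directives of a squid.conf."""
    acls: Dict[str, Acl] = {"all": ("all", [])}   # 'all' is built in to Squid
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def domain_matches(value: str, host: str) -> bool:
    # srcdomain/dstdomain semantics: a leading dot matches the domain itself
    # and every subdomain; without a dot the host must match exactly.
    value, host = value.lower(), host.lower()
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value


def acl_matches(acl: Acl, request: dict) -> bool:
    acl_type, values = acl
    if acl_type == "all":
        return True
    if acl_type == "srcdomain":      # reverse-DNS name of the client IP
        return any(domain_matches(v, request["client_rdns"]) for v in values)
    if acl_type == "dstdomain":      # host part of the request URL
        return any(domain_matches(v, request["dst_host"]) for v in values)
    if acl_type == "port":           # destination port of the request URL
        return any(request["dst_port"] == int(v) for v in values)
    raise ValueError(f"unsupported acl type: {acl_type}")


def evaluate(acls: Dict[str, Acl], rules: List[Rule], request: dict) -> str:
    """Walk http_access lines top to bottom; within a line every ACL (left to
    right) must match, i.e. AND. The first fully matching line decides. If no
    line matches, Squid applies the opposite of the last line's action."""
    for action, names in rules:
        matched = True
        for name in names:
            negate = name.startswith("!")
            hit = acl_matches(acls[name.lstrip("!")], request)
            if hit == negate:        # ACL failed (or negated ACL matched)
                matched = False
                break
        if matched:
            return action
    last_action = rules[-1][0] if rules else "deny"
    return "deny" if last_action == "allow" else "allow"


def decide(client_rdns: str, dst_host: str, dst_port: int,
           conf: str = SQUID_CONF) -> str:
    acls, rules = parse_conf(conf)
    return evaluate(acls, rules, {"client_rdns": client_rdns,
                                  "dst_host": dst_host, "dst_port": dst_port})


if __name__ == "__main__":
    # Constructed sample requests; the port is irrelevant on the AND line and
    # decisive on the port-only line.
    for req in [("pc1.src-a.example", "www.dst-x.example", 8443),
                ("pc1.src-a.example", "www.other.example", 8443),
                ("guest.elsewhere.example", "www.other.example", 80)]:
        print(req, "->", decide(*req))
```

Swapping the two ACL names onto separate http_access lines in `SQUID_CONF` turns the AND into an OR, which is the difference the original poster observed; removing the final `deny all` line shows why an explicit last line matters.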