[squid-users] limit access with acl only based on source and destination domain

Amos Jeffries squid3 at treenet.co.nz
Wed May 3 13:18:45 UTC 2017


On 03/05/17 12:40, Blaxton wrote:
> Hi
>
> I am trying to limit the out bound connection based on list of domain 
> names defined
> in srcdomain and dstdomain.
>
> Here is acl :
>
> acl From_Source_Domains srcdomain domain1 domain2 domain3
> acl To_Destination_Domains dstdomain domain4 domain5 domain6
>
> Now some web site says below considered OR and it is working for me:
> http_access allow From_Source_Domains
> http_access allow To_Destination_Domains
>
> And some web sites saying below considered AND but it is not working 
> for me:
> http_access allow From_Source_Domains To_Destination_Domains
>
> I am assuming since I have not allowed any port, then port should be 
> disabled
> but it is not, on OR of the src and dst domains.

No, ports are not part of that lines rule. There is no enable/disable - 
they are simply irrelevant when processing that line.

Traffic which gets filtered by that line coming from any client whose IP 
address rDNS matches one of the "From_Source_Domains" AND URL contains 
one of the "To_Destination_Domains" gets allowed into Squid.

>
> If add
> acl http_port 80
> http_access allow http_port
>
> Then it allow traffic from any source to any destination if port is 80.
>
> Kind of confusing and need a bit of help.

The "how" is simple:

   http_access lines are processed from top to bottom, left to right. 
First fully matching line wins and its action (allow or deny) happens.

<wiki.squid-cache.org/SquidFaq/OrderIsImportant>
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#The_Basics:_How_the_parts_fit_together>
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes>

Amos


More information about the squid-users mailing list