[squid-users] Whitelist domain ignored?

[Matus UHLAR - fantomas]

>>> On 6/10/2016 11:56 a.m., Jose Torres-Berrocal wrote:
>>>> acl whitelist2 dstdom_regex -i "whitelist.acl"
>>>>
>>>> Where whitelist.acl content:
>>>> ^familymedicinepr\.com$
>>>> ^mail\.yahoo\.com$
>>>> ^neodecksoftware\.com$
>>>> ^office\.net$
>>>> \.familymedicinepr\.com$
>>>> \.mail\.yahoo\.com$
>>>> \.neodecksoftware\.com$
>>>> \.office\.net$

>> On 10/05/2016 11:45 PM, Amos Jeffries wrote:
>>> There is a simpler way if you are going to insisit on regex instead of
>>> dstdomain. Starting the pattern with an optional '.' character:  \.?
>>>
>>> So whitelist.acl content:
>>>
>>> \.?familymedicinepr\.com$
>>> \.?mail\.yahoo\.com$
>>> \.?neodecksoftware\.com$
>>> \.?office\.net$

>On Thu, Oct 6, 2016 at 1:28 PM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>> That simpler way is incorrect AFAICT: The top/correct ACL list does not
>> match "xoffice.net" but yours does.

On 06.10.16 13:52, Jose Torres-Berrocal wrote:
>"dstdomain .office.net" does not match xoffice.net domain.  I do not
>want to match xoffice.net with the regex.

That's precisely why Alex noted that Amos' regex is incorrect.

In fact:

acl whitelist2 dstdomain .neodecksoftware.com

is equivalent to:

acl whitelist2 dstdom_regex ^neodecksoftware\.com$ .*\.neodecksoftware\.com$

or:

acl whitelist2 dstdom_regex ^(.*\.)?neodecksoftware\.com$

because is matches domain itself (neodecksoftware.com) as long as subdomains
(*.neodecksoftware.com).

And this is why Amos said that:
"Using dstdomain in this case is better though since the comparison is
shorter and faster than regex."

whenever you can, use dstdomain insted of dstdom_regex.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.