[squid-users] Dst and dstdomain ACLs
Amos Jeffries
squid3 at treenet.co.nz
Fri Jan 20 08:42:19 UTC 2017
On 20/01/2017 3:01 p.m., creditu wrote:
> Had a question about dst and dstdomain acls. Given the sample below:
>
> http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost
> acl www dstdomain www.example.com dev.example.com
> cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver
> round-robin
> cache_peer_access 10.10.10.1 allow www
> cache_peer_access 10.10.10.1 deny all
> .......
> http_access allow www
> http_access deny all
>
> When someone tries to access the site by specifying an IP
> (192.168.100.1) instead of the name the client gets a standard access
> denied squid page.
What is the rDNS for 192.168.100.1?
The dstdomain you have configured matches only the exact two domains
listed.
> It seems that a separate acl needs to be defined for
> when someone tries to access the site using an IP? For instance:
> acl www_ip dst 192.168.100.1
You could add the raw-IP to the www ACL:
acl www dstdomain -n 192.168.100.1
... but what will 10.10.10.1 do when asked for the site hosted at
192.168.100.1?
>
> If we wanted to pass to the backend we would need to add a extra
> cache_peer_access statement
> cache_peer_access 10.10.10.1 allow www_ip
>
> Then add:
> http_access allow www_ip
>
> Is that correct?
Not for matching raw-IP. The dst type will also match any domain name
that resolves to the IP given.
If you want an ACL that matches the textual representation of the raw-IP
you need to use dstdomain with the -n (no DNS lookup) flag, or the
dstdom_regex type.
> If we wanted to not allow IP based requests we would
> still define the acl and use a http_access deny www_ip and then use
> deny_info to redirect or send a TCP Reset?
That is another way, and somewhat better than just accepting the raw-IP
URLs to the backend server.
Amos
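As an added example (not from the thread, and not a configuration Amos or the questioner posted), here is the question's reverse-proxy snippet reworked along the lines of the reply above: raw-IP requests are matched with a DNS-free dstdomain ACL and refused with deny_info instead of being passed to the origin server. The addresses and host names are the ones from the question; the redirect target and the commented dstdom_regex variant are assumptions.

```conf
# Added example, not the original poster's config. Addresses and names
# are taken from the question; the redirect target is an assumption.

http_port 192.168.100.1:80 accel defaultsite=www.example.com vhost

# Named sites the origin server is allowed to serve. dstdomain compares
# the host part of the request URL literally; with "vhost" that host
# comes from the Host header, so "Host: 192.168.100.1" matches neither
# name below and falls through to "http_access deny all".
acl www dstdomain www.example.com dev.example.com

# Requests that address the proxy by raw IP. The -n flag stops Squid
# doing any DNS lookup, so this matches only the literal text
# "192.168.100.1" in the URL host, not names that resolve to it.
acl raw_ip dstdomain -n 192.168.100.1

# Do NOT use the dst type for this. dst resolves names, so if
# www.example.com resolves to 192.168.100.1 (it does for a site being
# accelerated on that address) every request for the named site would
# match too, and "http_access deny www_ip" would block everything.
#acl www_ip dst 192.168.100.1

# Assumed alternative: catch any dotted-quad host, not just this one
# address, for a proxy reachable on several IPs.
#acl raw_ip dstdom_regex -n ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

cache_peer 10.10.10.1 parent 80 0 no-query no-digest originserver round-robin
cache_peer_access 10.10.10.1 allow www
cache_peer_access 10.10.10.1 deny all

# deny_info chooses the reply for the ACL that caused the deny, so it
# must name raw_ip. Pick one: redirect clients to the canonical name
# (assumed target) or reset the connection.
deny_info 301:http://www.example.com/ raw_ip
#deny_info TCP_RESET raw_ip

# Order matters: the deny for raw-IP requests must come before the
# allow for the named sites, and before the catch-all deny.
http_access deny raw_ip
http_access allow www
http_access deny all
```

Check the result with two requests to the proxy, one sending `Host: www.example.com` and one sending `Host: 192.168.100.1`: the first should be forwarded to 10.10.10.1, the second should get the 301 (or a reset) rather than the standard access-denied page, and access.log should show the raw-IP request denied by the raw_ip ACL without a DNS lookup being made.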