[squid-users] ACLs allow/deny logic
Vieri
rentorbuy at yahoo.com
Tue Jun 27 06:31:41 UTC 2017
Please bear with me because I still don't quite grasp the AND logic with ACLs.
Let's consider the logic "http_access deny (if) X (and) Y (and) Z" and the following squid configuration section:
[squid.conf - start]
acl denied_restricted1_mimetypes_req req_mime_type -i "/usr/local/proxy-settings/denied.restricted1.mimetypes"
acl denied_restricted1_mimetypes_rep rep_mime_type -i "/usr/local/proxy-settings/denied.restricted1.mimetypes"
acl allowed_restricted1_domains dstdomain -i "/usr/local/proxy-settings/allowed.restricted1.domains"
acl allowed_restricted1_ips dst "/usr/local/proxy-settings/allowed.restricted1.ips"
http_access deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips
http_reply_access deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips
http_access deny intercepted !localnet
http_access allow localnet
http_access deny all
[squid.conf - finish]
In particular:
http_reply_access deny (if) denied_restricted1_mimetypes_rep (and not) allowed_restricted1_domains (and not) allowed_restricted1_ips
where
denied_restricted1_mimetypes_rep: matches mime type application/octet-stream
allowed_restricted1_domains: matches DESTINATION domain .telegram.org
allowed_restricted1_ips: matches DESTINATION IP addresses (any one of 149.154.167.91 or 149.154.165.120)
So, it should translate to something like this:
http_reply_access deny (if) (mime type is application/octet-stream) (and) (DESTINATION domain is NOT .telegram.org) (and) (DESTINATION IP address is NOT any of 149.154.167.91 or 149.154.165.120)
Correct?
If so, then I'm still struggling to understand the first message in the log:
"The reply for POST http://149.154.165.120/api is DENIED, because it matched allowed_restricted1_ips"
I don't think "the server's reply (application/octet-stream) should be denied" if it comes from one of 149.154.167.91 or 149.154.165.120.
Anyway, I'll try out the configuration directives you suggested and see if that logic applies correctly (at least to my understanding ;-) ).
Thanks for your valuable help,
Vieri
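Added example (not from the post and not Squid's own code): a small Python model of the evaluation rule the post spells out, where every ACL on one http_reply_access line must match (AND), a leading "!" negates an ACL, and the first line whose ACLs all match decides. It loads the post's three reply ACLs with the values described and runs the reply from the log line through them; the "dst" ACL is approximated by reading the IP literal out of the URL rather than doing Squid's DNS lookup, and the no-match default (the opposite of the last line's action) is an assumption taken from how the Squid documentation describes it.

```python
from urllib.parse import urlsplit

# ACL definitions mirroring the posted squid.conf; the file contents are
# constructed from the values the post describes.
ACLS = {
    "denied_restricted1_mimetypes_rep": ("rep_mime_type", {"application/octet-stream"}),
    "allowed_restricted1_domains": ("dstdomain", {".telegram.org"}),
    "allowed_restricted1_ips": ("dst", {"149.154.167.91", "149.154.165.120"}),
}

# The http_reply_access line from the post, as (action, [acl tokens]).
RULES = [
    ("deny", ["denied_restricted1_mimetypes_rep",
              "!allowed_restricted1_domains", "!allowed_restricted1_ips"]),
]

def acl_matches(name, reply):
    acl_type, values = ACLS[name]
    if acl_type == "rep_mime_type":
        return reply["reply_mime"].lower() in values
    host = urlsplit(reply["url"]).hostname or ""
    if acl_type == "dstdomain":
        # A leading-dot entry matches the domain itself and every subdomain.
        return any(host == v.lstrip(".") or host.endswith(v) for v in values)
    if acl_type == "dst":
        # Assumption: host is an IP literal (Squid would resolve a name via DNS).
        return host in values
    raise ValueError(acl_type)

def evaluate(rules, reply):
    """Return (action, tokens that matched). A line applies only if every
    one of its ACLs matches; the first such line wins. With no matching
    line, the opposite of the last line's action is assumed to apply."""
    for action, tokens in rules:
        matched = []
        for token in tokens:
            negated = token.startswith("!")
            hit = acl_matches(token.lstrip("!"), reply)
            if hit == negated:        # this ACL failed, so the whole line fails
                break
            matched.append(token)
        else:
            return action, matched
    return ("allow" if rules[-1][0] == "deny" else "deny"), []

# Constructed samples: the reply from the post's log line, and an unrelated one.
TELEGRAM_REPLY = {"url": "http://149.154.165.120/api", "reply_mime": "application/octet-stream"}
OTHER_REPLY = {"url": "http://example.invalid/dl", "reply_mime": "application/octet-stream"}

if __name__ == "__main__":
    for r in (TELEGRAM_REPLY, OTHER_REPLY):
        print(r["url"], "->", evaluate(RULES, r))
```

Under this model the reply from 149.154.165.120 fails the line at !allowed_restricted1_ips and is not denied by it, while the same MIME type from an unlisted host is.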