[squid-users] limit access with acl only based on source and destination domain
Amos Jeffries
squid3 at treenet.co.nz
Wed May 3 13:18:45 UTC 2017
On 03/05/17 12:40, Blaxton wrote:
> Hi
>
> I am trying to limit the out bound connection based on list of domain
> names defined
> in srcdomain and dstdomain.
>
> Here is acl :
>
> acl From_Source_Domains srcdomain domain1 domain2 domain3
> acl To_Destination_Domains dstdomain domain4 domain5 domain6
>
> Now some web site says below considered OR and it is working for me:
> http_access allow From_Source_Domains
> http_access allow To_Destination_Domains
>
> And some web sites saying below considered AND but it is not working
> for me:
> http_access allow From_Source_Domains To_Destination_Domains
>
> I am assuming since I have not allowed any port, then port should be
> disabled
> but it is not, on OR of the src and dst domains.
No, ports are not part of that lines rule. There is no enable/disable -
they are simply irrelevant when processing that line.
Traffic which gets filtered by that line coming from any client whose IP
address rDNS matches one of the "From_Source_Domains" AND URL contains
one of the "To_Destination_Domains" gets allowed into Squid.
>
> If add
> acl http_port 80
> http_access allow http_port
>
> Then it allow traffic from any source to any destination if port is 80.
>
> Kind of confusing and need a bit of help.
The "how" is simple:
http_access lines are processed from top to bottom, left to right.
First fully matching line wins and its action (allow or deny) happens.
<wiki.squid-cache.org/SquidFaq/OrderIsImportant>
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#The_Basics:_How_the_parts_fit_together>
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes>
Amos
More information about the squid-users
mailing list