[squid-users] limit access with acl only based on source and destination domain

Blaxton blaxxton at yahoo.com
Fri May 5 03:47:47 UTC 2017


What is the difference between :
http_access allow From_Source_Domains
http_access allow To_Destination_Domains

And

http_access allow From_Source_Domains To_Destination_Domains

?


      From: Amos Jeffries <squid3 at treenet.co.nz>
 To: squid-users at lists.squid-cache.org 
 Sent: Wednesday, May 3, 2017 8:19 AM
 Subject: Re: [squid-users] limit access with acl only based on source and destination domain
   
On 03/05/17 12:40, Blaxton wrote:
> Hi
>
> I am trying to limit the out bound connection based on list of domain 
> names defined
> in srcdomain and dstdomain.
>
> Here is acl :
>
> acl From_Source_Domains srcdomain domain1 domain2 domain3
> acl To_Destination_Domains dstdomain domain4 domain5 domain6
>
> Now some web site says below considered OR and it is working for me:
> http_access allow From_Source_Domains
> http_access allow To_Destination_Domains
>
> And some web sites saying below considered AND but it is not working 
> for me:
> http_access allow From_Source_Domains To_Destination_Domains
>
> I am assuming since I have not allowed any port, then port should be 
> disabled
> but it is not, on OR of the src and dst domains.

No, ports are not part of that lines rule. There is no enable/disable - 
they are simply irrelevant when processing that line.

Traffic which gets filtered by that line coming from any client whose IP 
address rDNS matches one of the "From_Source_Domains" AND URL contains 
one of the "To_Destination_Domains" gets allowed into Squid.

>
> If add
> acl http_port 80
> http_access allow http_port
>
> Then it allow traffic from any source to any destination if port is 80.
>
> Kind of confusing and need a bit of help.

The "how" is simple:

  http_access lines are processed from top to bottom, left to right. 
First fully matching line wins and its action (allow or deny) happens.

<wiki.squid-cache.org/SquidFaq/OrderIsImportant>
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#The_Basics:_How_the_parts_fit_together>
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes>

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170505/8009cb0a/attachment.html>


More information about the squid-users mailing list