[buug] squid
James Howard
jim at calico.homeip.net
Tue Oct 14 12:25:20 PDT 2003
John,
The default squid.conf file is very well commented. Check out the tagged
acl section for the conventions allowed for host specification. Note, IPs
and networks need to be specified with a subnet mask (either long or short
form will do). If a domain name is instead given, it will be resolved by
reverse lookup.
src and srcdomain refer to the client which makes the url request to the
proxy server. dst and dstdomain refer to the url request itself.
acl myNet src 192.168.165.0
> fix this by adding subnet mask
acl badlist dstdomain jjdev.com
> needs leading dot assuming jjdev.com is many hosts
acl badIPs dst 66.74.136.240
> needs subnet mask
acls can be additive...
acl badguys dstdomain .doubleclick.com
acl badguys dstdomain .fastclick.com
acl badguys dst 192.168.1.0/24
all specify what "badguys" matches.
As for access...
http_access deny badlist
> requests for URLs specified in badlist will not be served, regardless
of where they come from.
http_access deny badIPs
> same here.
http_access allow myNet
> allow requests from my net
http_access deny all
> deny everything that hasn't been matched...
On that last note, realize that access works on a first match basis. Once
a match is found, we exit the chain.
-Jim
On Tue, 14 Oct 2003, johnd wrote:
> anyone familiar with squid? I am having a hard time understanding
> how to configure it.
>
> for one thing
>
> the online docs say:
> ------------------------
> Example 6-8. Filtering out unwanted destination sites
>
> acl badDomains dstdomain adomain.example
> acl badIPs dst 10.255.1.2
> http_access deny badlist
> http_access deny badIPs
> http_access allow myNet
> http_access deny all
>
>
> ------------------------
>
> this seems to be a typo. badlist is undefined.
>
> I changed badDomains to badlist and it works...just makes me wonder.
>
>
> my goal is to have it so I have a list of domains that squid will proxy to
>
> I guess I'm not understanding what an ACL is all about.
>
> I was able to put this at the end of the default file:
>
> acl myNet src 192.168.165.0
> acl badlist dstdomain jjdev.com
> acl badIPs dst 66.74.136.240
> http_access deny badlist
> http_access deny badIPs
> http_access allow myNet
> http_access deny all
>
>
> it does the opposite of what I want kind of...It only filters domains listed.
>
> I want to filter all and only allow listed domains.
>
> I thought I could just flip it around to:
>
> like allow badlist and badIPs (I'd probably change the name to good) and denyall
>
> but it doesn't work...any ideas?
>
>
>
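
The first-match rule and the additive ACLs discussed in the thread above, as an added example that is not part of the original messages: a simplified Python model (not Squid's own code) that evaluates three http_access orderings against constructed requests. The /24 mask on myNet, the goodDomains ACL and its entries, and the rule-list names are assumptions for illustration.

```python
import ipaddress

# Constructed ACL table. myNet/badlist reuse the thread's names; the /24 mask,
# goodDomains and its entries are assumptions made for this example.
ACLS = {
    "myNet": ("src", ["192.168.165.0/24"]),
    "badlist": ("dstdomain", [".jjdev.com"]),
    "goodDomains": ("dstdomain", [".example.org", "www.example.net"]),
    "all": ("src", ["0.0.0.0/0"]),
}

# Rule lists as (action, [acl names]); each tuple stands for one http_access line.
DENYLIST = [("deny", ["badlist"]), ("allow", ["myNet"]), ("deny", ["all"])]
# http_access allow myNet goodDomains / http_access deny all
ALLOWLIST = [("allow", ["myNet", "goodDomains"]), ("deny", ["all"])]
# Flipped naively: each allow line matches on its own, so nothing is restricted
# for myNet clients and any client may reach goodDomains.
LOOSE = [("allow", ["goodDomains"]), ("allow", ["myNet"]), ("deny", ["all"])]


def domain_match(pattern, host):
    """Leading dot: the domain and every host under it. No dot: that host only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_match(name, client_ip, dest_host):
    """Values listed under one ACL name are ORed together."""
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(v) for v in values)
    return any(domain_match(v, dest_host) for v in values)


def http_access(rules, client_ip, dest_host):
    """Return the action of the first line whose ACLs all match (AND per line)."""
    for action, names in rules:
        if all(acl_match(n, client_ip, dest_host) for n in names):
            return action
    raise ValueError("rule list should end with a line on 'all'")


if __name__ == "__main__":
    for host in ("www.jjdev.com", "cdn.example.org", "other.example.com"):
        print(host, {n: http_access(r, "192.168.165.10", host)
                     for n, r in (("deny", DENYLIST), ("allow", ALLOWLIST), ("loose", LOOSE))})
```

Putting both ACL names on a single allow line is what turns the list into an allowlist: a request must come from myNet and go to a listed domain, and everything else falls through to the final deny.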