Re: Controlling neighbour access

From: Duane Wessels <[email protected]>
Date: Wed, 19 Feb 97 13:55:55 -0800

Mark.Eldridge@per.its.csiro.au writes:

>I'd like to be able to control which objects on our cache our neighbours
>have access to. If our organisation's internal documents are cached then
>it is possible that our neighbours could access these documents, bypassing
>any security that may be in place on the end web server.
>
>The trusting method (for the perfect world) is to ask the neighbours to
>put a 'cache_host_domain proxy.csiro.au !.csiro.au' statement in their
>configs. This is also more efficient.
>
>To control it from our end I have tried the following:
>
>acl csiro src 1.2.0.0/255.255.0.0
>acl non_csiro_neighbour src 3.4.0.0/255.255.0.0
>acl csiro_url url_regex \.csiro\.au
>icp_access allow csiro
>icp_access deny csiro_url
>icp_access deny all !non_csiro_neighbour

You should duplicate each 'icp_access' line with 'http_access' also.

You might also want to add

    acl csiro_host dstdomain csiro.au

Then you can catch numeric IP addresses in URLs.

Duane W.
Received on Wed Feb 19 1997 - 14:22:28 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:34:29 MST