Re: [squid-users] Howto protect one network using ACL?

From: Henrik Nordstrom <[email protected]>
Date: Fri, 11 Jan 2002 23:49:11 +0100

Yuriy Kuznetsov wrote:

> > and the restriction rules:
> > http_access deny localnet10 yahoo MORNING
> > http_access deny localnet10 yahoo AFTERNOON
> > http_access allow localnet10 yahoo LUNCH
> > http_access allow localnet10 yahoo EVENING
> > http_access allow localnet10 yahoo MIDNIGHT
> > http_access allow localnet10
> >
> I think it is simle... KISS :)))
>
> http_access allow localnet10 !yahoo
> http_access allow localnet10 yahoo LUNCH
> http_access allow localnet10 yahoo EVENING
> http_access allow localnet10 yahoo MIDNIGHT

or simply

http_access deny localnet10 yahoo MORNING
http_access deny localnet10 yahoo AFTERNOON
http_access allow localnet10

> but I have a question .. What is better
>
> acl yahoo url_regex -i ^http://http.msg.yahoo.com
> or
> acl yahoo dstdomain http.msg.yahoo.com

dstdomain is always better than regexp matching, especially if there is
many items to match. When there is only a single pattern the difference
is not that large.

> I prefer second because url_regex do not have reverse lookup (and not
> block IP-s) or I am wrong?

Correct, but is not generally the main reason why dstdomain is
preferable.

Regards
Henrik Nordstr�m
Squid Developer
MARA Systems AB, Sweden
Received on Fri Jan 11 2002 - 16:47:15 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:05:49 MST