Re: [squid-users] acl of type dstdomain and CONNECT not working together with dstdomain?

From: Muthukumar <[email protected]>
Date: Wed, 2 Jun 2004 15:16:10 +0530

> acl ports port 443
> acl domains dstdomain .foo.com
> acl CONNECT method CONNECT
>
> http_access allow CONNECT ports domain
> http_access deny all
>
> When I try to connect to www.foo.com I get a denied access.

For the dstdomain acl type, a reverse lookup is done for IP-based URLs. If the lookup fails, "none" will be returned.
You can check in the access.log for that request in the request method field (6th field).
It has not succeeded at that point, so you are getting denied access.

> When on the other hand I do (1.2.3.4 is www.foo.com's address)
>
> acl ports port 443
> acl hosts dst 1.2.3.4
> acl CONNECT method CONNECT
>
> http_access allow CONNECT ports hosts
> http_access deny all
>
> I do get access.

The dst acl type resolves the destination address directly, so you do not have a problem accessing it.
Compare the two request methods from the access.log. It will give you the difference.

Regards,
Muthukumar.

Received on Wed Jun 02 2004 - 03:46:10 MDT
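
The access.log comparison suggested in the reply, as an added example that is not part of the original post: it extracts the CONNECT entries from access.log text and reports the result code next to whether the target was a hostname or an IP literal. The log lines are constructed and assume Squid's native log format; the function names are hypothetical.

```python
import ipaddress

# Constructed sample lines, assuming Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1086169570.123     12 192.0.2.10 TCP_DENIED/403 1420 CONNECT www.foo.com:443 - NONE/- text/html
1086169601.456   2310 192.0.2.10 TCP_MISS/200 5120 CONNECT 1.2.3.4:443 - DIRECT/1.2.3.4 -
1086169620.789     85 192.0.2.10 TCP_MISS/200 3010 GET http://www.example.org/ - DIRECT/192.0.2.80 text/html
"""


def target_kind(host):
    """Return 'ip' if the CONNECT target is an IP literal, else 'hostname'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "hostname"


def connect_requests(log_text):
    """Return one dict per CONNECT entry found in native-format log text."""
    rows = []
    for line in log_text.splitlines():
        fields = line.split()
        # The method is the 6th field; skip short lines and other methods.
        if len(fields) < 10 or fields[5] != "CONNECT":
            continue
        result, _, status = fields[3].partition("/")
        # For CONNECT the URL field is host:port (IPv6 literals are bracketed).
        host, _, port = fields[6].rpartition(":")
        host = host.strip("[]")
        rows.append({
            "result": result,
            "status": int(status),
            "host": host,
            "port": int(port),
            "kind": target_kind(host),
        })
    return rows


if __name__ == "__main__":
    for row in connect_requests(SAMPLE_LOG):
        print("{result}/{status} {host}:{port} ({kind})".format(**row))
```
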
