Re: [squid-users] http_access allow ...

From: Matt Alexander <[email protected]>
Date: Fri, 5 Nov 2004 13:50:52 -0700

Ah, that was the problem. "http_access allow all" was before the ads
deny line. Personally, I think this is silly and that the squid.conf
should not configure itself based on the order that acls appear.
Thanks for your help,
~M

On Fri, 5 Nov 2004 10:44:34 -0900, Chris Robertson <crobertson@gci.com> wrote:
> Are you saying that the allow all line is first in the conf file? If so,
> reverse the order, and you should be set.
>
> Squid checks the http_access lines in order. The first one to match is all
> that matters, so if you have http_access allow all as the first line,
> everything will match it, and Squid will never check the others.
>
> If the server is low traffic enough, you can add debugging options like
> "debug_options ALL,1 33,2" to your conf file, and watch the cache log to see
> acl testing. It's fairly verbose though (even just at level 2) and not
> suitable for a site getting more than a hit per second or so.
>
> Chris
>
> -----Original Message-----
> From: Matt Alexander [mailto:lowbassman@gmail.com]
> Sent: Friday, November 05, 2004 10:39 AM
> To: Chris Robertson
> Subject: Re: [squid-users] http_access allow ...
>
> No errors in cache.log. This worked previously when it was listening
> on the external interface and only allowing authenticated users. Is
> it a problem having these three lines together?
>
> http_access allow all
> http_access allow localhost
> http_access deny ads
>
> I'm wondering if the allow all overrides the deny line...
>
> On Fri, 5 Nov 2004 10:19:25 -0900, Chris Robertson <crobertson@gci.com>
> wrote:
> > Check your cache.log for a line like:
> >
> > aclParseAclLine: IGNORING invalid ACL: acl ads dstdom_regex -i
> > "/etc/squid/adservers"
> >
> > If Squid can't find a file, it will start without problem and just ignore
> > the acl.
> >
> > Chris
> >
> >
> >
> > -----Original Message-----
> > From: Matt Alexander [mailto:lowbassman@gmail.com]
> > Sent: Friday, November 05, 2004 9:53 AM
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] http_access allow ...
> >
> > I'd like Squid to be configured to allow all traffic except for a list
> > of ad servers, but it doesn't seem to be working...
> > I have the following line in Squid:
> >
> > acl ads dstdom_regex -i "/etc/squid/adservers"
> > http_access deny ads
> >
> > The adservers file then contains regex expressions for various ad servers,
> > etc.
> >
> > This Squid process is only listening on localhost as it gets the
> > request from DansGuardian in front of it.
> >
> > Here's my acl lines:
> >
> > acl QUERY urlpath_regex cgi-bin \?
> > acl QUERY urlpath_regex download
> > acl QUERY urlpath_regex exe
> > acl QUERY urlpath_regex zip
> > acl QUERY urlpath_regex 160
> > acl ads dstdom_regex -i "/etc/squid/adservers"
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 563 # https, snews
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > acl PURGE method PURGE
> >
> > And here's my http_access lines:
> >
> > http_access deny ads
> > http_access allow PURGE localhost
> > http_access allow all
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> >
> > Any ideas what I'm missing?
> > Thanks,
> > ~M
> >
> > --
> > Get Firefox!
> > http://www.mozilla.org/products/firefox/
> >
>
> --
> Get Firefox!
> http://www.mozilla.org/products/firefox/
>

-- 
Get Firefox!
http://www.mozilla.org/products/firefox/
Received on Fri Nov 05 2004 - 13:57:41 MST

This archive was generated by hypermail pre-2.1.9 : Wed Dec 01 2004 - 12:00:01 MST