RE: [squid-users] How to deny unmatched/unspecified domains in squid 2.6 under reverse proxy mode?

From: Nguyen, Khanh, INFOT <[email protected]>
Date: Tue, 17 Oct 2006 14:24:09 -0400

By the way, I found a simple way to block access without using acl, by one minor change to the code, in case someone needs that behavior. It is in neighbors.c, function peerAllowedToUse. Initializing do_ping = 1 instead of do_ping = 0 would do it. Not sure of the reason for returning that the peer is ok to use if peer_domain == NULL or access == NULL. Perhaps it is applicable for the forward proxy?

Regards,
Khanh

-----Original Message-----
From: Nguyen, Khanh, INFOT
Sent: Tuesday, October 17, 2006 10:33 AM
To: Chris Robertson
Cc: Squid List
Subject: RE: [squid-users] How to deny unmatched/unspecified domains in
squid 2.6 under reverse proxy mode?

It works. Very clever way of creating acl. It makes it more manageable.
I guess that there is no undocumented option in squid.conf to disable the use of default parents for domains that are not specified under the reverse proxy mode. It seems to be undesired behavior :-|

Thanks,
Khanh

-----Original Message-----
From: Chris Robertson [mailto:crobertson@gci.net]
Sent: Monday, October 16, 2006 5:43 PM
Cc: Squid List
Subject: Re: [squid-users] How to deny unmatched/unspecified domains in
squid 2.6 under reverse proxy mode?

Nguyen, Khanh, INFOT wrote:
> hi,
>
> I have squid 2.6 on Linux OS. The squid cache is configured in reverse proxy mode, meaning each domain has a mapping web server for object retrieval. For example: objects of www1.mycompany.com will be fetched from webserver1.mycompany.com, objects of www2.mycompany.com will be fetched from webserver2.mycompany.com ...
>
> For domains that are NOT configured in the cache server, the squid cache uses first_up_parent, sometimes webserver1.mycompany.com, other times webserver2.mycompany.com. This is NOT what I desire. Can the squid cache be configured to return an error page or acl denied page if a request is for a domain that is not configured in the squid cache server? If I use acl to achieve this, would I have to have one allowed acl for each configured domain and then deny at the very end? It does not sound very effective since I would have a very long acl list. My cache server would have over 100 domains, thus 100+ acl. Is there any better way without modifying the code itself?
>
> Any suggestions would be very much appreciated.
> Khanh
>
>
>
acl KnownHosts dstdomain "/path/to/file"
http_access deny !KnownHosts

Where "file" would contain the allowed domains, one per line with an
optional leading dot to match all subdomains. Be sure that this
http_access deny is entered before any explicit allows in your squid.conf.

Chris
Received on Tue Oct 17 2006 - 12:25:42 MDT
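
A small model of the allow-list check suggested above, added here as an example and not part of the original thread or of Squid's code. It assumes the documented dstdomain rules (case-insensitive match; an entry with a leading dot matches the domain and all subdomains, an entry without one matches only that exact name). The file contents and the ".static.mycompany.com" entry are constructed; the function names are hypothetical.

```python
# Constructed contents for the file referenced by:
#   acl KnownHosts dstdomain "/path/to/file"
KNOWN_HOSTS_FILE = """\
www1.mycompany.com
www2.mycompany.com
.static.mycompany.com
"""

def load_known_hosts(text):
    """One domain per line; this model skips blank lines and '#' lines."""
    entries = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries

def request_host(host_header):
    """Host name from a Host header value, without an optional :port."""
    host = host_header.strip().lower()
    return host.rsplit(":", 1)[0] if ":" in host else host

def is_known(host_header, entries):
    """True when the host would match the KnownHosts acl."""
    host = request_host(host_header)
    if host in entries:                      # exact entry
        return True
    labels = host.split(".")
    # A leading-dot entry matches the domain itself and every subdomain.
    return any("." + ".".join(labels[i:]) in entries
               for i in range(len(labels)))

def denied_hosts(host_headers, entries):
    """Hosts that 'http_access deny !KnownHosts' would reject."""
    return [h for h in host_headers if not is_known(h, entries)]

KNOWN = load_known_hosts(KNOWN_HOSTS_FILE)

if __name__ == "__main__":
    sample = ["www1.mycompany.com", "WWW2.mycompany.com:80",
              "img.static.mycompany.com", "www3.mycompany.com",
              "evilwww1.mycompany.com", "www1.mycompany.com.other.example"]
    for h in sample:
        print(f"{h:40s} {'pass to later rules' if is_known(h, KNOWN) else 'DENIED'}")
```

Running a list of Host values seen in access.log through denied_hosts() before enabling the deny rule shows which names would stop being forwarded to a default parent.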
