Hi Amos
Thank you for your help
I removed the to_all from_all as suggested by pandu, it's working.
On 02/01/2011 01:56 PM, Amos Jeffries wrote:
>> is not matching in this case, because the domain resolving did not
>> return an ip address. so the request is still the domain name and squid
>> is comparing the domain name with 0/0, which will not match.
>
> What version of Squid is this? The dst ACL has been long fixed not to
> use strings at all but to test the numeric values and return fail on
> unresolvables without any comparisons happening.
version is 2.6, right now. (surely we will upgrade in future) good to
know that this changes.
>> Ok, so i tried to solve by adding these rules:
>> acl to_alldomain dstdom_regex .*
>> http_access allow from_all within_timeframe_rule1 to_alldomain
>> This actually is working, but it seems quite an overhead to me.
>
> Yes it does seem overly complex. Lets look at the parts...
>
> * from_all ... if the request comes from a machine with an IPv4 address
> (0.0.0.0 'self' included).
>
> Since the only way to reach Squid is via IP transport...
> In all Squid older than 3.1 this equates to "true".
> In 3.1 the ACL should be defined "src ipv4" and thinking of it as "all"
> the network is wrong.
thank you for this information. much appreciated for when we upgrade. we
have to change a lot i think.
> * to_alldomain ... if true. every request will match this so you will
> get the same behaviour by removing it entirely.
i did that now. it's working.
thank you!
peter
-- :: e n d i a n :: open source - open minds :: peter warasin :: http://www.endian.com :: [email protected]Received on Tue Feb 01 2011 - 15:02:05 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 12:00:04 MST