Re: ACL Nightmare

From: David J N Begley <david@dont-contact.us>
Date: Thu, 14 Nov 1996 02:24:05 +1100 (EST)

On Thu, 14 Nov 1996, David J N Begley wrote:

> Argh! Okay, I give up. Using cachemgr.cgi, I request the status of some
> item from the currently running Squid; I get the result, fine. I select
> another item, and I'm told I'm forbidden to access the item. Doesn't
> matter which item I select either, first one works, subsequent ones don't.

I still don't know why this was happening (that is, first one works,
others don't), but I've managed to work my way 'round it. For now. I
think (using 1.0.20).

> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl src_okmgr src 137.154.210.10/32
> http_access deny manager !src_okmgr !localhost
> http_access allow manager src_okmgr localhost

One thing I've been trying to do, is stop people from using our proxy as
an accelerator for other services running on the same machine (Gopher,
FTP, Web), since in our case it actually ends up slowing things down
rather than providing a faster response - so what didn't appear above in
my original message was:

acl dst_infonepean dst 137.154.210.10/32
acl src_uws src 137.154.0.0/16
http_access deny src_uws dst_infonepean

Now, our proxy, Web, Gopher and FTP servers are all on the one machine, so
I thought the above would explicitly stop people going through the proxy
when requesting an object that physically lives on the same machine.

Uh-uh .. this had mixed results, mostly stuffing up cachemgr.cgi stuff; I
found I couldn't assume it would work for all protocols either, so I had
to ultimately use:

acl allproto proto http ftp gopher
http_access allow src_uws dst_infonepean manager !allproto
http_access deny src_uws dst_infonepean allproto !manager

Okay, that seems to be working - but still doesn't explain the partial
working nature of the cachemgr.cgi (cache_object) responses, though;
almost as though it goes direct for the first query, then via the proxy
for subsequent queries (which of course are refused).

Sorry for the hassle .. very late night. :-(

dave
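A small model of how Squid evaluates http_access lines, added here as an example; it is not part of the original message or of Squid's own code. It assumes the documented Squid semantics: the ACL names on one http_access line are ANDed, lines are tried in order, the first line whose ACLs all match decides, and a request matching no line gets the opposite of the last line's action. The ACL definitions and the rule sets are the ones quoted in the message (with 127.0.0.1/255.255.255.255 written as /32); the split manager lines at the end are an added alternative that goes beyond the message, showing how the allow line behaves once src_okmgr and localhost are no longer required on the same line.

```python
import ipaddress

# ACL definitions from the message, keyed by acl name: (type, values).
ACLS = {
    "manager": ("proto", {"cache_object"}),
    "localhost": ("src", ["127.0.0.1/32"]),
    "src_okmgr": ("src", ["137.154.210.10/32"]),
    "dst_infonepean": ("dst", ["137.154.210.10/32"]),
    "src_uws": ("src", ["137.154.0.0/16"]),
    "allproto": ("proto", {"http", "ftp", "gopher"}),
}

# The two manager lines from the original message.
ORIGINAL_MANAGER_RULES = [
    ("deny", "manager", "!src_okmgr", "!localhost"),
    ("allow", "manager", "src_okmgr", "localhost"),
]

# The lines the message ends up using.
FINAL_RULES = [
    ("allow", "src_uws", "dst_infonepean", "manager", "!allproto"),
    ("deny", "src_uws", "dst_infonepean", "allproto", "!manager"),
]

# Added alternative (assumption, not from the message): one allow line per
# source so that neither line requires two disjoint src ACLs at once.
SPLIT_MANAGER_RULES = [
    ("allow", "manager", "localhost"),
    ("allow", "manager", "src_okmgr"),
    ("deny", "manager"),
]


def acl_matches(name, request):
    """True if a single named ACL matches the request."""
    kind, values = ACLS[name]
    if kind == "proto":
        return request["proto"] in values
    addr = ipaddress.ip_address(request[kind])  # kind is "src" or "dst"
    return any(addr in ipaddress.ip_network(v) for v in values)


def term_matches(term, request):
    """Handle the '!' prefix: a negated ACL matches when the ACL does not."""
    negated = term.startswith("!")
    return acl_matches(term.lstrip("!"), request) != negated


def http_access(rules, request):
    """Return (decision, matching line) following Squid's documented order.

    Within a line every term must match (AND); the first matching line wins.
    If no line matches, the decision is the opposite of the last line's
    action and the matching line is reported as None.
    """
    for action, *terms in rules:
        if all(term_matches(t, request) for t in terms):
            return action, " ".join([action, *terms])
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None


# Constructed requests: a cachemgr query from the permitted host, an HTTP
# request from the campus /16 to the same machine, and one to an outside host.
MGR_FROM_OKHOST = {"proto": "cache_object", "src": "137.154.210.10",
                   "dst": "137.154.210.10"}
HTTP_TO_SELF = {"proto": "http", "src": "137.154.1.1", "dst": "137.154.210.10"}
HTTP_TO_OUTSIDE = {"proto": "http", "src": "137.154.1.1", "dst": "192.0.2.1"}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_MANAGER_RULES),
                         ("final", FINAL_RULES),
                         ("split", SPLIT_MANAGER_RULES)):
        for req in (MGR_FROM_OKHOST, HTTP_TO_SELF, HTTP_TO_OUTSIDE):
            print(label, req["proto"], req["src"], "->", req["dst"],
                  http_access(rules, req))
```

Under the original two lines the cachemgr request from 137.154.210.10 matches neither line (the deny line needs !src_okmgr, the allow line needs localhost as well) and falls to the implicit default, which is deny because the last line is an allow. Under the final rules the same request is allowed by the first line, an HTTP request from the campus range to the server itself is denied by the second, and an HTTP request to an outside host matches nothing and is allowed by the implicit default, which is worth knowing about whenever the last http_access line is a deny.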
Received on Wed Nov 13 1996 - 07:24:38 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:32 MST