>> > > acl acl1 src claudiu.altex.ro
>> > > acl acl2 dstdomain btr.ro
>> > > http_access allow acl1 acl2
>> > > http_access deny all
>> >
>> > Neither! The first ACL that matches dictates the behaviour.
>> >
>> 
>> Then I ask you, how do I limit the access of given users to a given
>> domain?
>
>Well, in the example you'd given, connections are allowed FROM only
>claudiu.altex.ro site/machine. Furthermore, connections are allowed TO
>only btr.ro site.
>
>So in this case, you've been lucky; you have effectively limited
>connections TO a single site FROM a single site/machine. Therefore even
>though squid uses the first ACL it sees, in your case this is good enough.
>
>I think IPCHAINS might be a better solution for what you are trying to
>achieve here.
>
>Another solution that *might* suit you better is to use apache in accel
>mode (which is apache's name for running as a proxy). Apache probably
>gives you more control than mere ACLs.

Actually, I think squid's ACLs are quite flexible, even if the
documentation is a bit sparse.  I've only successfully used a few of the
ACL options.  You can also redirect denied requests to an explanation page
if so desired.

Squid's ACLs are in 2 parts - definitions and the rules.  A definition can
be used over & over in different rules:

acl theboss src 192.168.1.15
The boss's IP address

acl mydomain srcdomain mydomain.com
My domain name

acl bozo dstdomain clowncollege.com
A destination name

http_access allow theboss all
Allow the boss to go everywhere, even clowncollege.com

http_access allow mydomain !bozo
Don't allow anyone in my domain to go to clowncollege.com
(Could also be written as http_access deny mydomain bozo)

http_access allow all
Default rule to allow all other sites.

I just wrote these off the top of my head, but I *think* they're valid.  If
your aim is to allow access to only a few specific sites, you may want to
put them into a file, allow them, and deny everything else, something like
this:

acl mydomain srcdomain mydomain.com

acl validsites dstdomain "/etc/squid/valid-domains"

http_access allow mydomain validsites
http_access deny all all

The file valid-sites would contain a list of valid domain names, each on a
separate line.  I use a similar method to block access to some web-based
e-mail sites.

HTH

-Eric


Eric Sisler
Library Computer Technician
Westminster Public Library
Westminster, CO, USA
[EMAIL PROTECTED]

Linux - don't fear the Penguin.
Want to know what we use Linux for?
Visit http://gromit.westminster.lib.co.us/linux
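
As an added example (not part of the original message), this small Python model of Squid's http_access evaluation runs the rules quoted above against constructed requests. It assumes a built-in `all` ACL, exact-IP `src` matching and suffix matching for domains; the client host names and the address 192.168.1.40 are made up for the demonstration.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Rules are checked top to bottom; a rule matches only if ALL its ACLs match;
# the first matching rule decides. Sample requests below are constructed.

def domain_match(host, domain):
    """True if host equals domain or is a subdomain of it."""
    domain = domain.lstrip(".")
    return host == domain or host.endswith("." + domain)

def parse(config):
    """Split squid.conf-style text into ACL definitions and ordered rules."""
    acls, rules = {"all": ("all", [])}, []   # assumption: 'all' is predefined
    for line in config.splitlines():
        tok = line.split("#")[0].split()
        if tok and tok[0] == "acl":
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "all":
        return True
    if kind == "src":
        return req["src_ip"] in values       # exact IP only in this model
    key = "src_host" if kind == "srcdomain" else "dst_host"
    return any(domain_match(req[key], v) for v in values)

def decide(config, req):
    """Return 'allow' or 'deny' for one request."""
    acls, rules = parse(config)
    for action, names in rules:
        # "!name" negates the ACL; every term on the line must hold.
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule (deny if none).
    last = rules[-1][0] if rules else "allow"
    return "deny" if last == "allow" else "allow"

BASE = """acl theboss src 192.168.1.15
acl mydomain srcdomain mydomain.com
acl bozo dstdomain clowncollege.com
http_access allow theboss all
"""
ALLOW_FORM = BASE + "http_access allow mydomain !bozo\nhttp_access allow all\n"
DENY_FORM = BASE + "http_access deny mydomain bozo\nhttp_access allow all\n"
STAFF = {"src_ip": "192.168.1.40", "src_host": "pc40.mydomain.com", "dst_host": "www.clowncollege.com"}
BOSS = {"src_ip": "192.168.1.15", "src_host": "boss.mydomain.com", "dst_host": "www.clowncollege.com"}
```

With a trailing `http_access allow all`, `decide(ALLOW_FORM, STAFF)` returns `allow` because the negated rule simply fails to match and the request falls through, while `decide(DENY_FORM, STAFF)` returns `deny`.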

