/*
- * $Id: acl.cc,v 1.149 1998/03/16 23:12:55 wessels Exp $
+ * $Id: acl.cc,v 1.150 1998/03/17 00:05:54 wessels Exp $
*
* DEBUG: section 28 Access Control
* AUTHOR: Duane Wessels
return ACL_DST_DOMAIN;
if (!strcmp(s, "srcdomain"))
return ACL_SRC_DOMAIN;
+ if (!strcmp(s, "dstdom_regex"))
+ return ACL_DST_DOM_REGEX;
+ if (!strcmp(s, "srcdom_regex"))
+ return ACL_SRC_DOM_REGEX;
if (!strcmp(s, "time"))
return ACL_TIME;
if (!strcmp(s, "pattern"))
return "dstdomain";
if (type == ACL_SRC_DOMAIN)
return "srcdomain";
+ if (type == ACL_DST_DOM_REGEX)
+ return "dstdom_regex";
+ if (type == ACL_SRC_DOM_REGEX)
+ return "srcdom_regex";
if (type == ACL_TIME)
return "time";
if (type == ACL_URLPATH_REGEX)
case ACL_DST_DOMAIN:
aclParseDomainList(&A->data);
break;
+ case ACL_SRC_DOM_REGEX:
+ case ACL_DST_DOM_REGEX:
+ aclParseRegexList(&A->data);
+ break;
case ACL_TIME:
aclParseTimeSpec(&A->data);
break;
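Review bot: Host names compare case-insensitively, but this hunk does not show whether `aclParseRegexList` compiles the patterns with case folding. If it does not, and the request host is not normalised before matching, a deny rule such as `dstdom_regex \.foo\.com$` could miss a mixed-case host. A comment on the two new cases would settle the question, for example `/* regexes are matched as compiled by aclParseRegexList; host names are expected in lower case (confirm) */`. The switch these cases belong to starts and ends outside the hunk.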
acl->name, inet_ntoa(checklist->src_addr));
checklist->state[ACL_SRC_DOMAIN] = ACL_LOOKUP_NEEDED;
return 0;
- } else {
- return aclMatchDomainList(&acl->data, "none");
}
+ return aclMatchDomainList(&acl->data, "none");
+ /* NOTREACHED */
+ case ACL_DST_DOM_REGEX:
+ if ((ia = ipcacheCheckNumeric(r->host)) == NULL)
+ return aclMatchRegex(acl->data, r->host);
+ fqdn = fqdncache_gethostbyaddr(ia->in_addrs[0], FQDN_LOOKUP_IF_MISS);
+ if (fqdn)
+ return aclMatchRegex(acl->data, fqdn);
+ if (checklist->state[ACL_DST_DOMAIN] == ACL_LOOKUP_NONE) {
+ debug(28, 3) ("aclMatchAcl: Can't yet compare '%s' ACL for '%s'\n",
+ acl->name, inet_ntoa(ia->in_addrs[0]));
+ checklist->state[ACL_DST_DOMAIN] = ACL_LOOKUP_NEEDED;
+ return 0;
+ }
+ return aclMatchRegex(acl->data, "none");
+ /* NOTREACHED */
+ case ACL_SRC_DOM_REGEX:
+ fqdn = fqdncache_gethostbyaddr(checklist->src_addr, FQDN_LOOKUP_IF_MISS);
+ if (fqdn) {
+ return aclMatchRegex(acl->data, fqdn);
+ } else if (checklist->state[ACL_SRC_DOMAIN] == ACL_LOOKUP_NONE) {
+ debug(28, 3) ("aclMatchAcl: Can't yet compare '%s' ACL for '%s'\n",
+ acl->name, inet_ntoa(checklist->src_addr));
+ checklist->state[ACL_SRC_DOMAIN] = ACL_LOOKUP_NEEDED;
+ return 0;
+ }
+ return aclMatchRegex(acl->data, "none");
/* NOTREACHED */
case ACL_TIME:
return aclMatchTime(acl->data, squid_curtime);
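Review bot: The fallback `return aclMatchRegex(acl->data, "none");` in both new cases feeds a sentinel string to a regex matcher, so an unanchored pattern that happens to match the text "none" will also match every host whose reverse lookup failed. The domain-list version could only do that through an explicit `none` entry. The name being matched comes from reverse DNS, which is controlled by whoever operates the PTR zone for the address and is not forward-confirmed in the lines shown, so an allow rule keyed on `srcdom_regex` should not be the only gate. Both cases also index `checklist->state[]` with `ACL_DST_DOMAIN` / `ACL_SRC_DOMAIN` rather than the new types; that looks deliberate, but it deserves a comment such as `/* shares the dstdomain lookup state: one reverse lookup serves both ACL types */`. The enclosing function starts and ends outside this hunk.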
hostname type http_port icp_port
- For example,
+ For example,
# proxy icp
# hostname type port port options
DEFAULT: @DEFAULT_PID_FILE@
LOC: Config.pidFilename
DOC_START
- A filename to write the process-id to. To disable, enter "none".
+ A filename to write the process-id to. To disable, enter "none".
pid_filename @DEFAULT_PID_FILE@
DOC_END
acl aclname src ip-address/netmask ... (clients IP address)
acl aclname src addr1-addr2/netmask ... (range of addresses)
acl aclname dst ip-address/netmask ... (URL host's IP address)
- acl aclname srcdomain foo.com ... (taken from reverse DNS lookup)
- acl aclname dstdomain foo.com ... (taken from the URL)
+
+ acl aclname srcdomain foo.com ... # reverse lookup, client IP
+ acl aclname dstdomain foo.com ... # Destination server from URL
+ acl aclname srcdom_regex xxx ... # regex matching client name
+ acl aclname dstdom_regex xxx ... # regex matching server
+ # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
+ # based URL is used. The name "none" is used if the reverse lookup
+ # fails.
+
acl aclname time [day-abbrevs] [h1:m1-h2:m2]
day-abbrevs:
S - Sunday
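Review bot: The added comment limits the reverse lookup and the "none" fallback to `dstdomain` and `dstdom_regex`, but the acl.cc part of this change uses the same "none" fallback for the source types when the client's reverse lookup fails. Administrators writing `srcdom_regex` rules are therefore not told about it. I would extend the text to cover the source types and to recommend anchored patterns, for example `# srcdomain and srcdom_regex also use "none" when the client's reverse lookup fails; anchor regexes (\.foo\.com$) so they cannot match unrelated names.` It would also help to state that the client name comes from reverse DNS and is only as trustworthy as the PTR record. In the same comment, "a IP" should read "an IP".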
A - Saturday
h1:m1 must be less than h2:m2
acl aclname url_regex ^http:// ... # regex matching on whole URL
- acl aclname urlpath_regex \.gif$ ... # regex matching on URL path only
+ acl aclname urlpath_regex \.gif$ ... # regex matching on URL path
acl aclname port 80 70 21 ...
acl aclname proto HTTP FTP ...
acl aclname method GET POST ...
# example for routing all requests for AS#1241 and only
# those to mycache.mydomain.net:
# acl asexample dst_as 1241
- # cache_host_acl mycache.mydomain.net asexample
+ # cache_host_acl mycache.mydomain.net asexample
# cache_host_acl mycache_mydomain.net !all
acl aclname proxy_auth passwd_file [ refresh ]
If set, Squid will keep pools of allocated (but unused) memory
available for future use. If memory is a premium on your
system and you believe your malloc library outperforms Squid
- routines, disable this.
+ routines, disable this.
memory_pools on
DOC_END
LOC: Config.accessList.NeverDirect
DEFAULT: none
DOC_START
- Usage: never_direct allow|deny [!]aclname ...
+ Usage: never_direct allow|deny [!]aclname ...
never_direct is the opposite of always_direct. Please read
the description for always_direct if you have not already.
example, to force the use of a proxy for all requests, except
those in your local domain, use something like:
- acl local-servers dstdomain my.domain.net
+ acl local-servers dstdomain my.domain.net
acl all src 0.0.0.0/0.0.0.0
- never_direct deny local-servers
- never_direct allow all
+ never_direct deny local-servers
+ never_direct allow all
DOC_END
NAME: fake_user_agent
LOC: Config.fake_ua
DEFAULT: none
DOC_START
- If you use the paranoid http_anonymizer setting, Squid will strip
- your User-agent string from the request. Some Web servers will
- refuse your request without a User-agent string. Use this to
- fake one up. For example:
+ If you use the paranoid http_anonymizer setting, Squid will strip
+ your User-agent string from the request. Some Web servers will
+ refuse your request without a User-agent string. Use this to
+ fake one up. For example:
- fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
- (credit to Paul Southworth pauls@etext.org for this one!)
+ fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
+ (credit to Paul Southworth pauls@etext.org for this one!)
fake_user_agent none
DOC_END
allow you to set Squid into port 161 and your system's snmpd to
another port by changing /etc/services.
- WARNING: Because of Squid acting as a proxy snmpd for system
- you have to do security checks on THIS snmpd for all objects.
- Check your snmp_config_file.
+ WARNING: Because of Squid acting as a proxy snmpd for system
+ you have to do security checks on THIS snmpd for all objects.
+ Check your snmp_config_file.
forward_snmpd_port 0
DOC_END