From: Amos Jeffries Date: Tue, 1 Feb 2011 02:38:37 +0000 (-0700) Subject: Documentation: various squid.conf updates X-Git-Tag: SQUID_3_1_11~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97571b6d27a6b251a56086a7b3d516d8dc53d1f6;p=thirdparty%2Fsquid.git Documentation: various squid.conf updates * maxconn ACL applies only on direct client IPs * Updated IPv6 magic tcp_outgoing_address example --- diff --git a/src/cf.data.pre b/src/cf.data.pre index aea13905a8..3ade4de0bd 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -671,7 +671,9 @@ DOC_START acl aclname maxconn number # This will be matched when the client's IP address has - # more than HTTP connections established. [fast] + # more than TCP connections established. [fast] + # NOTE: This only measures direct TCP links so X-Forwarded-For + # indirect clients are not counted. acl aclname max_user_ip [-s] number # This will be matched when the user attempts to log in from more @@ -831,6 +833,9 @@ DOC_START Controls whether the indirect client address (see follow_x_forwarded_for) is used instead of the direct client address in acl matching. + + NOTE: maxconn ACL considers direct TCP links and indirect + clients will always have zero. So no match. DOC_END NAME: delay_pool_uses_indirect_client @@ -1480,14 +1485,18 @@ DOC_START an additional ACL needs to be used which ensures the IPv6-bound traffic is never forced or permitted out the IPv4 interface. + # IPv6 destination test along with a dummy access control to perofrm the required DNS + # This MUST be place before any ALLOW rules. acl to_ipv6 dst ipv6 - tcp_outgoing_address 2002::c001 good_service_net to_ipv6 + http_access deny ipv6 !all + + tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 - tcp_outgoing_address 2002::beef normal_service_net to_ipv6 + tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 - tcp_outgoing_address 2002::1 to_ipv6 + tcp_outgoing_address 2001:db8::1 to_ipv6 tcp_outgoing_address 10.1.0.3 !to_ipv6 WARNING: