Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

acl, http_access, and urlpath_regex

422 views
Skip to first unread message

jo...@saratoga.lib.ny.us

unread,
Jan 3, 2000, 3:00:00 AM1/3/00
to
Ages ago Henrik Nordstrom suggested that something of the form:

acl somemachines src 192.168.1.0/24
acl about.com dstdomain about.com
acl about.com_chat urlpath_regex mpchat.htm parachat.htm
http_access deny somemachines about.com about.com_chat

Would be the most efficient method of denying access to the chat sites
and only the chat sites on about.com for the users of a group of pcs
(somemachines in the acls above.)

Is there a way to source a file into squid.conf? Does it matter if I
mix up acl and http_access lines, with the understanding that they
will still be read sequentially or do all the acls have to precede the
http_access lines in squid.conf? Could I set up a list of in the form
acl,acl,http_access;acl,acl,http_access;etc... and read it in.

acl blah.com dst blah.com
acl blah.com_chat urlpath_regex chaturl.html morechat.htm
http_access deny blah.com blah.com_chat

Please note what I want is to keep the acls for domain, the
urlpath_regex and the http_access commands together.


Also, I am confused about the urlpath_regex command. I don't know if I made a mistake by typing something in wrong or if I simply don't understand regular expressions well enough. I used the following acl http_access.

acl programs urlpath_regex bin zip hqx sit
http_access allow programs imacs-ref password

My goal was to prevent patrons downloaded program files to the
iMacs. The machines don't have disk drives, so I'm simply keeping them
from wasting time. The note is squid.conf says

# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL\ path

Which to me is unclear. My expectation is that \.gif should match the
.gif at the end. Do I need to put the '$' in or is it implied. Since
my attempt to use the above resulted in all cgi-bin directories
becoming unreachable (without a password) I assume that I need the
'$'. On the other hand a similar line of documentation for url_regex
says shows the "^http://" in the documentation line even though it is
always implied.

So in the cases using urlpath_regex should I assume that there are no
implied symbols? Is "acl aclname url_regex whatever.com" equivalent
to "acl aclname urlpath_regex ^http://whatever.com" ?

--
Josh Kuperman jo...@saratoga.lib.ny.us
Saratoga Springs Public Library phone (518) 584-7860 x 211
49 Henry St fax (518) 584-7866
Saratoga Springs, NY 12866


Henrik Nordstrom

unread,
Jan 3, 2000, 3:00:00 AM1/3/00
to
jo...@saratoga.lib.ny.us wrote:

> Is there a way to source a file into squid.conf?

Only in individual acl definitions.

It is however not very hard to set up my or cpp preprocessing to
generate the runtime squid.conf.

> Does it matter if I mix up acl and http_access lines

No, not as long as the acl names is defined before you use them in
http_access.

> # acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL\ path
>
> Which to me is unclear. My expectation is that \.gif should match the
> .gif at the end. Do I need to put the '$' in or is it implied.


\. matches a dot
gif matches the three letters "g" "i" "f"
$ matches the end.

> Since my attempt to use the above resulted in all cgi-bin directories
> becoming unreachable

Well /cgi-bin/something.cgi matches bin, and so does binoculars.


> On the other hand a similar line of documentation for url_regex
> says shows the "^http://" in the documentation line even though
> it is always implied.

It is not implied. There could be other protocols, for example ftp: or
gopher:

> So in the cases using urlpath_regex should I assume that there are no
> implied symbols? Is "acl aclname url_regex whatever.com" equivalent
> to "acl aclname urlpath_regex ^http://whatever.com" ?


urlpath_regex only matches the path after the server name

Lets take a URL like

http://www.example.com:8080/some/path/to/a/file.txt

Divided up on the different ACL types:
protocol matches http
dstdomain and dstdom_regex matches www.example.com
dst matches the IP address of www.example.com
port matches 8080
urlpath_regex matches /some/path/to/a/file.txt
url_regex matches the while URL


All regex ACL types uses so called "extended" regular expression,
matching the string of the acl type scope.

A nice tool for playing around with "extended" regular expressions is
egrep. Make a text file with different patterns you want to match or
not, and then try different expressions using egrep.

--
Henrik Nordstrom
Squid hacker


0 new messages