On Fri, 20 Aug 2004, Henrik Nordstrom wrote:
> On Thu, 19 Aug 2004, Merton Campbell Crockett wrote:
>
> > Perhaps it would be clearer and simpler to write this as two access rules.
> >
> > http_access deny !KIOSK.dstdomain
> > http_access allow KIOSK
>
> No, this won't work either as this restricts all users to the KIOSK.dstdomain
> destinations, not only the KIOSK users.

The assumptions were stated in an elided paragraph that the proxy was
restricted to KIOSK users and that they were restricted to destinations
specified in KIOSK.dstdomain.

If there are other users of the proxy and they are permitted to access any
destination, the following supports the condition. The last rule is for
clarity and to show that all conditions have been enumerated.

http_access allow !KIOSK
http_access deny !KIOSK.dstdomain
http_access allow KIOSK

If there are multiple conditional destination domain cases, one possible
solution is to define another proxy to handle the set of destination
domains in order to simplify the problem. These could run on the same
system but use different ports.

Merton Campbell Crockett
Received on Fri Aug 20 2004 - 08:49:33 MDT
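
Added example, not part of the original message and not Squid code: a small Python model of http_access evaluation (first matching line wins, ACLs on a line are ANDed) that compares the two-rule and three-rule sets discussed in the thread. The ACL definitions, client addresses and domains are constructed assumptions, since the thread names the ACLs but does not show them.

```python
import ipaddress

# Assumed ACL contents (constructed; the thread does not show the acl lines).
KIOSK_NET = ipaddress.ip_network("192.0.2.0/28")        # acl KIOSK src ...
KIOSK_DOMAINS = ("intranet.example", ".kiosk.example")  # acl KIOSK.dstdomain dstdomain ...

def in_dstdomain(host):
    # A leading dot matches the domain itself and its subdomains.
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in KIOSK_DOMAINS)

ACLS = {
    "KIOSK": lambda src, host: ipaddress.ip_address(src) in KIOSK_NET,
    "KIOSK.dstdomain": lambda src, host: in_dstdomain(host),
}

TWO_RULES = """
http_access deny !KIOSK.dstdomain
http_access allow KIOSK
"""
THREE_RULES = """
http_access allow !KIOSK
http_access deny !KIOSK.dstdomain
http_access allow KIOSK
"""

def http_access(rules, src, host):
    parsed = [line.split()[1:] for line in rules.strip().splitlines()]
    for action, *acls in parsed:
        # ACLs on one line are ANDed; a leading "!" negates that ACL.
        if all(ACLS[a.lstrip("!")](src, host) != a.startswith("!") for a in acls):
            return action  # first matching line decides
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if parsed[-1][0] == "allow" else "allow"

# Constructed test clients and destinations.
CASES = [
    ("kiosk->listed", "192.0.2.5", "www.kiosk.example"),
    ("kiosk->other", "192.0.2.5", "www.example.org"),
    ("other->listed", "198.51.100.7", "intranet.example"),
    ("other->other", "198.51.100.7", "www.example.org"),
]

def decision_table(rules):
    return {label: http_access(rules, src, host) for label, src, host in CASES}

if __name__ == "__main__":
    for name, rules in (("two rules", TWO_RULES), ("three rules", THREE_RULES)):
        print(name, decision_table(rules))
```

Under these assumptions the two-rule set denies every non-kiosk client, while the three-rule set confines only kiosk clients to the listed domains.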