Re: [squid-users] Sequence of http_access rules

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 27 May 2008 16:13:40 +1200 (NZST)

>
>
> Jaap Cammeraat wrote:
>> Thx!
>> And what is the best way...
>>
>
> There's no best way ... there's the way that meets your criteria.
>
> You have to arrange the http_access rules to meet your criteria;
> there are no hints or tips about that. That's just your criteria and
> the logical order of the rules.

There are several bad ways though, with varying degrees of security.

In general I advise an order that blocks first and allows later, using the
broadest criteria and fastest ACL types early and the fine-tuning detail
ones later.

Things along the lines of:

 1) block relaying of all external requests (if possible)
 2) allowing local machines with unlimited access
 3) general allow authentications
 4) other specific complicated denials
 5) other complicated allows
 6) "deny all"

Amos
Received on Tue May 27 2008 - 04:13:43 MDT
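
One way the six-step ordering above could look in squid.conf, as an added example that is not part of Amos's message or of the Squid project's own configuration. The networks, ACL names, blocked domain and auth helper path are constructed placeholders, and reading step 1 as "deny any client outside the local networks" is an assumption.

```conf
# --- ACL definitions (all values constructed for illustration) ---
acl localnet     src 192.168.0.0/16                 # every internal client
acl admin_hosts  src 192.168.1.10 192.168.1.11      # machines given unlimited access
acl office_net   src 192.168.2.0/24                 # users who must log in
acl guest_net    src 192.168.3.0/24                 # unauthenticated, restricted
acl blocked_sites dstdomain .example.net
acl work_hours   time MTWHF 08:00-18:00

# Helper name and path vary by Squid version and distribution
# (ncsa_auth in older releases, basic_ncsa_auth in later ones).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authed proxy_auth REQUIRED

# --- http_access: first matching line wins, so order is the policy ---

# 1) Block relaying for external clients. A src check is cheap and broad,
#    so it goes first and nothing below is evaluated for outsiders.
http_access deny !localnet

# 2) Local machines with unlimited access.
http_access allow admin_hosts

# 3) General authenticated allow. ACLs on one line are tested left to
#    right, so the fast src test runs before the slow auth helper, and
#    guest_net clients fall through without being challenged.
http_access allow office_net authed

# 4) Specific, more complicated denials for whoever is left.
http_access deny guest_net blocked_sites

# 5) Specific, more complicated allows.
http_access allow guest_net work_hours

# 6) Explicit final deny, so the outcome never depends on Squid's
#    implicit default for requests that match nothing above.
http_access deny all
```

Moving line 3 above line 1, or line 5 above line 4, changes who gets through without changing any ACL definition: the first would send outside clients an authentication challenge instead of a plain denial, the second would let guest_net reach the blocked domain during work hours.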
