I got it, thanks for your replies.


----- Original Message ----- From: "Amos Jeffries" <squ...@treenet.co.nz>
To: "wangwen" <wangw...@126.com>
Cc: <squid-users@squid-cache.org>
Sent: Wednesday, September 30, 2009 10:29 AM
Subject: Re: [squid-users] Squid "acl port"


On Wed, 30 Sep 2009 09:46:04 +0800, "wangwen" <wangw...@126.com> wrote:
Hi All.

I have a question about the use of “acl port” in squid.conf.

Generally the proxy has the following three cases:

1. Standard proxy cache server: In order to realize this approach, we must indicate the IP and port of the proxy server in the browser of every internal host.

2. Transparent proxy cache server: The transparent cache intercepts network traffic, filters HTTP traffic (on port 80), and handles the request if the item is in the cache.

3. Reverse proxy cache server: It usually listens on port 80 to accept client requests. When guests access the proxy server, they will just feel like they are visiting the backend server. Users can't see the backend server here.


In the first case: Entering “IP:port” in the browser we can access any website. According to the IP address and port in the browser, the proxy server controls user access. In this case we can use “acl port” in squid.conf to control access.

In the second case: Entering “IP:port” in the browser we can access any website. But a request URL which does not include port 80 will not be sent to the proxy server. I think that “acl port” is useless in this case.

In the third case: Entering “IP of reverse proxy server:port” in the browser we can access the backend server. I think that “acl port” is useless in this case.

From what we analyzed before, “acl port” only takes effect in the first case, or does it? If not, can anybody give me some examples of using “acl port” in the other cases?

Thank you.

When referring to the receiving http_port in squid prefer the myportname
feature. All other port ACL types are unreliable in some modes.

ACL type "port" - refers to the client destination port when in normal proxy mode. In reverse proxy mode this is the client destination port (provided NAT and load balancers have not been involved anywhere down the chain), which should usually be 80, but may be some other squid receiving accel port if used by web apps or altered by intermediate devices/software.

ACL type "myport" - refers to the squid receiving port. In reverse proxy mode expect this to be identical to the above (aka client destination port). Usable in forward and reverse proxy mode for non-standard or multiple proxy listening ports.

NOTE: _neither_ of the above methods works reliably in transparent mode. The IP:port for both squid and the client, and the client destination, are volatile based on system NAT capabilities, OR if they are reliably set should always be 80. Every install combo of operating system, firewall, NAT engine and Squid version needs to be tested to see what the ACL matches. TPROXY interception also faces the same problems with even weirder behavior, setting "myport" to the client source port, which should be completely random and unusable.

ACL type "myportname" - refers to the squid receiving port by explicit name
in all modes.

Amos
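A squid.conf fragment illustrating the advice above, added here as an example; it is not taken from the thread or from Squid's own documentation. It runs one listener per deployment mode, names each one, and keys access rules on `myportname` rather than on `port` or `myport`. Listener names, addresses and port numbers are constructed, and the `intercept` keyword assumes Squid 3.1 or later (earlier releases spelled it `transparent`).

```conf
# Added example, not part of the original thread. Constructed values throughout.
# Assumes Squid 3.1+ ("intercept" replaced "transparent" on http_port in 3.1).

# Three listeners, one per deployment mode, each with an explicit name.
http_port 3128 name=fwd_proxy                 # standard (forward) proxy
http_port 3129 intercept name=tproxy          # transparent interception via NAT redirect
http_port 80 accel vhost name=rev_proxy       # reverse proxy (accelerator)

# Origin server behind the reverse proxy (constructed address).
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=backend

# ACLs keyed on the listener name work identically in all three modes.
acl on_fwd    myportname fwd_proxy
acl on_tproxy myportname tproxy
acl on_rev    myportname rev_proxy

acl localnet src 192.168.1.0/24               # constructed internal range
acl CONNECT method CONNECT

# "port" matches the destination port the client asked for. That is
# meaningful in forward mode, where the browser sends the full URL, and
# unreliable on the intercept listener, so it is only applied to on_fwd.
acl Safe_ports port 80 443
acl SSL_ports port 443

# Forward proxy: internal clients only, sane destination ports only.
http_access deny  on_fwd !localnet
http_access deny  on_fwd !Safe_ports
http_access deny  on_fwd CONNECT !SSL_ports
http_access allow on_fwd localnet

# Intercepted traffic: no "port"/"myport" tests here; restrict by listener
# name and client source address, which NAT does not disturb.
http_access allow on_tproxy localnet
http_access deny  on_tproxy

# Reverse proxy: any client may reach the accelerated site, but only
# requests that arrived on the accelerator listener may be routed to the
# origin server.
http_access allow on_rev
cache_peer_access backend allow on_rev
cache_peer_access backend deny !on_rev

# Everything not matched above is denied. "all" is predefined in Squid 3.1+;
# on older releases declare it first with: acl all src all
http_access deny all
```

The point of the layout is that each `http_access` line states which listener it governs, so a rule written for the forward proxy can never be reached by an intercepted or accelerated request whose observed destination port happens to coincide. Checking the result with `squid -k parse` after editing, and then testing one request per listener, is the quickest way to confirm that the named-port matching behaves the same on a given OS/NAT combination.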




