After discussion in the last week in the thread "Managing large
http_access lists: alternative methods", I decided to code a hack to
Squid 1.1.21 to:
* restrict access to our caches (abuse, alas!).
* allow clients from our customers' networks access as usual.
* centralize the list of customers' networks, namely a DNS zone
(a single file), for approx. 4900 class B and class C equivalents
I've added a new Squid access list type, called "srcipmap". The
relevant portion of the "squid.conf" file looks like:
acl mrnetcustnets srcipmap custnets.mr.net
http_access allow mrnetcustnets
In order for the ACL type to match a client's IP address A.B.C.D, the
address D.C.B.A.some.domain, e.g. D.C.B.A.custnets.mr.net, must have a
DNS A record associated with it.
The DNS zone file was created through laziness, namely by querying our
core routers for networks with AS paths of "", "5006", and "1347" (for
our two AS numbers), then massaging the results with a Perl script.
The zone file looks like:
@ IN SOA NS.MR.NET. hostmaster.MR.Net. ( 199804140 86400 7200 604800 86400 )
    IN NS NS.MR.Net.
    IN NS NS2.MR.Net.
; Class B networks
$ORIGIN 162.128.custnets.mr.net.
* in a 10.10.10.10
$ORIGIN 17.129.custnets.mr.net.
* in a 10.10.10.10
; Part of CIDR block MRNET-C-BLOCK10
$ORIGIN 90.32.209.custnets.mr.net.
* in a 10.10.10.10
$ORIGIN 91.32.209.custnets.mr.net.
* in a 10.10.10.10
$ORIGIN 92.32.209.custnets.mr.net.
* in a 10.10.10.10
$ORIGIN 93.32.209.custnets.mr.net.
* in a 10.10.10.10
I still have a bit more testing to do (memory leaks, trying in HTTP
accelerator mode), but I thought I'd let y'all know now that I gave it
a whirl and it seems to work. If there's interest, I can forward
diffs to the mailing list or make them available on a Web server
somewhere.
-Scott
---
Scott Lystig Fritchie, Senior Systems Administrator
fritchie@mr.net, PGP key #152B8725
MRNet, a MEANS Telcom Company
v: 612/362.5820, p: 612/637.9547
2829 University Ave SE, Minneapolis, MN 55414 USA
http://www.mr.net/
"We're in the middle of another commercial-free decade." -- Minnesota Public Radio

Received on Thu Apr 16 1998 - 22:14:29 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:39:43 MST