LinuxQuestions.org


simplyrahul 02-16-2005 02:00 PM

never_direct deny all vs. always_direct deny all
 
Hi,

Can anyone please clarify for me the difference between these two with respect to external sites in Squid?

never_direct deny all vs. always_direct deny all

Thanks in advance

- Rahul

secesh 02-16-2005 02:42 PM

I kinda thought it was self-explanatory... please elaborate...

Quote:

Tag Name always_direct
Usage always_direct allow|deny [!]aclname ...

Description
Here you can use ACL elements to specify requests, which should ALWAYS be forwarded directly to origin servers. This is mostly used while using cache_peer. See also never_direct.
Default always_direct is by default deny.

Example
For example, to always directly forward requests for local servers use something like:
acl local-servers dstdomain .my.domain.net
always_direct allow local-servers

To always forward FTP requests directly, use
acl FTP proto FTP
always_direct allow FTP

Example for denying specific domain
acl local-external dstdomain .external.foo.net
acl local-servers dstdomain .foo.net
always_direct deny local-external
always_direct allow local-servers

Caution
There is a similar, but opposite option named 'never_direct'. You need to be aware that "always_direct deny foo" is NOT the same thing as "never_direct allow foo". You may need to use a deny rule to exclude a more-specific case of some other rule.


Tag Name never_direct
Usage never_direct allow|deny [!]aclname ...

Description
never_direct is the opposite of always_direct. Please read the description for always_direct if you have not already.

With 'never_direct' you can use ACL elements to specify requests, which should NEVER be forwarded directly to origin servers.

When always_direct and never_direct are deny (by default), Squid selects based on the request type and a number of other factors if a parent should be used or not, and if a parent could not be reached it will always fall back on direct.

If always_direct is allow then Squid will always go direct to the source without considering any peers.

If never_direct is allow then Squid will never attempt to go direct to the source. Instead it tries very hard to find a parent to send the request to. If no parent can be found then an error is returned.
Default never_direct is by default deny.

Example
For example, to force the use of a proxy for all requests, except those in your local domain use something like:

acl local-servers dstdomain foo.net
acl all src 0.0.0.0/0.0.0.0
never_direct deny local-servers
never_direct allow all

or if squid is inside a firewall and there are local intranet servers inside the firewall then use something like:

acl local-intranet dstdomain .foo.net
acl local-external dstdomain .external.foo.net
always_direct deny local-external
always_direct allow local-intranet
never_direct allow all

Caution
It will be better to understand always_direct before enabling this tag.
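
A simplified model of the decision rules quoted above, added here as an example; it is not part of the thread and not Squid's own code. It shows that "deny all" on both directives leaves Squid free to fall back to direct, while a never_direct allow match returns an error when no parent is reachable. The function names, return labels, `parent_up` flag and sample hostnames are assumptions made for illustration.

```python
# Simplified model of the rules in the quoted documentation; not Squid's code.
# Assumptions: function names, return labels, the parent_up flag, and "deny"
# when no rule in a list matches (the documented default for both directives).

def dstdomain(pattern, host):
    """A leading dot matches the domain itself and any subdomain."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def first_match(rules, host, acls):
    """Return the action of the first rule whose ACL matches the host."""
    for action, aclname in rules:
        if aclname == "all" or any(dstdomain(p, host) for p in acls[aclname]):
            return action
    return "deny"

def route(host, acls, always_direct, never_direct, parent_up):
    if first_match(always_direct, host, acls) == "allow":
        return "DIRECT"                            # peers are not considered
    if first_match(never_direct, host, acls) == "allow":
        return "PARENT" if parent_up else "ERROR"  # never goes direct
    # Both deny: Squid picks a path itself and falls back to direct.
    return "SQUID_CHOOSES" if parent_up else "DIRECT"

# The firewall example from the quoted documentation.
ACLS = {"local-intranet": [".foo.net"], "local-external": [".external.foo.net"]}
FW_ALWAYS = [("deny", "local-external"), ("allow", "local-intranet")]
FW_NEVER = [("allow", "all")]

# The configuration asked about: both directives set to "deny all".
DENY_ALL = [("deny", "all")]

if __name__ == "__main__":
    # Constructed sample hostnames.
    for host in ("www.foo.net", "www.external.foo.net", "example.org"):
        for up in (True, False):
            print(host, "parent_up=%s" % up,
                  "firewall:", route(host, ACLS, FW_ALWAYS, FW_NEVER, up),
                  "deny-all:", route(host, ACLS, DENY_ALL, DENY_ALL, up))
```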

