Re: squid.conf -- acl flags -= Still no go! =-

From: Duncan Anker <dunc1@dont-contact.us>
Date: Tue, 06 May 1997 16:54:19 PDT

>Date: Tue, 6 May 1997 16:59:40 -0400 (EDT)
>From: Jason Lixfeld <jlixfeld@idirect.com>
>To: Duncan Anker <dunc1@hotmail.com>
>cc: squid-users@nlanr.net
>Subject: Re: squid.conf -- acl flags -= Still no go! =-
>
>Ok, now I have this:
>
>acl manager proto cache_object
>acl localhost src 127.0.0.1/255.255.255.255
>acl officenet src 207.136.72.0/255.255.255.0 207.136.75.65/255.255.255.192
>199.166.254.0/255.255.255.0 207.136.82.58/255.255.255.255
>acl all src 0.0.0.0/0.0.0.0
>acl SSL_ports port 443 563
>acl CONNECT method CONNECT
>
>http_access deny !officenet
>icp_access deny !officenet
>
>Do you think I should add a http_access deny all, icp_access deny all?

No. If you deny all, officenet won't work either.

I tried it with this config, and the proxy does not give me an error,
>however if I go back and look into the access.log I get:
>
>862939318.735 99 207.136.82.0 TCP_DENIED/400 469 GET
>http://www.cyberlibel.com/ - NONE/- -
>862939328.658 4 207.136.82.0 TCP_DENIED/400 469 GET
>http://www.cyberlibel.com/ - NONE/- -
>862939861.198 6142 207.136.80.0 ERR_INVALID_REQ/400 290 NONE - - NONE/- -
>
>but I was under the impression that squid would give you a 403 error when
>trying to access the proxy.

I'm not sure what error code it should return. 403 would make sense.
You can actually customise this, though. There is a section called
deny_info which allows you to point the browser to a specific page
when access is denied. So you could set up an HTML document
explaining that only officenet users can access the proxy, which
most users would find more informative than a generic permission
denied message anyway.

> Funny though, I'm currently at an IP of
>207.136.98.14 and I have been accessing this proxy (for testing purposes).
>As I said before, I can get to all the sites, but the entries do not show
>up in any of the logs. And I do not get any of the errors in the logs as
>described above.

Interesting. Is your client going direct, or talking to a different
proxy? That's the only thing I can think of.

--
Duncan Anker         http://www.angelfire.com/or/darcknight/
                     
Health freaks are going to feel stupid one day, when they're
lying in a hospital bed, dying of nothing.
---------------------------------------------------------
Get Your *Web-Based* Free Email at http://www.hotmail.com
---------------------------------------------------------
Received on Tue May 06 1997 - 16:57:44 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:07 MST