HELP: Squid2.1P2, acls, auth...

From: Ingo Neis <i.neis@dont-contact.us>
Date: Tue, 2 Mar 1999 19:55:40 +0100

Hi.

Imagine:
Standard VPN structure: central company and a dial-in office.
In the dial-in office, squidV2p1 is installed without any DNS; it should forward all
allowed requests to 10.1.1.1 in the central office.

Now I have users in the dial-in office who are allowed to access
addresses in the central company (*.foo.org) and other users who
should have full access to all addresses. With the following setup I
get strange behaviour: when I have only the following line active:
http_access allow localdom local-users
everything works fine. Only these users can connect to *.foo.org.

But if I add
http_access allow all internet-users

everybody can connect to any address!

Please help!

Ingo.

My squid.conf:
# 10.1.1.1 is the parent in central office, it is fully internet-connected
cache_peer 10.1.1.1 parent 3128 3130

acl QUERY urlpath_regex cgi-bin \? .pl
no_cache deny QUERY

dns_nameservers none
# in squid.user all users:pwds are listed
authenticate_program /usr/bin/ncsa_auth /opt/squid/etc/squid.user
negative_ttl 1 second

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
# local-users is just a file with usernames from squid.user
acl local-users proxy_auth "/opt/squid/etc/local-users"
# like local-users but other usernames
acl internet-users proxy_auth "/opt/squid/etc/internet-users"
acl localdom dstdomain foo.org

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localdom local-users
http_access allow all internet-users
http_access deny all
icp_access allow all
miss_access allow all
# this is to forward everything to 10.1.1.1, I hope
never_direct allow all

Ingo.
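As an added illustration (not part of the post or of Squid), here is a small Python model of how Squid combines http_access lines: every ACL on one line must match (AND), the first line whose ACLs all match decides, a leading "!" negates an ACL, and if no line matches the default is the opposite of the last line's action. It replays the rules from the squid.conf above (the manager lines are left out) against constructed requests. The user lists are made-up stand-ins for the two files in the config, and the model does not reproduce Squid's real proxy_auth flow, in which an unauthenticated request gets a 407 challenge rather than a plain deny.

```python
"""Simplified first-match model of Squid http_access evaluation (illustration only)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample contents standing in for /opt/squid/etc/local-users and
# /opt/squid/etc/internet-users; the real files are not on the page.
LOCAL_USERS = {"alice"}
INTERNET_USERS = {"bob"}


@dataclass
class Request:
    src: str            # client IP
    dst_host: str       # requested host
    dst_port: int       # requested port
    method: str         # HTTP method, e.g. GET or CONNECT
    user: Optional[str]  # authenticated username, None if no credentials sent


def dstdomain(domain: str) -> Callable[[Request], bool]:
    """Squid dstdomain semantics: the host itself or any subdomain of it."""
    return lambda r: r.dst_host == domain or r.dst_host.endswith("." + domain)


# ACL definitions mirroring the acl lines in the posted squid.conf.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "all": lambda r: True,
    "localhost": lambda r: r.src == "127.0.0.1",
    "SSL_ports": lambda r: r.dst_port in (443, 563),
    "Safe_ports": lambda r: r.dst_port in (80, 21, 443, 563, 70, 210)
    or 1025 <= r.dst_port <= 65535,
    "CONNECT": lambda r: r.method == "CONNECT",
    # proxy_auth "file" ACLs: match only if the authenticated user is listed
    "local-users": lambda r: r.user in LOCAL_USERS,
    "internet-users": lambda r: r.user in INTERNET_USERS,
    "localdom": dstdomain("foo.org"),
}

# http_access lines in the order they appear in the config (manager lines omitted).
HTTP_ACCESS: List[Tuple[str, List[str]]] = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localdom", "local-users"]),
    ("allow", ["all", "internet-users"]),
    ("deny", ["all"]),
]


def acl_matches(name: str, r: Request) -> bool:
    """Evaluate one ACL reference, honouring the '!' negation prefix."""
    if name.startswith("!"):
        return not ACLS[name[1:]](r)
    return ACLS[name](r)


def http_access(r: Request) -> Tuple[str, int]:
    """Return (action, index of the deciding line); index -1 means the default applied."""
    for i, (action, acls) in enumerate(HTTP_ACCESS):
        if all(acl_matches(a, r) for a in acls):
            return action, i
    # Squid default when nothing matches: the opposite of the last line's action.
    last = HTTP_ACCESS[-1][0]
    return ("deny" if last == "allow" else "allow"), -1


if __name__ == "__main__":
    samples = [
        Request("10.2.0.5", "www.foo.org", 80, "GET", "alice"),
        Request("10.2.0.5", "www.example.com", 80, "GET", "alice"),
        Request("10.2.0.5", "www.example.com", 80, "GET", "bob"),
        Request("10.2.0.5", "www.foo.org", 80, "GET", None),
        Request("10.2.0.5", "www.example.com", 8080, "CONNECT", "bob"),
    ]
    for s in samples:
        print(s.user, s.method, f"{s.dst_host}:{s.dst_port}", "->", http_access(s))
```

Running the model shows the rule set as written: alice reaches *.foo.org only, bob reaches everything on safe ports, an unauthenticated request or a CONNECT to a non-SSL port is denied. Whatever the real Squid 2.1 behaviour behind the reported problem, checking which line decides each request is the first step in narrowing it down.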
Received on Tue Mar 02 1999 - 11:39:52 MST