Re: [SQU] acl allow and deny, is it order dependent?

From: Mark Worsdall <squid@dont-contact.us>
Date: Tue, 17 Oct 2000 20:39:47 +0100

>But AFAIK I read in the manual that the 'rules' apply in the order of
>occurrence in the configuration file plus the rule that there is an
>implicit allow/deny (exactly the opposite of the last command) all at the
>end of the rules added by squid.
>
>Even if it seems odd to you, this gives you the highest flexibility.
>You decide about the order when writing the config file. Finally IMHO
>it follows the rule of the least surprise too.
>
>In your configuration I don't understand some things:
>a) Is deniedsites exactly equal to !allowedsites? If so:
>
> http_access deny deniedsites
> http_access allow allowedsites

deniedsites is a file acl and it contains sites we ban.
allowedsites is a file acl and it contains sites we allow access to
without password authentication. We have a situation where there is
apache running on the same machine which allows access from external IP
addresses, but controlled by .htaccess; anyway the server also serves
personal web pages in ~Users format, and since that IP is a genuine internet
IP it would be banned by a time acl if not allowed here.

>
> is superfluous. Only the first line would suffice. Furthermore,
> allowedsites are completely allowed w/o time and password checking.
> This might be intentional.. but from your question I don't think so.
>
> Same for porn/noporn.

Here I was just following what was given on the website where I
got the ban list text file from.

>
>b) http_access allow password
> would allow all people with a password. It won't check any time limits
> or porn restrictions. Maybe you intended:
> http_access deny !password
> ?

What I wanted was to get authentication if trying to access the internet
within the correct time.

So (rules changed today by my boss), allow internet access between 9am
and 6.30pm weekdays, if they have authenticated themselves correctly.

Do not allow access if they fail to enter a valid password

Do not allow access if outside the above time

So now my rules are:-

acl deniedsites url_regex "/usr/local/etc/squid/squid-deny.txt"
acl allowedsites url_regex "/usr/local/etc/squid/squid-allow.txt"
acl porn url_regex "/usr/local/etc/squid/porn.block.txt"
acl noporn url_regex "/usr/local/etc/squid/porn.unblock.txt"
acl okTime time MTWHF 09:00-18:30
acl weTime time AS 00:00-23:59
acl amTime time MTWHF 00:00-08:59
acl pmTime time MTWHF 18:30-23:59
acl password proxy_auth 300
#
http_access deny deniedsites
http_access allow allowedsites
http_access allow noporn all
http_access deny porn
http_access deny amTime
http_access deny pmTime
http_access deny weTime
http_access allow okTime
http_access allow password

http_access allow all

But I'm still not sure if they're in the correct order?

M.

-- 
He came from Econet - Oh no, I've run out of underpants :(
Home:- jaydee@wizdom.org.uk       http://www.wizdom.org.uk
Shadow:- webmaster@shadow.org.uk  http://www.shadow.org.uk
Work:- netman@hinwick.demon.co.uk http://www.hinwick.demon.co.uk
Web site Monitoring:-             http://www.shadow.org.uk/SiteSight/
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Tue Oct 17 2000 - 13:43:55 MDT
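As an added illustration (not code from this thread or from Squid itself), here is a small Python model of the http_access semantics the quoted reply describes: lines are tried top to bottom, every ACL on a line must match, the first matching line decides, and when nothing matches the default is the opposite of the last line's action. It assumes constructed url_regex patterns in place of the poster's list files and reduces proxy_auth to "the request carried valid credentials".

```python
from datetime import datetime
import re

DAYS = "MTWHFAS"  # Squid day letters Monday..Sunday (A = Saturday, S = Sunday)

def time_acl(spec):
    """Predicate for a Squid 'time' ACL spec such as 'MTWHF 09:00-18:30' (inclusive)."""
    days, rng = spec.split()
    lo, hi = (int(t[:2]) * 60 + int(t[3:]) for t in rng.split("-"))
    return lambda req: (DAYS[req["time"].weekday()] in days
                        and lo <= req["time"].hour * 60 + req["time"].minute <= hi)

def url_regex_acl(patterns):
    """Stand-in for a url_regex ACL read from a file; these patterns are constructed."""
    return lambda req: any(re.search(p, req["url"]) for p in patterns)

# Assumption: proxy_auth is reduced to "the request carried valid credentials".
ACLS = {
    "deniedsites": url_regex_acl([r"banned\.example"]),
    "allowedsites": url_regex_acl([r"^http://www\.example\.org/~"]),
    "porn": url_regex_acl([r"adult\.example"]),
    "noporn": url_regex_acl([r"health\.example"]),
    "okTime": time_acl("MTWHF 09:00-18:30"),
    "weTime": time_acl("AS 00:00-23:59"),
    "amTime": time_acl("MTWHF 00:00-08:59"),
    "pmTime": time_acl("MTWHF 18:30-23:59"),
    "password": lambda req: req["authenticated"],
    "all": lambda req: True,
}
# The http_access lines from the message, in the order given.
RULES = [
    ("deny", ["deniedsites"]), ("allow", ["allowedsites"]),
    ("allow", ["noporn", "all"]), ("deny", ["porn"]),
    ("deny", ["amTime"]), ("deny", ["pmTime"]), ("deny", ["weTime"]),
    ("allow", ["okTime"]), ("allow", ["password"]), ("allow", ["all"]),
]

def matches(name, req):
    """Evaluate one ACL reference, honouring Squid's '!' negation."""
    return not ACLS[name[1:]](req) if name.startswith("!") else ACLS[name](req)

def http_access(rules, req):
    """First line whose ACLs all match decides; else the opposite of the last line."""
    for action, names in rules:
        if all(matches(n, req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def check(url, when, authenticated=False, rules=RULES):
    """when is 'YYYY-MM-DD HH:MM'; returns 'allow' or 'deny'."""
    req = {"url": url, "time": datetime.strptime(when, "%Y-%m-%d %H:%M"),
           "authenticated": authenticated}
    return http_access(rules, req)
```

Against the rules as listed, an unauthenticated weekday request at 10:00 to a neutral site returns allow, because the "allow okTime" line matches before "allow password" is ever reached; inserting a "deny !password" line ahead of it, as the quoted reply suggests, makes the same request deny while an authenticated one still passes.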

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:46 MST