Re: [SQU] acl allow and deny, is it order dependent?

From: Ilja Pavkovic <illsen@dont-contact.us>
Date: Tue, 17 Oct 2000 23:29:19 +0200

Hi,

> what I wanted was to get authentication if trying to access the internet
> within the correct time.
>
> So (rules changed today by my boss), allow internet access between 9am
> and 6.30pm weekdays, if they have authenticated themselves correctly.
>
> Do not allow access if they fail to enter a valid password
>
> Do not allow access if outside the above time
>
> so now my rules are:-
>
> acl deniedsites url_regex "/usr/local/etc/squid/squid-deny.txt"
> acl allowedsites url_regex "/usr/local/etc/squid/squid-allow.txt"
> acl porn url_regex "/usr/local/etc/squid/porn.block.txt"
> acl noporn url_regex "/usr/local/etc/squid/porn.unblock.txt"
> acl okTime time MTWHF 09:00-18:30
> acl weTime time AS 00:00-23:59
> acl amTime time MTWHF 00:00-08:59
> acl pmTime time MTWHF 18:30-23:59
> acl password proxy_auth 300
> http_access deny deniedsites
> http_access allow allowedsites
> http_access allow noporn all
> http_access deny porn
> http_access deny amTime
> http_access deny pmTime
> http_access deny weTime
> http_access allow okTime
> http_access allow password
> http_access allow all

You try to implement AND inclusions with OR rules. Remember: rules in
squid.conf are AND composited if they are in different lines. They are OR
composited if they are in one line.

Also remember the fact that you can use !A OR B for the boolean implication
A -> B.

I try to translate your conditions:
# what I wanted was to get authentication if trying to access the internet
# within the correct time.
# So (rules changed today by my boss), allow internet access between 9am
# and 6.30pm weekdays, if they have authenticated themselves correctly.
# this means:
# okTime AND password AND all -> ALLOW
# translated : okTime OR password OR allow OR all
http_access allow okTime password all

# Do not allow access if they fail to enter a valid password
# this means:
# all AND !password -> DENY
http_access deny !password all

# Do not allow access if outside the above time
# this means:
# all AND !okTime -> DENY
http_access deny all !oktime

I would suggest a shorter version:
http_access allow all okTime password
http_access deny all

I hope that I did not confuse you too much :)

Ilja Pavkovic

Received on Tue Oct 17 2000 - 15:32:00 MDT
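
Added example, not part of the original message and not Squid's own code: a small Python model that runs the posted rule list and the suggested two-line version through Squid's http_access processing, where lines are checked top to bottom, the first line whose ACLs all match decides, and an unmatched request gets the opposite of the last line's action. It assumes the requested URL is on none of the url_regex lists and treats "password" as matching only when valid credentials were supplied; the function names are hypothetical.

```python
from datetime import datetime

# Time ACLs exactly as posted: name -> (Squid day codes, start, end).
TIME_ACLS = {"okTime": ("MTWHF", "09:00", "18:30"), "weTime": ("AS", "00:00", "23:59"),
             "amTime": ("MTWHF", "00:00", "08:59"), "pmTime": ("MTWHF", "18:30", "23:59")}
DAY_CODES = "MTWHFAS"  # indexed by datetime.weekday(): Monday=0 ... Sunday=6

ORIGINAL = """
http_access deny deniedsites
http_access allow allowedsites
http_access allow noporn all
http_access deny porn
http_access deny amTime
http_access deny pmTime
http_access deny weTime
http_access allow okTime
http_access allow password
http_access allow all
"""
SUGGESTED = """
http_access allow all okTime password
http_access deny all
"""

def matching_acls(when, authenticated):
    """ACL names that match a request whose URL is on none of the url_regex lists."""
    matched, now = {"all"}, when.strftime("%H:%M")
    for name, (days, start, end) in TIME_ACLS.items():
        if DAY_CODES[when.weekday()] in days and start <= now <= end:
            matched.add(name)
    if authenticated:  # simplification: the 407 challenge round trip is not modelled
        matched.add("password")
    return matched

def decide(rules, matched):
    """Return the action of the first line whose ACLs all match (AND within a line)."""
    last = None
    for line in rules.strip().splitlines():
        _, last, *acls = line.split()
        if all((a[1:] not in matched) if a.startswith("!") else (a in matched) for a in acls):
            return last
    return "deny" if last == "allow" else "allow"  # no match: opposite of last line

def access(rules, when, authenticated):
    """Decision for a request at `when` under the given http_access lines."""
    return decide(rules, matching_acls(when, authenticated))
```

In this model the posted list lets an unauthenticated request through during okTime, because `http_access allow okTime` matches before the password line is ever reached; the two-line version allows only when both match.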
