Re: [squid-users] changing the access denied message for different clients (using acls)

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 23 Mar 2001 23:47:15 +0100

Edmund Haworth wrote:

> is there reason why the ERR_ACCESS_DENIED page is displayed on student
> clients as well as staff?
> have i overlooked something?

You have overlooked the way deny_info works. It matches the last ACL name
on the http_access line that denies access. In your case "all" (which,
btw, is redundant in most of your rules).

The way deny_info is designed is more to provide different error
messages for different reasons to why the request was denied. I.e. one
message per blocking list, such as in

http_access deny badDomains
http_access deny badLang

With some http_access magic you can however make it match different
groups of people, but it requires some duplication of rules to sort the
groups out.

http_access deny staff badDomains staff
http_access deny student badDomains student
...
(the reason why the group is listed both first and last is processing
intensity)

Another note: Your http_access ruleset is not what you think it is.
Quite far from it, actually. Squid reads http_access top-down, and stops at
the first line that fully matches the request. So the line

http_access deny badLang

blocks all access to those.

Later in the list you have

http_access allow goodLang

which gives the whole world access to use your proxy to reach goodLang
sites not matching the deny lists above it in squid.conf.

Usually what a Squid configuration should look like is to first deny all
users but the one that should be allowed to access the proxy, and then
sort out how the allowed users are allowed to use the proxy.

# Deny all other users access
http_access deny !student !staff !studentdom !staffdom

# Special cases that should not be blocked
http_access allow goodLang
http_access allow good....

# Block access to bad sites
http_access deny badLang
[here you can use the trick described above if you want to give error
messages per user group rather than per destination]

# Allow access to all other sites
http_access allow all

The last line can be replaced by a more explicit listing of the users again
(one per line), but listing the users here should not make any
difference for the ruleset as such.

--
Henrik Nordstrom
Squid Hacker
Received on Fri Mar 23 2001 - 17:10:34 MST
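The two rules the reply leans on (http_access is evaluated top-down and the first line whose ACLs all match wins; deny_info is keyed by the last ACL name on the denying line) are easy to get wrong by reading a ruleset as a set instead of a sequence. The following is an added example, not Squid code and not the original poster's configuration: a small Python model of that evaluation, run over a constructed ruleset in the shape the reply criticises ("all" appended to every deny, "allow goodLang" before any user check) and over the ordering the reply recommends, with the per-group duplication trick. The ACL table, client IP ranges, domain names and error page names are all assumptions made for the illustration; the fallback that an unmatched request gets the opposite of the last line's action is taken from the squid.conf documentation, and stripping "!" before the deny_info lookup is this model's assumption about how a negated ACL is named.

```python
"""Toy model of Squid http_access / deny_info evaluation (added example, not Squid's code)."""
import ipaddress


def src_in(cidr):
    """ACL predicate: client address inside a network (assumed ranges, see table below)."""
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["src"]) in net


def dst_in(domains):
    """ACL predicate: destination host equals, or is a subdomain of, one of the names."""
    return lambda req: any(req["dst"] == d or req["dst"].endswith("." + d) for d in domains)


# Constructed ACL table. The names match the ones used in the thread; the values are
# illustrative and not from the original post.
ACLS = {
    "student":    src_in("10.1.0.0/16"),
    "staff":      src_in("10.2.0.0/16"),
    "badDomains": dst_in({"bad.example"}),
    "goodLang":   dst_in({"good.example"}),
    "all":        lambda req: True,
}


def parse_rules(text):
    """Parse 'http_access allow|deny acl [acl ...]' lines; '#' comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if len(words) < 3 or words[0] != "http_access" or words[1] not in ("allow", "deny"):
            raise ValueError("unsupported line: " + line)
        rules.append((words[1], words[2:]))
    return rules


def acl_matches(token, req):
    """A leading '!' negates the ACL; unknown names raise, like a Squid parse error would."""
    name = token.lstrip("!")
    return ACLS[name](req) != token.startswith("!")


def http_access(rules, deny_info, req):
    """Return (decision, error_page).

    Rules are read top-down; the first line whose ACLs ALL match decides. On a deny,
    the error page is selected by the last ACL name on that line (deny_info semantics
    as described in the reply). If no line matches, the default is the opposite of the
    last line's action (squid.conf documentation).
    """
    for action, tokens in rules:
        if all(acl_matches(t, req) for t in tokens):
            if action == "allow":
                return "allow", None
            last_acl = tokens[-1].lstrip("!")  # model assumption: '!' is not part of the name
            return "deny", deny_info.get(last_acl, "ERR_ACCESS_DENIED")
    last_action = rules[-1][0] if rules else "deny"
    return ("deny", "ERR_ACCESS_DENIED") if last_action == "allow" else ("allow", None)


# Assumed deny_info table: one custom page per user group.
DENY_INFO = {"staff": "ERR_STAFF_DENIED", "student": "ERR_STUDENT_DENIED"}

# Constructed ruleset in the shape the reply criticises: every deny ends in "all", so
# deny_info always keys on "all", and "allow goodLang" sits before any user check.
ORIGINAL = parse_rules("""
http_access deny badDomains all
http_access allow goodLang
http_access allow student all
http_access allow staff all
http_access deny all
""")

# Ordering recommended in the reply: lock out non-users first, then the exceptions,
# then the per-group block lists (group listed first and last), then allow the rest.
FIXED = parse_rules("""
http_access deny !student !staff
http_access allow goodLang
http_access deny staff badDomains staff
http_access deny student badDomains student
http_access allow all
""")


if __name__ == "__main__":
    samples = [("10.1.5.5", "bad.example"), ("10.2.1.1", "bad.example"),
               ("192.0.2.1", "good.example"), ("10.1.5.5", "other.example")]
    for src, dst in samples:
        req = {"src": src, "dst": dst}
        print(f"{src:>10} -> {dst:<14} original={http_access(ORIGINAL, DENY_INFO, req)} "
              f"fixed={http_access(FIXED, DENY_INFO, req)}")
```

Running it shows the two points of the reply side by side: under the first ruleset a student hitting bad.example gets the generic ERR_ACCESS_DENIED because "all" is the last ACL on the denying line, and an outside address (192.0.2.1) reaches good.example through the proxy; under the second, the same student gets ERR_STUDENT_DENIED, staff get ERR_STAFF_DENIED, and the outsider is refused. One caveat the model makes visible: the outsider is refused by the line "deny !student !staff", whose last ACL name is "staff", so with this deny_info table the outsider is shown the staff page. If a dedicated page is wanted there, end that line with an ACL whose name has its own deny_info entry (or none), and verify the negated-ACL naming against the Squid version you run, since that part is an assumption of the model.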