Re: [squid-users] Problem with acl and one ip address

From: Rainer Traut <rainer.traut@dont-contact.us>
Date: Tue, 30 Oct 2001 09:07:06 +0100

Thanks, very much.
It's working now!

Rainer

----- Original Message -----
From: "Colin Campbell" <sgcccdc@citec.qld.gov.au>
To: "Rainer Traut" <rainer.traut@epost.de>
Cc: <squid-users@squid-cache.org>
Sent: Tuesday, October 30, 2001 3:33 AM
Subject: Re: [squid-users] Problem with acl and one ip address

> Hi,
>
> On Mon, 29 Oct 2001, Rainer Traut wrote:
>
> > Hi,
> > we want to deny access for a single ip,
>
> Actually you want to allow one ip to go to a restricted set of sites and
> nowhere else.
>
> > but this ip is also in another access list.
> > As far as I understood the first rule that matches
> > is applied, but it doesn't work...
>
> Yes it does. You have to understand the http_access lines. If "test" is
> going to "sites" he is allowed by the first http_access line. If he is
> not, that line doesn't match. However the checks don't stop there. Since
> the "test" ip is also part of "surf_all", whenever "test" goes somewhere
> other than "sites" he will be allowed by "http_access allow surf_all".
>
> What you need to do is:
>
> http_access allow test sites
> http_access deny test
> http_access allow surf_small sites
> http_access allow surf_all
> http_access allow manager
> http_access deny all
>
> Now, when "test" doesn't go to "sites" he is explicitly blocked.
>
> > this is a part of our squid.conf.
> > It works, only this one ip still can surf everywhere.
> >
> > acl all src 0.0.0.0/0.0.0.0
> > # this ip should access only allowed sites:
> > acl test src 172.27.49.48/32
> > # but it's also in here:
> > acl surf_all src 172.27.49.0/24
> > acl surf_small src 172.27.35.0/24
> > acl sites dstdomain "/usr/local/squid/etc/erlaubt.url"
> > http_access allow test sites
> > http_access allow surf_small sites
> > http_access allow surf_all
> > http_access allow manager
> > http_access deny all
> >
> > But he still can surf everywhere.
> > Why?
> > And what can I do?
> > it's squid 2.4 stable2 running under linux mdk kernel 2.4.8.
> >
> > thanks
> > Rainer
> >
> >
>
> Colin
> --
> Colin Campbell
> Unix Support/Postmaster/Hostmaster
> CITEC
> +61 7 3006 4710
>
Received on Tue Oct 30 2001 - 01:07:33 MST
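
Added example, not part of the original thread: a small Python model of the first-match http_access evaluation Colin describes, run against both rule orders from the messages above. The contents of erlaubt.url and the definition of "manager" do not appear in the thread, so ALLOWED_SITES and the manager ACL below are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the contents of erlaubt.url (not shown in the thread).
ALLOWED_SITES = {"intranet.example", ".example.org"}

def in_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda src, host: ipaddress.ip_address(src) in net

def dstdomain(entries):
    # A leading dot also matches subdomains; otherwise the host must match exactly.
    def match(src, host):
        host = host.lower()
        return any(host == e.lstrip(".") or (e.startswith(".") and host.endswith(e))
                   for e in entries)
    return match

ACLS = {
    "all": in_net("0.0.0.0/0"),
    "test": in_net("172.27.49.48/32"),
    "surf_all": in_net("172.27.49.0/24"),
    "surf_small": in_net("172.27.35.0/24"),
    "sites": dstdomain(ALLOWED_SITES),
    # Assumption: "manager" is the cache-manager ACL and never matches plain HTTP.
    "manager": lambda src, host: False,
}

# http_access lines as posted in the question (ORIGINAL) and in the reply (FIXED).
ORIGINAL = """allow test sites
allow surf_small sites
allow surf_all
allow manager
deny all"""
FIXED = ORIGINAL.replace("allow test sites\n", "allow test sites\ndeny test\n")

def decide(rules, src, host):
    """Return (action, matching line); the first line whose ACLs all match wins."""
    for line in rules.splitlines():
        action, *names = line.split()
        if all(ACLS[n](src, host) for n in names):
            return action, line
    return "deny", None  # not reached: both lists end with "deny all"

if __name__ == "__main__":
    for host in ("intranet.example", "news.example.com"):
        for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
            print(name, host, decide(rules, "172.27.49.48", host))
```

The second element of each result names the http_access line that decided the request, which shows the "test" address falling through to "allow surf_all" under the original order.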
