Re: [squid-users] Access denied

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 10 Jan 2003 23:58:54 +0100

Stéphane Ascoët wrote:
>
> On Friday, 10 Jan 2003, at 22:59 Europe/Paris, Henrik Nordstrom
> wrote:
> >>> acl all src 0.0.0.0/0.0.0.0
> >>> acl mynet src 192.168.1.0/255.255.255.0
> >>>
> >>> http_access deny all
> >>> http_access allow mynet
> >>>
> >>> squid log reports
> >>> 3 192.168.1.52 TCP/DENIED 403 1367 get http://www.bsdtoday.com/ -
> >>> NONE/- text.html
> >> Hello,
> >> Put your network on all instead of 0.0.0.0
> >
> >
> > Not a good idea. The "all" acl MUST be defined as "everyone in the
> > world". At least unless you are sure to override any default directives
> > using the "all" acl.

> So I don't understand: if we put the whole world in all acl, so why do
> we put "http_access allow all" and after deny? Why not only allow
> mynet and deny all?

You should never "http_access allow all". Ever. There is no Squid
configuration where such access directive makes sense.

What you need is as you say: to allow mynet before you deny all.

What I am saying is that you should NOT define all to your own
network. The acl named "all" should match everyone in the world, such as
done in the standard configuration by "acl all src 0.0.0.0/0".

Regards
Henrik
Received on Fri Jan 10 2003 - 16:00:15 MST
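
The rule ordering discussed in this thread, as an added example that is not part of the original messages: a small Python model of how Squid evaluates http_access lines (the first matching line wins; if no line matches, the result is the opposite of the last line). It handles only src ACLs without negation, and 203.0.113.7 is a constructed outside client address.

```python
import ipaddress

def parse(conf):
    """Collect 'acl NAME src NET...' and 'http_access allow|deny ACL...' lines."""
    acls, rules = {}, []
    for line in conf.strip().splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(n, strict=False) for n in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def decide(conf, client):
    """Return 'allow' or 'deny' for a client IP under the given rules."""
    acls, rules = parse(conf)
    if not rules:
        raise ValueError("no http_access lines to evaluate")
    ip = ipaddress.ip_address(client)
    for action, names in rules:
        # Every ACL named on one line must match (logical AND).
        if all(any(ip in net for net in acls[n]) for n in names):
            return action            # first matching line wins
    # Nothing matched: Squid applies the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"

ACLS = "acl all src 0.0.0.0/0\nacl mynet src 192.168.1.0/255.255.255.0\n"
# Order from the original question: the deny is reached first.
BROKEN = ACLS + "http_access deny all\nhttp_access allow mynet\n"
# Order recommended in the reply.
FIXED = ACLS + "http_access allow mynet\nhttp_access deny all\n"
# "all" redefined as the local network: the final deny no longer
# matches outside clients, so they fall through to the default.
REDEFINED = ("acl all src 192.168.1.0/255.255.255.0\n"
             "acl mynet src 192.168.1.0/255.255.255.0\n"
             "http_access allow mynet\nhttp_access deny all\n")

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED), ("REDEFINED", REDEFINED)):
        for client in ("192.168.1.52", "203.0.113.7"):
            print(name, client, decide(conf, client))
```

The REDEFINED case is the reason the "all" acl has to match everyone: with "all" narrowed to the local network, an outside client matches no line and receives the opposite of the final deny.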
