Re: [squid-users] Limiting smb_auth to internal network and one external IP only

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 25 Jan 2003 02:27:08 +0100

Try this

# Deny everyone but our own network
http_access deny !mynetwork

# Allow access to authenticated users
http_access allow domainusers

# And finally deny everything else to be on the safe side
http_access deny all

You can also try

http_access allow mynetwork domainusers

Whichever approach suits you best..

Regards
Henrik

On Friday 24 January 2003 19.32, Bob Avery-Babel wrote:
> I'm having a hard time composing acls that work. I'm hoping someone
> can help. Thanks for the previous tips, I am a little further. :-)
>
> I set up smb_auth to track connections by user name. That works
> very well. squid prompts for a username and password.
>
> The problem is, that I can configure an external browser outside of
> the network to use the proxy and I get a username and password
> prompt there as well.
>
> I'm trying to figure out how to only have authentication be
> available to users inside my network.
>
> Here are the acls I have now:
>
> acl domainusers proxy_auth REQUIRED
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl mynetwork src 192.168.0.0/24
> acl workmachine src 207.xxx.xxx.xxx
>
> http_access allow localhost
> http_access allow mynetwork
> http_access allow domainusers !workmachine
> #http_access allow workmachine
> http_access deny all
>
> So with the above ruleset I can access the authentication prompt
> from every outside IP except my workstation which is outside of the
> network. :-)
>
> Is there any acl that I could put in that would mention the
> "outside network" and then make a line like this:
>
> http_access allow domainusers !outsidenetwork
>
> I thought I could add more restrictions to the group domainusers
> but these lines didn't take when I tried to restart squid:
>
> acl domainusers src 192.168.0.0/24 #local network
> acl domainusers src 207.xxx.xxx.xxx #my work machine, external to the network
>
> I know I could block external requests to port 3128 but I'd like to
> be able to figure it out from within squid.
>
> Thanks all!
>
> Bob
Received on Fri Jan 24 2003 - 18:27:02 MST
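
The first-match evaluation behind both suggested rule sets, as an added example that is not part of the original messages: a simplified Python model (not Squid's own code) of why the original rules prompt outside clients for a login while the two suggested forms reject them before the proxy_auth ACL is reached. The client addresses are constructed, 203.0.113.10 is a stand-in for the elided work machine address, and the ruleset names are labels chosen here.

```python
import ipaddress

# Simplified model of Squid's http_access evaluation (not Squid's own code):
# lines are tried top to bottom, the ACLs on a line are ANDed left to right,
# and the first line whose ACLs all match decides. Reaching a proxy_auth ACL
# for a client that sent no credentials produces a 407 login prompt.

# Constructed addresses: 203.0.113.10 stands in for the elided work machine.
SRC_ACLS = {
    "all": "0.0.0.0/0",
    "localhost": "127.0.0.1/32",
    "mynetwork": "192.168.0.0/24",
    "workmachine": "203.0.113.10/32",
}
AUTH_ACLS = {"domainusers"}  # acl domainusers proxy_auth REQUIRED

# Each entry is an http_access line from the thread, minus the keyword.
RULESETS = {
    "original": ["allow localhost", "allow mynetwork",
                 "allow domainusers !workmachine", "deny all"],
    "deny_first": ["deny !mynetwork", "allow domainusers", "deny all"],
    "single_line": ["allow mynetwork domainusers"],
}

def decide(ruleset, client_ip, authenticated=False):
    """Return 'allow', 'deny' or 'challenge' for one request."""
    ip = ipaddress.ip_address(client_ip)
    action = "deny"
    for line in RULESETS[ruleset]:
        action, *acls = line.split()
        for token in acls:
            name = token.lstrip("!")
            if name in AUTH_ACLS and not authenticated:
                return "challenge"  # credentials needed to evaluate this ACL
            hit = name in AUTH_ACLS or ip in ipaddress.ip_network(SRC_ACLS[name])
            if hit == token.startswith("!"):
                break  # one ACL failed, so the whole line does not match
        else:
            return action  # every ACL on the line matched
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

if __name__ == "__main__":
    for name in RULESETS:
        for ip in ("192.168.0.20", "198.51.100.5"):
            print(name, ip, decide(name, ip), decide(name, ip, True))
```
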
