Re: [squid-users] because it matched "all"

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 14 Oct 2003 13:31:48 +0200 (CEST)

On Tue, 14 Oct 2003, san wrote:

> 2003/10/14 14:24:39| The reply for GET
> http://www.jaguar.com/global/script/dhtmlmenu.js is ALLOWED, because it
> matched 'all'

These ("The reply for ..") you can ignore. Only interesting if you are
using http_reply_access.

> 2003/10/14 14:24:35| The request GET
> http://www.jaguar.com/global/script/dhtmlmenu.js is ALLOWED, because it
> matched 'special_client'

So far good..

> special_client contains the ip address of the users can browse,
> where it went wrong, how they can able to browse freely without any problem,
> can any one suggest me the possibilities.

Make sure you end your http_access rules with a
http_access deny all

Also remember that the first http_access rule matching the request tells
if the request is to be allowed or denied. By having the http_access allow
special_client high up none of the rules below this applies to these
clients.

> http_access allow special_client
> http_access deny all noporn
> http_access deny all porn
> http_access allow manager
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny yuck
> http_access deny 5CONN losers

I think you want to move special_client to the end of this list, and then
add a final "http_access deny all" rule denying all other accesses.

Also, the manager rule should be returned to the restricted variant given
in the default squid.conf. You do not want everyone in the world to have
manager access to your Squid.

http_access allow manager localhost

Also, the noporn/porn rulesets look a bit odd.. from the acl names I
assume your intention is to block porn except what is listed as noporn,
not to block both porn and noporn. This is best expressed as

http_access deny !noporn porn

or alternatively

http_access deny porn !noporn

This makes a http_access ruleset like:

# default rules restricting unsafe access
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# local rules determining who is allowed to use the proxy and how
http_access allow localhost
http_access deny porn !noporn
http_access deny yuck
http_access deny 5CONN losers
http_access allow special_client

# a final "deny everything else" rule
http_access deny all

Regards
Henrik
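Added example (not from the thread): a small Python model of Squid's first-match http_access evaluation, run over the poster's ruleset and the reordered one above, to show why the order and the final "deny all" matter. Which ACLs match a given request is supplied as a constructed set of ACL names rather than evaluated against real IPs or URLs.

```python
# Minimal model of Squid http_access evaluation (added example; not from the thread).
# A line matches when every ACL on it matches ('!' negates one ACL) and the first
# matching line decides; with no match Squid applies the opposite of the last line.

def parse_rules(conf):
    """Turn http_access lines into (action, [acl, ...]) tuples; '#' starts a comment."""
    rules = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            assert fields[0] == "http_access" and fields[1] in ("allow", "deny"), line
            rules.append((fields[1], fields[2:]))
    return rules

def evaluate(rules, matched_acls):
    """matched_acls: names of the ACLs that match this request (constructed input)."""
    matched = set(matched_acls) | {"all"}  # the 'all' ACL matches every request
    for action, acls in rules:
        if all(a[1:] not in matched if a.startswith("!") else a in matched for a in acls):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"  # Squid's implicit default

ORIGINAL = """http_access allow special_client
http_access deny all noporn
http_access deny all porn
http_access allow manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny yuck
http_access deny 5CONN losers"""

REORDERED = """http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny porn !noporn
http_access deny yuck
http_access deny 5CONN losers
http_access allow special_client
http_access deny all"""

def compare(matched_acls):
    """Decision under the posted ruleset vs. the reordered one, e.g.
    compare({"special_client", "porn", "Safe_ports"}) -> ('allow', 'deny')."""
    return (evaluate(parse_rules(ORIGINAL), matched_acls),
            evaluate(parse_rules(REORDERED), matched_acls))
```

With the posted order a special_client address reaches porn sites unfiltered, a client in no ACL at all is allowed by Squid's implicit default, and any remote host gets manager access; the reordered set denies all three while still honouring the noporn exception.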
Received on Tue Oct 14 2003 - 05:31:51 MDT