Re: [squid-users] can not access sites due to acl when using ntlm auth

>> http_access allow KIOSK.dstdomain
>> http_access allow KIOSK

>>>Is this really what you want?

>>>Allow everyone access to KOISK.dstdomain

>>>Allow KIOSK access to everything.

>> http_access deny KIOSK

>>>This is redundant due to the above.

 KIOSK is an acl that list what ip can use that acl and KIOSK.dstdomain
list what sites KIOSK can get to and it seems to work good. I did remove
http_access deny KIOSK but when I tried to combine the two statements that
I think I need,

>> http_access allow KIOSK.dstdomain
>> http_access allow KIOSK

into

> http_access allow KIOSK KIOSK.dstdomain

That did not work the users in KIOSK can no longer access sites listed at
KIOSK.dstdomain which is the goal.

Jim

                                                                                                                                              
                    Henrik
                    Nordstrom To: Jim_Brouse/PYT@PASCUAYAQUITRIBE.ORG
                    <hno@squid-cac cc: Henrik Nordstrom <hno@squid-cache.org>, squid-users@squid-cache.org
                    he.org> Subject: Re: [squid-users] can not access sites due to acl when using ntlm auth
                                                                                                                                              
                    08/19/2004
                    12:36 AM
                                                                                                                                              
                                                                                                                                              

On Wed, 18 Aug 2004 Jim_Brouse/PYT@PASCUAYAQUITRIBE.ORG wrote:

>> http_access allow manager localhost
>> http_access deny manager

Ok

>> http_access allow KIOSK.dstdomain
>> http_access allow KIOSK

Is this really what you want?

Allow everyone access to KOISK.dstdomain

Allow KIOSK access to everything.

>> http_access deny KIOSK

This is redundant due to the above.

>> http_access allow MYAIRMAIL

>> http_access allow PAGING

>> http_access deny PAGING

This is redundand. You can not deny what you have already allowed.

>> http_access deny BLOCK.NOT.YAHOO
>> http_access allow YAHOOMESSENGER
>> http_access deny YAHOOMESSENGER

This i redundant.

>> http_access deny BLOCK.NOT.AOL
>> http_access allow AOL
>> http_access deny AOL

This is redundant.

>> http_access deny lab.src lab.dstdomain
>> http_access allow lab.src
>> http_access deny lab.src

This is redundant.

>> http_access allow LOG-ONLY-HOSTS
>> http_access deny NO.NONBLOCK NONBLOCK
>> http_access allow NONBLOCK
>> http_access allow NONPORN
>> http_access deny BLOCK
>> http_access deny MIMEBLOCK
>> http_access deny RESTRICTED-BROWSER
>> http_access deny RESTRICTED-DOM

>> http_access allow manager ADMIN-HOSTS
>> http_access deny manager

This is redundant due to the first two rules already taking care of all
manager access.

>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access deny to_localhost

These should be much higher, before your own first accept rule.

Somewhere before this last deny of everything else it looks like there is
some allow statements missing, allowing access after you have filtered out
all the things you do not want to see..

>> http_access deny all

Regards
Henrik
Received on Thu Aug 19 2004 - 14:28:28 MDT