Re: [squid-users] can not access sites due to acl when using ntlm auth

From: Merton Campbell Crockett <mcc@dont-contact.us>
Date: Thu, 19 Aug 2004 16:12:56 -0700 (PDT)

On Thu, 19 Aug 2004 Jim_Brouse/PYT@PASCUAYAQUITRIBE.ORG wrote:

>
> >> http_access allow KIOSK.dstdomain
> >> http_access allow KIOSK
>
> >>>Is this really what you want?
>
> >>>Allow everyone access to KOISK.dstdomain
>
> >>>Allow KIOSK access to everything.
>
> >> http_access deny KIOSK
>
> >>>This is redundant due to the above.
>
> KIOSK is an acl that lists what IPs can use that acl, and KIOSK.dstdomain
> lists what sites KIOSK can get to, and it seems to work well. I did remove
> http_access deny KIOSK, but when I tried to combine the two statements that
> I think I need,
>
>
> >> http_access allow KIOSK.dstdomain
> >> http_access allow KIOSK
>
> into
>
> > http_access allow KIOSK KIOSK.dstdomain
>
> That did not work; the users in KIOSK can no longer access sites listed in
> KIOSK.dstdomain, which is the goal.

Perhaps it would be clearer and simpler to write this as two access rules.

        http_access deny !KIOSK.dstdomain
        http_access allow KIOSK

If I understand your description correctly, your intent is to restrict the
accessible resources to those defined in KIOSK.dstdomain. At this point,
you really don't care about the system that is attempting to access the
resource. The first rule enforces your destination restrictions.

A further restriction is that you only want to allow systems defined in
KIOSK to use the proxy. The second rule allows members of KIOSK to use
the proxy.

At the end of each rule set there is an implicit deny all. This may not
be entirely accurate. I recall Duane Wessels mentioning somewhere that
the implied last rule is the inverse of the last explicit rule. Based on
the above example, the implicit rule would be the following.

        http_access deny !KIOSK

In "Squid: The Definitive Guide", Duane Wessels provides several examples
where it might be better to use a negated acl to achieve the desired goal.

Merton Campbell Crockett

-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc@CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
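To make the difference between the three rule sets concrete, here is a small added model of Squid's http_access evaluation (not code from the thread or from Squid): first matching line wins, every ACL on a line must match, a leading "!" negates, and when nothing matches the default is the opposite of the last line's action, as Merton recalls. The ACL contents and client/site addresses are constructed, since the thread does not show them, and the rules are evaluated in isolation from the rest of the poster's configuration.

```python
import ipaddress

# Constructed ACL definitions standing in for the poster's (not shown in the thread):
# KIOSK is a src ACL of client addresses, KIOSK.dstdomain a dstdomain ACL of sites.
ACLS = {
    "KIOSK": ("src", ["192.0.2.0/29"]),
    "KIOSK.dstdomain": ("dstdomain", [".example.org", "intranet.example.net"]),
}

def acl_matches(name, request):
    """Evaluate one ACL against a request {src, host}."""
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(request["src"])
        return any(addr in ipaddress.ip_network(v) for v in values)
    host = request["host"].lower()
    # A leading dot matches the domain itself and every subdomain, as in Squid.
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in values)

def parse_rules(config):
    """Return [(action, [acl, ...]), ...] from http_access lines."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def http_access(config, request):
    """First matching line wins; all ACLs on a line must match (AND); a leading
    '!' negates; with no match, the default is the opposite of the last action."""
    rules = parse_rules(config)
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), request) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The three rule sets discussed in the thread, evaluated in isolation.
ORIGINAL = "http_access allow KIOSK.dstdomain\nhttp_access allow KIOSK\n"
COMBINED = "http_access allow KIOSK KIOSK.dstdomain\n"
PROPOSED = "http_access deny !KIOSK.dstdomain\nhttp_access allow KIOSK\n"

# Constructed requests: a kiosk and an unlisted client, each to a listed and an unlisted site.
KIOSK_OK = {"src": "192.0.2.3", "host": "www.example.org"}
KIOSK_OTHER = {"src": "192.0.2.3", "host": "www.example.com"}
OTHER_LISTED_SITE = {"src": "198.51.100.7", "host": "www.example.org"}
OTHER_OTHER = {"src": "198.51.100.7", "host": "www.example.com"}
```

Running the four requests through each set shows the original pair letting any client reach the kiosk sites and kiosks reach anything, while the proposed pair allows only kiosks to the listed sites and denies everything else, including the no-match case via the implied final deny.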
Received on Thu Aug 19 2004 - 17:19:34 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:02 MDT