On Fri, 20 Aug 2004, Merton Campbell Crockett wrote:
> The assumptions were stated in an elided paragraph that the proxy was
> restricted to KIOSK users and that they were restricted to destinations
> specified in KIOSK.dstdomain.
>
> If there are other users of the proxy and they are permitted to access any
> destination, the following supports the condition. The last rule is for
> clarity and to show that all conditions have been enumerated.
>
> http_access allow !KIOSK
> http_access deny !KIOSK.dstdomain
> http_access allow KIOSK
In my experience this is more confusing than what you gain.
If your goal is to allow KIOSK access to certain domains then use the
combination
http_access allow KIOSK KIOSK.dstdomain
http_access deny KIOSK
If this does not work then at least one of the acls is wrongly defined and
you won't see the desired result no matter how you rearrange the
http_access rules.
The first rule in your example (allow !KIOSK) is very dangerous as this
allows everyone else in the whole world access. Such rules should not be
used unless you have been very strict earlier up on what IP addresses may
access the proxy.
As a general rule of thumb only use full negations in http_access deny
rules, such as
http_access deny !our_networks
or partial negations in combination with something else which makes sense
http_access allow our_networks !restricted_sites
possibly followed by something like
http_access allow our_networks privileged_users
Negations are very powerful, but should be used carefully.
Regards
Henrik
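The following is an added example, not part of the thread and not Squid's own code: a small Python model of how Squid evaluates http_access lines (first matching line wins, the ACLs on one line are ANDed, "!" negates a term, and when no line matches the result is the opposite of the last line's action). It runs the three orderings discussed above against constructed requests, so the "allow !KIOSK lets the whole world in" point and the need for an earlier IP restriction can be seen directly. The ACL names come from the thread; the addresses, domains and sample requests are assumed values, and the evaluator handles only src and dstdomain ACLs.

```python
"""Model of Squid http_access evaluation for the rule orderings in this thread.
Added example: the ACL values and the evaluator are constructed here, not taken
from the post or from Squid's source."""
import ipaddress

# Constructed ACL table: name -> (acl type, values). Addresses are assumed (RFC 5737 ranges).
ACLS = {
    "KIOSK": ("src", ["192.0.2.0/24"]),                   # the kiosk subnet
    "KIOSK.dstdomain": ("dstdomain", [".example.org"]),   # the only sites kiosks may reach
    "our_networks": ("src", ["192.0.2.0/24", "198.51.100.0/24"]),
    "all": ("src", ["0.0.0.0/0"]),                        # IPv4-only stand-in for Squid's 'all'
}


def acl_matches(name, request):
    """True if a single (non-negated) ACL matches the request."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        host = request["host"].lower()
        for v in values:
            v = v.lower()
            if v.startswith("."):        # ".example.org" matches the domain and any subdomain
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:              # a bare name matches exactly
                return True
        return False
    raise ValueError("unsupported acl type: " + kind)


def parse_rules(conf):
    """Return [(action, [acl terms])] for each http_access line, in file order."""
    rules = []
    for line in conf.strip().splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def http_access(conf, request):
    """First-match evaluation: terms on a line are ANDed, '!' negates a term, and if
    no line matches the result is the opposite of the last line's action."""
    rules = parse_rules(conf)
    for action, terms in rules:
        # a term matches when (acl hit) XOR (term is negated)
        if all(acl_matches(t.lstrip("!"), request) != t.startswith("!") for t in terms):
            return action
    last_action = rules[-1][0] if rules else "deny"
    return "deny" if last_action == "allow" else "allow"


# The orderings discussed in the thread.
MERTON_CONF = """
http_access allow !KIOSK
http_access deny !KIOSK.dstdomain
http_access allow KIOSK
"""
HENRIK_CONF = """
http_access allow KIOSK KIOSK.dstdomain
http_access deny KIOSK
"""
# Henrik's two rules placed after a strict network check, with an explicit final deny.
HARDENED_CONF = """
http_access deny !our_networks
http_access allow KIOSK KIOSK.dstdomain
http_access deny KIOSK
http_access allow our_networks
http_access deny all
"""

# Constructed sample requests (source address, requested host).
REQUESTS = {
    "kiosk_to_allowed_site": {"src": "192.0.2.10", "host": "www.example.org"},
    "kiosk_to_other_site": {"src": "192.0.2.10", "host": "attacker.example"},
    "internal_user": {"src": "198.51.100.7", "host": "attacker.example"},
    "internet_stranger": {"src": "203.0.113.9", "host": "attacker.example"},
}


def evaluate_all():
    """Decision for every (config, request) pair: {config name: {request name: action}}."""
    confs = {"merton": MERTON_CONF, "henrik_alone": HENRIK_CONF, "hardened": HARDENED_CONF}
    return {c: {r: http_access(conf, req) for r, req in REQUESTS.items()}
            for c, conf in confs.items()}


if __name__ == "__main__":
    for conf_name, results in evaluate_all().items():
        print(conf_name)
        for req_name, action in results.items():
            print(f"  {req_name:24} {action}")
```

Two results are worth noticing. With Merton's ordering the "internet_stranger" request is allowed by the first line, which is exactly the open-proxy risk of "allow !KIOSK". Henrik's two lines on their own also let the stranger through, but for a different reason: no line matches, so Squid falls back to the opposite of the last action (deny becomes allow). That fall-through is why those two lines belong after a "deny !our_networks" line and before a final explicit deny, as in the hardened ordering.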
Received on Fri Aug 20 2004 - 17:32:06 MDT