RE: [squid-users] {Spam?} acl help please

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 11 May 2005 09:26:00 -0800

> -----Original Message-----
> From: Carinus Carelse [mailto:carinus.carelse@mrc.ac.za]
> Sent: Tuesday, May 10, 2005 9:33 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] {Spam?} acl help please
>
>
> I have a program that synchronises using the proxy. However, I keep
> getting this error message in the cache.log file.
>
> 2005/05/11 08:25:51| The request CONNECT ip number:port is DENIED,
> because it matched 'password'
>
> How can I bypass the password acl I have and allow the CONNECT method
> just for the ipnumber:port?
>
> Carinus
>

A couple new ACLs like:

  acl specialAddress dst 1.2.3.4/32
  acl specialPort port 5678

Then (assuming that your proxy authentication acl is named "password")
change your proxy auth line to

  http_access deny !password !CONNECT !specialAddress !specialPort

This should block any non-authenticated request to anywhere but 1.2.3.4:5678
without opening your proxy to allow just ANYONE to surf to that IP
address:port.

Otherwise, if this program is run from one specific computer, you could use
a src acl like:

  acl specialClient src 4.3.2.1/32
  acl specialAddress dst 1.2.3.4/32
  acl specialPort port 5678

Then above the http_access deny !password control, a line like:

  http_access allow specialClient CONNECT specialAddress specialPort

will allow that computer to CONNECT to that ip and port without
authentication, but will require any other computer to authenticate to reach
it.

Chris
Received on Wed May 11 2005 - 11:26:01 MDT
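
Added example (not part of the message above and not Squid's own code): a small Python model of how Squid walks http_access lines, where every ACL on a line must match and the first matching line decides, applied to the second suggestion to show why the allow line has to sit above "http_access deny !password". The definitions of the "password" and "CONNECT" ACLs, the client address 10.0.0.9 and the simplified treatment of proxy_auth (true only when the request carries valid credentials) are assumptions.

```python
import ipaddress

# Constructed config: the reply's ACLs and rules, plus assumed definitions for
# "password" and "CONNECT" (the page does not show them).
CONF_ABOVE = """
acl password proxy_auth REQUIRED
acl CONNECT method CONNECT
acl specialClient src 4.3.2.1/32
acl specialAddress dst 1.2.3.4/32
acl specialPort port 5678
http_access allow specialClient CONNECT specialAddress specialPort
http_access deny !password
"""
# Same lines with the allow rule moved below the deny rule.
lines = CONF_ABOVE.strip().splitlines()
CONF_BELOW = "\n".join(lines[:5] + [lines[6], lines[5]])

def parse(conf):
    acls, rules = {}, []
    for line in conf.strip().splitlines():
        f = line.split()
        if f[0] == "acl":
            acls[f[1]] = (f[2], f[3])        # name -> (type, value)
        elif f[0] == "http_access":
            rules.append((f[1], f[2:]))      # (action, [acl names])
    return acls, rules

def acl_match(kind, value, req):
    if kind in ("src", "dst"):
        return ipaddress.ip_address(req[kind]) in ipaddress.ip_network(value)
    if kind == "port":
        return req["port"] == int(value)
    if kind == "method":
        return req["method"] == value
    if kind == "proxy_auth":  # simplification: true only with valid credentials
        return req["authed"]
    raise ValueError(kind)

def decide(conf, req):
    """Action of the first http_access line whose ACLs all match, else None."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_match(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return None  # nothing shown here matched; later squid.conf lines would decide

def req(src, dst="1.2.3.4", port=5678, method="CONNECT", authed=False):
    return dict(src=src, dst=dst, port=port, method=method, authed=authed)
```

With the allow line above the deny line, only an unauthenticated CONNECT from 4.3.2.1 to 1.2.3.4:5678 is let through; with the two lines swapped, the same request is denied before the allow line is ever reached.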
