RE: [squid-users] deny authenticated users to dstdomain

From: Chris Robertson <crobertson@dont-contact.us>
Date: Thu, 1 Sep 2005 09:11:36 -0800

> -----Original Message-----
> From: Covington, Chris [mailto:Chris.Covington@plusone.com]
> Sent: Thursday, September 01, 2005 8:45 AM
> To: rob@zilla.id.au; squid-users@squid-cache.org
> Subject: Re: [squid-users] deny authenticated users to dstdomain
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Covington, Chris wrote:
> > > Hi all,
> > >
> > > I'd like to deny some domains after people have authenticated. I tried this:
> > >
> > > acl NoAccess dstdomain .aim.com
> > > acl NoAccess proxy_auth REQUIRED
> > > acl AuthorizedUsers proxy_auth REQUIRED
> > > http_access deny NoAccess
> > > http_access allow AuthorizedUsers
> > >
> > > But apparently this isn't allowed:
> > >
> > > 2005/09/01 10:52:12| aclParseAclLine: ACL 'NoAccess' already exists
> > > with different type.
> > > FATAL: Bungled squid2.conf line 1874: acl NoAccess proxy_auth REQUIRED
> > > Squid Cache (Version 2.5.STABLE10): Terminated abnormally.
> > >
> > > What's the best way to do this?
> >
> > Remove line 1874. It's conflicting with the `deny NoAccess' line.
>
> That line is:
>
> acl NoAccess dstdomain .aim.com
>
> If I do that, how will I define which sites are not allowed access?
>
> ---
> Chris Covington
> IT
> Plus One Health Management
> 75 Maiden Lane Suite 801
> NY, NY 10038
> 646-312-6269
> http://www.plusoneactive.com
>

The problem is you have used one ACL name (NoAccess) with two different ACL types (dstdomain and proxy_auth). Give the two ACLs different names, and make either a combined http_access rule using those ACLs or sequential http_access rules to serve your goal.

For example...

acl NoAccess dstdomain .aim.com
acl authentication proxy_auth REQUIRED
acl myNet src 192.168.0.0/24

http_access deny !authentication
http_access deny NoAccess
http_access allow myNet
http_access deny all

...would allow access to those people who 1) have authenticated 2) are not trying to surf to *.aim.com and 3) are originating from 192.168.0.0/24. The Squid FAQ (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html) has more details.

Chris
Received on Thu Sep 01 2005 - 11:11:44 MDT
