[squid-users] Help with acl's

From: Jason <jcoyne@dont-contact.us>
Date: Fri, 1 Sep 2006 11:35:19 -0500

Hello, I have searched and read until I wanna bang my head. What I want
squid to do: I have 6 internet computers that will access the internet (they
have static ip's) and 2 homework computers (also static) that will only have
access (whitelist) to a couple of websites (www.tutor.com for example). I am
running squid 2.6.Stable3. My squid.conf looks like this:

"#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT"

  a bunch of comments, then:

"#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl scorpio src 192.168.5.21
http_access allow scorpio

# And finally deny all other access to this proxy
http_access deny all"

In this configuration I get "access denied" on any website I go to. When I
change it to "http_access allow all", obviously everything works. So I enabled
"debug_options All,1 28,9" and this is what I get:

"2006/09/01 11:05:33| Reconfiguring Squid Cache (version 2.6.STABLE3)...
2006/09/01 11:05:33| FD 9 Closing HTTP connection
2006/09/01 11:05:33| FD 11 Closing ICP connection
2006/09/01 11:05:33| DNS Socket created at 0.0.0.0, port 32775, FD 8
2006/09/01 11:05:33| Adding nameserver 192.168.5.5 from /etc/resolv.conf
2006/09/01 11:05:33| Adding nameserver 192.168.5.7 from /etc/resolv.conf
2006/09/01 11:05:33| Accepting proxy HTTP connections at 192.168.5.249, port
3128, FD 9.
2006/09/01 11:05:33| Accepting ICP messages at 0.0.0.0, port 3130, FD 11.
2006/09/01 11:05:33| WCCP Disabled.
2006/09/01 11:05:33| Loaded Icons.
2006/09/01 11:05:33| Ready to serve requests.
2006/09/01 11:05:46| aclCheckFast: list: 0x926b228
2006/09/01 11:05:46| aclMatchAclList: checking all
2006/09/01 11:05:46| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/09/01 11:05:46| aclMatchIp: '192.168.5.249' found
2006/09/01 11:05:46| aclMatchAclList: returning 1
2006/09/01 11:05:47| aclCheck: checking 'http_access allow manager
localhost'
2006/09/01 11:05:47| aclMatchAclList: checking manager
2006/09/01 11:05:47| aclMatchAcl: checking 'acl manager proto cache_object'
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access deny manager'
2006/09/01 11:05:47| aclMatchAclList: checking manager
2006/09/01 11:05:47| aclMatchAcl: checking 'acl manager proto cache_object'
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access deny !Safe_ports'
2006/09/01 11:05:47| aclMatchAclList: checking !Safe_ports
2006/09/01 11:05:47| aclMatchAcl: checking 'acl Safe_ports port 80
# http'
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access deny CONNECT
!SSL_ports'
2006/09/01 11:05:47| aclMatchAclList: checking CONNECT
2006/09/01 11:05:47| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access allow scorpio'
2006/09/01 11:05:47| aclMatchAclList: checking scorpio
2006/09/01 11:05:47| aclMatchAcl: checking 'acl scorpio src 192.168.5.21'
2006/09/01 11:05:47| aclMatchIp: '192.168.5.249' NOT found
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access deny all'
2006/09/01 11:05:47| aclMatchAclList: checking all
2006/09/01 11:05:47| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/09/01 11:05:47| aclMatchIp: '192.168.5.249' found
2006/09/01 11:05:47| aclMatchAclList: returning 1
2006/09/01 11:05:47| aclCheck: match found, returning 0
2006/09/01 11:05:47| aclCheckCallback: answer=0"

There are a few things in there I don't get. Maybe somebody does and can tell
me I am missing something simple?

Thank you.

Jason
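As an added illustration (not part of Jason's post or of squid's code), this model replays squid's first-match http_access evaluation over the rules exactly as posted: a request from 192.168.5.249, the client address the debug log shows (the proxy's own listening address), fails `acl scorpio src 192.168.5.21` and falls through to `http_access deny all`, which is the "access denied" seen. It also goes beyond the post with a hypothetical per-client whitelist for the two homework machines; their addresses (192.168.5.31 and .32) and the ACL names `homework` and `tutor_sites` are constructed, not taken from the post.

```python
import ipaddress
# Constructed model of the squid.conf quoted in the post, not squid's own code.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "manager": ("proto", ["cache_object"]),
    "Safe_ports": ("port", [80, 21, 443, 563, 70, 210, (1025, 65535), 280, 488, 591, 777]),
    "SSL_ports": ("port", [443, 563]),
    "CONNECT": ("method", ["CONNECT"]),
    "scorpio": ("src", ["192.168.5.21/32"]),
}
HTTP_ACCESS = [  # http_access lines in the order they appear in the post
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["scorpio"]),
    ("deny", ["all"]),
]

def acl_matches(name, req, acls):
    """Does one named ACL match the request dict (src, port, proto, method, host)?"""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(v[0] <= req["port"] <= v[1] if isinstance(v, tuple) else req["port"] == v
                   for v in values)
    if kind == "dstdomain":  # a leading dot, ".tutor.com", also covers its subdomains
        return any(req["host"] == v.lstrip(".") or (v.startswith(".") and req["host"].endswith(v))
                   for v in values)
    return req[kind] in values

def http_access(req, rules=HTTP_ACCESS, acls=ACLS):
    """Squid semantics: the first http_access line whose terms all match decides ("!" negates
    a term). Returns (verdict, line_index); with no match the default is the opposite of the last line."""
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(t.lstrip("!"), req, acls) != t.startswith("!") for t in terms):
            return action, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

# Hypothetical whitelist for the two homework machines (addresses and ACL names constructed):
# allow them only the listed sites, then deny them everything else, placed ahead of the
# allow for the unrestricted clients so the more specific rule wins.
HOMEWORK_ACLS = dict(ACLS, homework=("src", ["192.168.5.31/32", "192.168.5.32/32"]),
                     tutor_sites=("dstdomain", [".tutor.com"]))
HOMEWORK_RULES = HTTP_ACCESS[:4] + [("allow", ["homework", "tutor_sites"]),
                                    ("deny", ["homework"])] + HTTP_ACCESS[4:]
```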
 
Received on Fri Sep 01 2006 - 10:36:06 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Oct 01 2006 - 12:00:03 MDT