[squid-users] acl question

From: Paul Houselander \(SME\) <housey@dont-contact.us>
Date: Tue, 8 Apr 2008 10:10:45 +0100


Ive been using IP's in acl's to restrict access to squid, a redirector
(squidguard) and a parent proxy (virus scanning proxy)

This has been working fine and part of my squid.conf is below

# Everything ACL - goes via parent and squidguard
acl everything src "/etc/squid/acl/everything"
http_access allow everything
never_direct allow everything
redirector_access allow everything

# nothing ACL stops parent and redirector
acl nothing src "/etc/squid/acl/nothing"
http_access allow nothing
always_direct allow nothing
redirector_access deny nothing

# noparent ACL always direct stops it from forwarding to parent
acl novirus src "/etc/squid/acl/novirus"
http_access allow novirus
always_direct allow novirus

# nofilter ACL uses redirector access to stop requests going to the
redirector (squidguard)
acl nofilter src "/etc/squid/acl/nofilter"
http_access allow nofilter
redirector_access deny nofilter

http_access allow localhost
http_access deny all

This is fine for static IP's and does exactly what I want, i.e. put an IP in
/etc/squid/acl/everything and it gets filtered and forwarded to the parent,
put an address in /etc/squid/acl/nothing and it goes direct and bypasses the

I wanted to allow roaming users to use my squid so ive tried adding
authentication using the below. Aim was if I knew there IP it would be in
one of the acl files so no username/password prompt, if there IP was not in
the acl files it would pop up a username password - again I wanted control
based on username whether they should go via the parent/redirector or not

# testing authentication
acl nothing_auth proxy_auth "/etc/squid/acl/nothing_auth"
http_access allow nothing_auth
always_direct allow nothing_auth
redirector_access deny nothing_auth

acl everything_auth proxy_auth "/etc/squid/acl/everything_auth"
http_access allow everything_auth
never_direct allow everything_auth
redirector_access allow everything_auth

Which seemed to work but I noticed an IP I had in
"/etc/squid/acl/everything" which was going via the parent and redirector
started going direct? If I comment out all my proxy_auth lines and restart
squid all works again. Can you mix proxy_auth and IP based ACL's like this?
Other relevant bits of my squid.conf below

url_rewrite_program /usr/bin/squidguard
url_rewrite_children 10

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid.users
auth_param basic children 5
auth_param basic realm web filter
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
Received on Tue Apr 08 2008 - 03:14:09 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT