Re: [squid-users] user problem

Amos Jeffries-2 wrote:
>
> espoire20 wrote:
>>
>>
>> Chris Robertson-2 wrote:
>>> espoire20 wrote:
>>>> Matt Harrison-3 wrote:
>>>>
>>>>> espoire20 wrote:
>>>>>
>>>>>> have a small problem with squid in access list, I need to block an IP
>>>>>> address
>>>>>> of a machine does not connect to internet even if it has the address
>>>>>> of
>>>>>> the
>>>>>> proxy and port in the Internet option is that it is possible ?
>>>>>>
>>>>>>
>>>>>> because I have some person who installs firefox mozzila he put the
>>>>>> address
>>>>>> of the proxy and the port it connects or it connects with a user of
>>>>>> another
>>>>>> person
>>>>>>
>>>>>> i use this but not working :
>>>>>>
>>>>>> acl user1 src 10.60.6.7
>>>>>> httpd_access deny user1
>>>>>>
>>>>> Try it with
>>>>>
>>>>> http_access deny user1
>>>>>
>>>>> HTH
>>>>>
>>>>> Matt
>>>>>
>>>>>
>>>> excuse me i mean http not httpd but not working
>>>>
>>>> I will explain you, I blocked internet for everyone ,if anyone wants
>>>> internet I add the proxy address and port in the explorer but I need
>>>> blocked
>>>> IP address not to access the internet even if it adds proxy ip and port
>>>> in
>>>> the explorer
>>>>
>>>> what we can do ???
>>>>
>>> Share the rest of your config (preferably without comments and blank
>>> lines), or read the FAQ on ACLs
>>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>>> allowing the traffic somewhere before the deny statement.
>>>
>>>> many thanks
>>>>
>>> Chris
>>>
>>>
>>>
>>
>> this is my all acl that i have in my squid file :
>>
>>
>> # TAG: acl
>> acl ntlm proxy_auth REQUIRED
>>
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>>
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> #
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl test src 10.60.6.7
>>
>> # TAG: http_access
>
> Which does the following *** IN THIS ORDER ***:
>
>
>> http_access allow ntlm
>
> If person is logged in. They can do anything. absolutely anything.
>
> If not logged in ... one of the following happens...
>
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>
> Prevents people who have not logged in from doing unsafe stuff...
>
> If not doing dangerous stuff one of the following happens...
>
>> http_access allow localnet
>
> Allows anyone from the local network who has not logged in to do anything.
>
> ...
>
>> http_access allow localhost
>
> Allows the local machine
>
> ...
>> http_access deny all
>
> Denies all other access. The End.
>
>> http_access deny test
>
> Never matches. "deny all" already caught last remaining requests which
> were not logged in, came from local network, localhost, or doing
> dangerous stuff.
>
>
>
> To fix your problem:
> move "deny test" to somewhere above the first "allow" line.
>
>
> Also you need to:
> * consider moving "allow ntlm" down below the security settings to
> just above "allow localnet".
> * consider whether the people on localnet ranges are truly allowed to
> do anything anyway *** when login fails ***.
>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
> Current Beta Squid 3.1.0.9
>
>

thank you Amos

i made :http_access deny test after http_access allow ntlm but not working
whene they put the addresse proxy of the end of browser they can connect

many thanks

-- 
View this message in context: http://www.nabble.com/user-problem-tp24458799p24514644.html
Sent from the Squid - Users mailing list archive at Nabble.com.