espoire20 wrote:
>
>
> Amos Jeffries-2 wrote:
>> espoire20 wrote:
>>>
>>> Amos Jeffries-2 wrote:
>>>> espoire20 wrote:
>>>>> Chris Robertson-2 wrote:
>>>>>> espoire20 wrote:
>>>>>>> Matt Harrison-3 wrote:
>>>>>>>
>>>>>>>> espoire20 wrote:
>>>>>>>>
>>>>>>>>> have a small problem with squid in access list, I need to block an
>>>>>>>>> IP
>>>>>>>>> address
>>>>>>>>> of a machine does not connect to internet even if it has the
>>>>>>>>> address
>>>>>>>>> of
>>>>>>>>> the
>>>>>>>>> proxy and port in the Internet option is that it is possible ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> because I have some person who installs firefox mozzila he put the
>>>>>>>>> address
>>>>>>>>> of the proxy and the port it connects or it connects with a user of
>>>>>>>>> another
>>>>>>>>> person
>>>>>>>>>
>>>>>>>>> i use this but not working :
>>>>>>>>>
>>>>>>>>> acl user1 src 10.60.6.7
>>>>>>>>> httpd_access deny user1
>>>>>>>>>
>>>>>>>> Try it with
>>>>>>>>
>>>>>>>> http_access deny user1
>>>>>>>>
>>>>>>>> HTH
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>>>
>>>>>>> excuse me i mean http not httpd but not working
>>>>>>>
>>>>>>> I will explain you, I blocked internet for everyone ,if anyone wants
>>>>>>> internet I add the proxy address and port in the explorer but I need
>>>>>>> blocked
>>>>>>> IP address not to access the internet even if it adds proxy ip and
>>>>>>> port
>>>>>>> in
>>>>>>> the explorer
>>>>>>>
>>>>>>> what we can do ???
>>>>>>>
>>>>>> Share the rest of your config (preferably without comments and blank
>>>>>> lines), or read the FAQ on ACLs
>>>>>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>>>>>> allowing the traffic somewhere before the deny statement.
>>>>>>
>>>>>>> many thanks
>>>>>>>
>>>>>> Chris
>>>>>>
>>>>>>
>>>>>>
>>>>> this is my all acl that i have in my squid file :
>>>>>
>>>>>
>>>>> # TAG: acl
>>>>> acl ntlm proxy_auth REQUIRED
>>>>>
>>>>>
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/32
>>>>> acl to_localhost dst 127.0.0.0/8
>>>>>
>>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>> #
>>>>> acl SSL_ports port 443
>>>>> acl Safe_ports port 80 # http
>>>>> acl Safe_ports port 21 # ftp
>>>>> acl Safe_ports port 443 # https
>>>>> acl Safe_ports port 70 # gopher
>>>>> acl Safe_ports port 210 # wais
>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>> acl Safe_ports port 280 # http-mgmt
>>>>> acl Safe_ports port 488 # gss-http
>>>>> acl Safe_ports port 591 # filemaker
>>>>> acl Safe_ports port 777 # multiling http
>>>>> acl CONNECT method CONNECT
>>>>> acl test src 10.60.6.7
>>>>>
>>>>> # TAG: http_access
>>>> Which does the following *** IN THIS ORDER ***:
>>>>
>>>>
>>>>> http_access allow ntlm
>>>> If person is logged in. They can do anything. absolutely anything.
>>>>
>>>> If not logged in ... one of the following happens...
>>>>
>>>>> http_access allow manager localhost
>>>>> http_access deny manager
>>>>> http_access deny !Safe_ports
>>>>> http_access deny CONNECT !SSL_ports
>>>> Prevents people who have not logged in from doing unsafe stuff...
>>>>
>>>> If not doing dangerous stuff one of the following happens...
>>>>
>>>>> http_access allow localnet
>>>> Allows anyone from the local network who has not logged in to do
>>>> anything.
>>>>
>>>> ...
>>>>
>>>>> http_access allow localhost
>>>> Allows the local machine
>>>>
>>>> ...
>>>>> http_access deny all
>>>> Denies all other access. The End.
>>>>
>>>>> http_access deny test
>>>> Never matches. "deny all" already caught last remaining requests which
>>>> were not logged in, came from local network, localhost, or doing
>>>> dangerous stuff.
>>>>
>>>>
>>>>
>>>> To fix your problem:
>>>> move "deny test" to somewhere above the first "allow" line.
>>>>
>>>>
>>>> Also you need to:
>>>> * consider moving "allow ntlm" down below the security settings to
>>>> just above "allow localnet".
>>>> * consider whether the people on localnet ranges are truly allowed to
>>>> do anything anyway *** when login fails ***.
>>>>
>>>>
>>>> Amos
>>> thank you Amos
>>>
>>> i made :http_access deny test after http_access allow ntlm but not
>>> working
>> ^^^^^
>>
>> I said "before" first allow. You placed it "after" first allow.
>>
>> NTLM auth is silent and usually happens without users doing anything
>> ("single sign-on"). The browser can be expected to authenticate them.
>>
>>
>>> whene they put the addresse proxy of the end of browser they can connect
>> Sorry, I do not understand the sentence above. ?
>>
>> When they put the address where?
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>> Current Beta Squid 3.1.0.9
>>
>>
>
> Hi
> i mean in the internt options ---> Connections ------->Local Area Network
> they add the adresse of Proxy after they can connect
>
> but now i blocked the ip adresse i placed before" first allow like you said
> i think it s working
>
> can i ask anthor question ?
Always, and as always you may or may not get an answer. ;)
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16 Current Beta Squid 3.1.0.10 or 3.1.0.11Received on Mon Jul 20 2009 - 11:33:24 MDT
This archive was generated by hypermail 2.2.0 : Mon Jul 20 2009 - 12:00:02 MDT