Re: [squid-users] access control problems

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 15 Mar 2010 10:56:16 +1300

On Sun, 14 Mar 2010 08:30:53 -0700 (PDT), Landy Landy
<landysaccount_at_yahoo.com> wrote:
> Hello.
>
> I'm trying to block all my users from using the internet except for a few of
> them. I'm trying to do this with an acl but it is not working. Here's part of
> the squid.conf:
>
> # Port Squid listens on
> http_port 172.16.0.1:3128 transparent
>
> # Access-lists (ACLs) will permit or deny hosts to access the proxy
> acl lan-access src 172.16.0.0/16
> acl proxy src 172.16.0.1
> acl localhost src 127.0.0.1
>
> acl CONNECT method CONNECT
>
> acl allowed src "/etc/ipaddress/ipAllowed"
>
> # Access rule
> http_access allow proxy

Does it work when you remove the above line?

I've only seen that type of allow needed when iptables rules got
broken by NAT happening on a remote box, changing all client addresses to
be identical to the proxy one.
The agents on the proxy box can be configured to use localhost safely.

> http_access allow localhost
>
> #---- Block some sites
>
> acl blockanalysis01 dstdomain .scorecardresearch.com .google-analytics.com
> acl blockads01 dstdomain .rad.msn.com ads1.msn.com ads2.msn.com ads3.msn.com ads4.msn.com
> acl blockads02 dstdomain .adserver.yahoo.com pagead2.googlesyndication.com ad.yieldmanager.com
> acl blockads03 dstdomain .doubleclick.net
> http_access deny blockanalysis01
> http_access deny blockads01
> http_access deny blockads02
> http_access deny blockads03
>

NP: You can combine those ads lists into one ACL name if you want an
easier config.

> #######################################
>
> http_access allow allowed
> #http_access allow lan-access

Just to be clear, and to see exactly what is happening, this would be good to
add right here in the rules:

  http_access deny all

>
>
> ---------
> In ipAllowed there are 4 IP addresses:
>
> 172.16.250.1
> 172.16.250.12
> 172.16.254.13
>
> Everyone is allowed to the internet.
>
> What am I doing wrong?

Mostly looks good, all I can see is that NAT possibility. Your Squid rules
should be working as you wanted.

Amos
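As an added illustration (not part of the thread and not Squid's own code), the following Python models how Squid walks http_access lines: first match wins, and when nothing matches the result is the opposite of the last line's action, which is why Amos suggests an explicit "deny all" at the end. The ACL tables are constructed from the configuration quoted above (the four "allowed" addresses stand in for the contents of /etc/ipaddress/ipAllowed), the names SRC_ACLS, DST_ACLS, http_access and nat_rewrite are this example's own, and nat_rewrite is a deliberately simplified model of the NAT breakage Amos describes, where every client arrives with the proxy's own source address and so matches "http_access allow proxy". The dstdomain matching follows Squid's documented rule that a leading dot matches the domain and all its subdomains while a bare name matches only exactly.

```python
import ipaddress

# Constructed ACL definitions, modelled on the squid.conf quoted in the thread.
# src ACLs hold addresses or CIDR blocks; dstdomain ACLs hold domain patterns,
# where a leading dot means "this domain and every subdomain" (Squid's rule).
SRC_ACLS = {
    "proxy": ["172.16.0.1"],
    "localhost": ["127.0.0.1"],
    # Stand-in for the contents of "/etc/ipaddress/ipAllowed".
    "allowed": ["172.16.250.1", "172.16.250.12", "172.16.254.13"],
    "lan-access": ["172.16.0.0/16"],
}
DST_ACLS = {
    "blockanalysis01": [".scorecardresearch.com", ".google-analytics.com"],
    "blockads": [".rad.msn.com", "ads1.msn.com", "ads2.msn.com", "ads3.msn.com",
                 "ads4.msn.com", ".adserver.yahoo.com",
                 "pagead2.googlesyndication.com", "ad.yieldmanager.com",
                 ".doubleclick.net"],
}

# http_access lines in the order the poster has them ("lan-access" is commented out).
RULES = [
    ("allow", "proxy"),
    ("allow", "localhost"),
    ("deny", "blockanalysis01"),
    ("deny", "blockads"),
    ("allow", "allowed"),
]
# The same list with the explicit "http_access deny all" Amos suggests appended.
RULES_WITH_DENY_ALL = RULES + [("deny", "all")]


def src_match(name, client_ip):
    """True if client_ip falls inside any address or block listed for the src ACL."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in SRC_ACLS[name])


def dstdomain_match(name, host):
    """Squid dstdomain semantics: ".x.com" matches x.com and *.x.com, "y.com" only y.com."""
    host = host.lower().rstrip(".")
    for pattern in DST_ACLS[name]:
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def acl_match(name, client_ip, host):
    if name == "all":
        return True
    if name in SRC_ACLS:
        return src_match(name, client_ip)
    return dstdomain_match(name, host)


def http_access(rules, client_ip, host):
    """First-match evaluation of http_access lines.

    Returns (action, matched_acl). When no line matches, Squid applies the
    opposite of the last line's action; an explicit "deny all" at the end
    replaces that implicit default with a named match that shows up in the logs.
    """
    for action, acl in rules:
        if acl_match(acl, client_ip, host):
            return action, acl
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), "(implicit default)"


def nat_rewrite(client_ip, proxy_ip="172.16.0.1"):
    """Model of the failure mode Amos describes (assumption, not real NAT code):
    a NAT box in front of Squid rewrites every client source address to the
    proxy's own address, so every request matches "http_access allow proxy"."""
    return proxy_ip


if __name__ == "__main__":
    for label, ip, host in [
        ("allowed client", "172.16.250.12", "www.example.com"),
        ("other LAN client", "172.16.3.7", "www.example.com"),
        ("allowed client to ad host", "172.16.250.12", "ads1.msn.com"),
        ("LAN client behind broken NAT", nat_rewrite("172.16.3.7"), "www.example.com"),
    ]:
        print(f"{label:30s} {ip:15s} -> {http_access(RULES, ip, host)}")
```

Running it shows the two outcomes the thread is about: with the rules as posted, an ordinary LAN client is denied by the implicit default (so the config should already be doing what the poster wants), while a client whose source address has been rewritten to 172.16.0.1 is allowed through the "proxy" line, which is the one case Amos asks the poster to rule out by removing that line.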
Received on Sun Mar 14 2010 - 21:56:21 MDT

This archive was generated by hypermail 2.2.0 : Mon Mar 15 2010 - 12:00:04 MDT