RE: [squid-users] Having trouble denying http_access to the proxy

From: Volker-Yoblick, Adam <avolker_at_ea.com>
Date: Wed, 22 Dec 2010 08:59:00 -0800

Thanks so much, that solved the problem. Looks like I had the syntax wrong for allowing a specific group of machines access to a specific IP range.

Thanks again!

-----Original Message-----
From: John Doe [mailto:guest01_at_gmail.com]
Sent: Wednesday, December 22, 2010 11:55 AM
To: Volker-Yoblick, Adam
Cc: 'squid-users_at_squid-cache.org'
Subject: Re: [squid-users] Having trouble denying http_access to the proxy

On 12/22/2010 05:43 PM, Volker-Yoblick, Adam wrote:
> Greetings,
>
> I seem to be having some trouble denying access to my proxy. I'm running squid 3.1.9. Here's the relevant part of my squid.conf:
>
> # my machine only
> acl myMachine src 10.8.144.43
>
> # some destination servers
> acl dest1 dst 10.8.110.13
> acl dest2 dst 10.8.110.14
> acl dest3 dst 10.10.12.213
>
> # allow access to the specified servers, deny to everything else
> http_access allow myMachine
> http_access allow dest1
> http_access allow dest2
> http_access allow dest3
> http_access deny all
>
> (I've commented out the "http_access allow localnet" and "http_access
> allow localhost" lines)
>
> I'm connecting from 10.8.145.177 and the proxy seems to forward the requests just fine. Nothing is cached, because I have some other cache options in my file, but I'm wondering why the request isn't denied.
>
> I also have some refresh_pattern options, but I believe those are only supposed to affect caching. Those should have no bearing on http access, correct?
>
> I've looked through the docs, and I can't figure out what I'm doing wrong.
>
> Anyone have any ideas?
>
> Thanks for your time,
>
> -Adam
>

just a quick guess ... first match counts

if you are surfing from 10.8.144.43, it works because of this acl:
http_access allow myMachine

if you are using from another src address to either dest1, dest2 or dest3, it works because of one of the next 3 acls. It will probably not work if you are surfing to other destinations, because in that case the deny all will prevent it

if you only want to allow 10.8.144.43 to surf to one of these addresses, try this:
http_access allow myMachine dest1
http_access allow myMachine dest2
http_access allow myMachine dest3
http_access deny all

Now it should work.
Received on Wed Dec 22 2010 - 16:59:10 MST
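
Added example (not part of the original thread, and not Squid's own code): a small Python model of the http_access evaluation described in the reply above, run over both rule sets from the messages. It models only src/dst ACLs with no "!" negation, the function names are hypothetical, and 192.0.2.10 is a constructed sample destination.

```python
import ipaddress

# ACL definitions copied from the thread's squid.conf; "all" is Squid's built-in match-everything ACL.
ACLS = {
    "myMachine": ("src", "10.8.144.43"),
    "dest1": ("dst", "10.8.110.13"),
    "dest2": ("dst", "10.8.110.14"),
    "dest3": ("dst", "10.10.12.213"),
    "all": ("src", "0.0.0.0/0"),
}

ORIGINAL = """
http_access allow myMachine
http_access allow dest1
http_access allow dest2
http_access allow dest3
http_access deny all
"""

CORRECTED = """
http_access allow myMachine dest1
http_access allow myMachine dest2
http_access allow myMachine dest3
http_access deny all
"""

def acl_matches(name, src, dst):
    """Check one named ACL against the request's source or destination address."""
    kind, net = ACLS[name]
    addr = src if kind == "src" else dst
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(rules, src, dst):
    """Return (action, matching line): lines are tried in order, first match wins."""
    for line in rules.strip().splitlines():
        _, action, *names = line.split()
        # Every ACL named on one line must match (AND) for that line to apply.
        if all(acl_matches(n, src, dst) for n in names):
            return action, line
    return "deny", "(no rule matched)"  # not reached here: both sets end in "deny all"

if __name__ == "__main__":
    # Constructed requests: the other client from the thread, then the permitted machine.
    for src, dst in [("10.8.145.177", "10.8.110.13"), ("10.8.144.43", "192.0.2.10")]:
        for label, rules in [("original", ORIGINAL), ("corrected", CORRECTED)]:
            print(f"{src} -> {dst} [{label}]: {evaluate(rules, src, dst)}")
```

With the original rules, any client reaches dest1 through the single-ACL "allow dest1" line, and 10.8.144.43 reaches every destination; the corrected rules permit only 10.8.144.43 to the three listed servers.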
