Have you understood the syntax of http_access?

It is basically

  http_access allow/deny IF a AND b AND c AND d ...
  OR
  http_access allow/deny IF e AND f AND g AND h ...

So what your http_access lines are saying is:

1. Allow ANY authenticated user to reach ANY site
[ends here, as users not able to present a valid authentication will be
asked to authenticate again..]
Let's take a hypothetical example:

a) All your users MUST authenticate
b) Users in subnet A can only go to certain sites
c) Users in other local subnets can go anywhere
acl authenticated proxy_auth REQUIRED
acl restricted-net src 192.168.1.0/24
acl our-net src 192.168.0.0-192.168.12.0/24
acl open-sites dst www.example.com demo.example.com
acl open-stations src 192.168.0.4 192.168.0.5 192.168.4.38

# Deny access from users outside our networks
http_access deny !our-net

# Access to the open sites is allowed for anyone. No need
# for authentication to access these.
http_access allow open-sites

# Users in the restricted network are not allowed to access anything
http_access deny restricted-net

# Users on the open stations are allowed to access anything without
# authentication
http_access allow open-stations

# Any other users in our network must authenticate themselves
http_access allow authenticated
--
Henrik Nordstrom
Squid hacker

Joel Taqueban wrote:
>
> Henrik,
>
> I hope you wouldn't mind if I try to bring this problem up again. I
> still have this problem and I tried a number of times playing with the
> ACLs but still I can't restrict some IPs or hosts from accessing only a
> particular domain. What is a better way of doing this really?
>
> Joel
>
> Henrik Nordstrom wrote:
> >
> > You allow all ldap users access to everything without restrictions.
> >
> > --
> > Henrik Nordstrom
> > Squid hacker
> >
> > Joel Taqueban wrote:
> > >
> > > Thanks for the reply,
> > >
> > > I've tried making changes to the ACLs. Here is my complete list:
> > >
> > > acl all src 0.0.0.0/0
> > > acl ldap proxy_auth REQUIRED
> > > acl allowedsites dstdomain dhl.com
> > > acl allowedhosts src 199.40.218.10-15
> > > acl allowedtime time S M T W H F A 06:00-21:00
> > >
> > > http_access allow ldap
> > > http_access allow allowedhosts allowedsites
> > > http_access allow allowedtime
> > > http_access deny all
> > >
> > > did squid -k reconfigure but still those IPs could still access
> > > non-DHL sites
> > > And when I look into the cache.log file I can't see any warnings on
> > > missing ACL declarations after re-reading the Squid conf file. I
> > > even do a "squid --" and it doesn't return me about missing ACLs.
> > >
> > > Anything or anywhere I need to check please?
> > >
> > > Joel
> > >
> > > Henrik Nordstrom wrote:
> > >
> > > alowe@hislora.com.au wrote:
> > > >
> > > > try this modified stuff:
> > > >
> > > > > How do I define on my squid.conf file to restrict particular IPs to
> > > > > access only certain domains?
> > > > >
> > > > > I've tried doing the ff:
> > > > >
> > > > > acl allowedsites dstdomain dhl.com
> > > > > acl allowedhost src 199.40.218.10-15/255.255.255.0
> > > > >
> > > > ># Remove this line--> http_access allow allowedsites
> > > > > http_access allow allowedhost allowed_sites
> > > > > http_access deny all
> > > >
> > > > the line marked remove is actually allowing the allowedsites to access
> > > > anything, by just putting the second and third line, you allow them to the
> > > > allowed_sites but nowhere else...
> > >
> > > Not quite.
> > >
> > > The first line allows everyone access to the host dhl.com.
> > >
> > > The second line is bungled in two ways:
> > > a) There is no allowed_sites ACL defined
> > > b) The allowedsites ACL is wrongly defined if your intention is to only
> > > match those 6 addresses. The netmask masks out the addresses and the ACL
> > > matches the whole class-C subnet. IP host ranges are better written
> > > without any netmask.
> > >
> > > However, this does not explain the behaviour you are seeing.
> > >
> > > Is there any other http_access lines before your "deny all" line?
> > > Is there any warnings about missing ACL declarations in cache.log when
> > > Squid is starting up?
> > > How is the ACL "all" defined? It SHOULD and MUST be defined as
> > > 0.0.0.0/0, nothing else.
> > >
> > > --
> > > Henrik Nordstrom
> > > Squid hacker

Received on Sat May 27 2000 - 06:46:14 MDT
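As an added illustration of the first-match, AND-within-a-line evaluation Henrik describes, here is a small Python model of his hypothetical http_access ruleset (example code written for this archive page, not Squid's own code and not part of the thread). It assumes a `dst` ACL can be reduced to an exact hostname comparison and that meeting a proxy_auth ACL without credentials produces a 407 challenge.

```python
import ipaddress

# ACL table constructed from Henrik's hypothetical squid.conf above (added example,
# not Squid code). "dst" is simplified to an exact hostname comparison.
ACLS = {
    "authenticated": ("proxy_auth", None),
    "restricted-net": ("src", ["192.168.1.0/24"]),
    # Squid's range "192.168.0.0-192.168.12.0/24", written out as the /24s it covers
    "our-net": ("src", [f"192.168.{i}.0/24" for i in range(13)]),
    "open-sites": ("dst", ["www.example.com", "demo.example.com"]),
    "open-stations": ("src", ["192.168.0.4", "192.168.0.5", "192.168.4.38"]),
}
# http_access lines in file order; a leading "!" negates an ACL.
RULES = [
    ("deny", ["!our-net"]),
    ("allow", ["open-sites"]),
    ("deny", ["restricted-net"]),
    ("allow", ["open-stations"]),
    ("allow", ["authenticated"]),
]

def acl_matches(name, client_ip, dst_host, authenticated):
    kind, values = ACLS[name]
    if kind == "proxy_auth":
        return authenticated
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dst":
        return dst_host in values
    raise ValueError(f"unsupported ACL type {kind}")

def http_access(client_ip, dst_host, authenticated=False, rules=RULES):
    """Return 'allow', 'deny' or 'challenge' (a 407 asking for credentials)."""
    for action, acls in rules:
        for acl in acls:
            negate = acl.startswith("!")
            name = acl.lstrip("!")
            if ACLS[name][0] == "proxy_auth" and not authenticated:
                return "challenge"  # Squid cannot decide without credentials
            if acl_matches(name, client_ip, dst_host, authenticated) == negate:
                break  # this ACL did not match, so the line fails; try the next
        else:
            return action  # every ACL on the line matched: first match wins
    # Nothing matched: Squid's default is the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Passing a ruleset that begins with `("allow", ["authenticated"])`, the shape of Joel's `http_access allow ldap`, lets every authenticated client through before any later restriction is consulted, which is the behaviour Henrik points out.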
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:53:34 MST