Hi,
On Mon, 29 Oct 2001, Rainer Traut wrote:
> Hi,
> we want to deny access for a single ip,
Actually you want to allow one ip to go to a restricted set of sites and
nowhere else.
> but this ip is also in another access list.
> As far as I understood the first rule that matches
> is applied, but it doesn't work...
Yes it does. You have to understand the http_access lines. If "test" is
going to "sites" he is allowed by the first http_access line. If he is
not, that line doesn't match. However the checks don't stop there. Since
the "test" ip is also part of "surf_all", whenever "test" goes somewhere
other than "sites" he will be allowed by "http_access allow surf_all".
What you need to do is:
http_access allow test sites
http_access deny test
http_access allow surf_small sites
http_access allow surf_all
http_access allow manager
http_access deny all
Now, when "test" doesn't go to "sites" he is explicitly blocked.
> this is a part of our squid.conf.
> It works, only this one ip still can surf everywhere.
>
> acl all src 0.0.0.0/0.0.0.0
> # this ip should access only allowed sites:
> acl test src 172.27.49.48/32
> # but it's also in here:
> acl surf_all src 172.27.49.0/24
> acl surf_small src 172.27.35.0/24
> acl sites dstdomain "/usr/local/squid/etc/erlaubt.url"
> http_access allow test sites
> http_access allow surf_small sites
> http_access allow surf_all
> http_access allow manager
> http_access deny all
>
> But he still can surf everywhere.
> Why?
> And what can I do?
> it's squid 2.4 stable2 running under linux mdk kernel 2.4.8.
>
> thanks
> Rainer
>
>
Colin
-- Colin Campbell Unix Support/Postmaster/Hostmaster CITEC +61 7 3006 4710
Received on Mon Oct 29 2001 - 19:33:42 MST
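The first-match evaluation discussed in this thread can be traced with a small simulator. This is an added example, not part of either message and not Squid code. It assumes the unseen contents of erlaubt.url are the constructed entry `.example.org` and that the `manager` ACL (not defined in the posted excerpt) never matches an ordinary request.

```python
import ipaddress

# Source ACLs copied from the posted squid.conf excerpt.
SRC_ACLS = {
    "all": "0.0.0.0/0",
    "test": "172.27.49.48/32",
    "surf_all": "172.27.49.0/24",
    "surf_small": "172.27.35.0/24",
}
SITES = [".example.org"]  # constructed stand-in for erlaubt.url

ORIGINAL = """
http_access allow test sites
http_access allow surf_small sites
http_access allow surf_all
http_access allow manager
http_access deny all
"""
FIXED = """
http_access allow test sites
http_access deny test
http_access allow surf_small sites
http_access allow surf_all
http_access allow manager
http_access deny all
"""

def acl_matches(name, src, host):
    if name == "sites":
        # dstdomain: a leading dot matches the domain and its subdomains
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in SITES)
    if name in SRC_ACLS:
        return ipaddress.ip_address(src) in ipaddress.ip_network(SRC_ACLS[name])
    return False  # assumption: "manager" never matches a normal request

def evaluate(rules, src, host):
    """Return (action, line) for the first http_access line whose ACLs ALL match."""
    for line in rules.strip().splitlines():
        _, action, *acls = line.split()
        if all(acl_matches(a, src, host) for a in acls):
            return action, line.strip()
    return "deny", None  # not reached here: both lists end with "deny all"

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for host in ("www.example.org", "other.example.net"):
            print(label, "172.27.49.48 ->", host, evaluate(rules, "172.27.49.48", host))
```

Running it shows the "test" address falling through to `http_access allow surf_all` under the original ordering and stopping at `http_access deny test` under the corrected one, while the rest of 172.27.49.0/24 is unaffected.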