Hello Henrik,
I have followed the codes you suggested ..but the same problem still occurs
(I mean .. nodownload still can do download process, what I need is
nodownload is contained the IP addresses who can browse to the internet but
they are not allowed to download files from the internet) ..
acl download urlpath_regex -i \.zip$
acl office_hours time 09:00-17:00
acl GET method GET
acl itperson src 192.168.1.88 192.168.1.89
acl nodownload src 192.168.1.10 192.168.1.11
http_access deny nodownload GET office_hour
http_access allow nodownload
http_access allow itperson
http_access deny all.
many thanks in advance
Regards
Winan
-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Thursday, May 22, 2003 6:21 PM
To: winanjaya@lippogeneral.com
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] How to configure squid for denying users
tododownload process for specified time range?
tor 2003-05-22 klockan 11.34 skrev Winanjaya:
> http_access allow it_user1
> http_access allow it_user2
> http_access allow nodownload1
> http_access allow nodownload2
>
> http_access deny GET office_hours nodownload1 nodownload2
> http_access deny all
There is two errors here:
a) You have already allowed access in the lines above.. the order of you
http_access rules is important. The first matching http_access line
tells if the request is allowed or denied.
b) nodownload1 and nodownload2 is conflicting. A single request cannot
come both from src 192.168.1.10 and src 192.168.1.11.
What you should do is to
1. Move the http_access deny line up before your allow lines.
2. Merge your nodownload* acls into one single nodownload acl including
all the ip addresses. You should probably also do the same with the
it_user* acls..
Which gives a configuration looking something like this:
acl download urlpath_regex -i \.exe$
acl office_hours time 09:00-17:00
acl GET method GET
acl it_user src 192.168.1.88 192.168.1.89
acl nodownload src 192.168.1.10 192.168.1.11
http_access deny nodownload GET office_hour
http_access allow nodownload
http_access allow it_user
http_access deny all.
Note: You may split the acl definitions on multiple lines if you prefer.
acl nodownload src 192.168.1.10
acl nodownload src 192.168.1.11
Or have the IP addresses in a separate file (one address per line)
acl nodownload src "/path/to/nodownload.txt"
Regards
Henrik
-- Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org Please consult the Squid FAQ and other available documentation before asking Squid questions, and use the squid-users mailing-list when no answer can be found. Private support questions is only answered for a fee or as part of a commercial Squid support contract. If you need commercial Squid support or cost effective Squid and firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, info@marasystems.com ----------------------------------------- (on viruswall.lippogeneral.com) Powered by Interscan VirusWall ---------------------------------------------------------Received on Thu May 22 2003 - 20:57:03 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:16:53 MST