[squid-users] Re: squid time acls + auth acls

From: Adam Aube <aaube01@dont-contact.us>
Date: Thu, 02 Dec 2004 21:41:33 -0500

Alberto Sierra wrote:

> i want to achieve the following goals:
>
> VIP clients (10.1.1.40-10.1.1.50) always internet
> supervisors (using username/password)
> rest of the people: time acl-dependent

> my current setup is this:

> acl safe_list dstdomain "/etc/squid/safe_list"
> acl ViP src 10.1.1.40-10.1.1.50/32
> acl work time MTWHF 15:00-19:50
> acl sat time A 00:00-23:59
> acl time1 time S 09:00-10:10
> acl time2 time S 11:15-11:45
> acl time3 time S 12:30-13:20
> acl time4 time S 14:45-15:15
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
>
> http_access allow ViP
> http_access allow safe_list
> # deny access to dansguardian by time:
> http_access deny localhost time1
> http_access deny localhost time2
> http_access deny localhost time3
> http_access deny localhost time4

> now, i have first to uncomment the line
>
> acl password proxy_auth REQUIRED
> http_access allow localhost password
>
> for the authentication to work, but my question then is if i can put 3
> ACLs together like:
>
> http_access deny localhost password !work
>
> or how can i address this situation??

That is valid syntax, but will not achieve what you seem to want. That will
block access to authenticated users outside the times defined by "work". To
get what you want, you should have:

http_access allow localhost work
http_access allow localhost password
http_access deny all

BTW, why are you using "localhost" in all the http_access lines? You do
realize that will only match if the client is running on the same physical
system as Squid, right?

Adam
Received on Thu Dec 02 2004 - 19:41:46 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:01 MST