paul cooper wrote:
> 4 users , 1 machine, with squid running and a GUI
>
>
>
> Im having problems getting the time-based ACLs sorted. To test it ive
> added a sat/sun ACL which should allow access between 08:00 and 10:00
>
>
Your time ACL appears to be working. It's your usage of http_access
thats screwing things up. Check the lines saying "request ALLOWED
because it matched".
>
> Config 1
>
> hepworth emma # cat /etc/squid/squid.conf |grep ^acl
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 22 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl andrew proxy_auth REQUIRED
> acl emma proxy_auth REQUIRED
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
> acl weekends time SA 08:00-10:00
> acl beforeschool time MTWHF 07:30-09:00
> acl afterschool time MTWHF 16:00-20:00
> hepworth emma # cat /etc/squid/squid.conf |grep ^http
> http_port 3128
> http_access allow emma weekends
- fails on first test sequence
- allow request on second sequence
> http_access allow Safe_ports
- allow request on first sequence
- never reached on second
> http_access allow andrew
- never reached
> http_access deny localhost
- never reached
> http_access deny all
- never reached.
>
> it asks me for a login (emma) and then gives access
>
<snip>
> 2008/03/23 16:05:44| The request GET http://grolma.no-ip.org/ is DENIED,
> because it matched 'emma'
... bounce for login.
<snip>
> 2008/03/23 16:05:50| The request GET http://grolma.no-ip.org/ is ALLOWED,
> because it matched 'Safe_ports'
... bingo!
>
> so i negate the time , and it still gives me access
>
> hepworth emma # cat /etc/squid/squid.conf |grep ^http
> http_port 3128
> http_access allow emma !weekends
> http_access allow Safe_ports
> http_access allow andrew
> http_access deny localhost
> http_access deny all
> hepworth emma #
<snip>
> 2008/03/23 16:10:41| The request GET http://grolma.no-ip.org/ is DENIED,
> because it matched 'emma'
... bounce for login again.
<snip>
> 2008/03/23 16:10:47| The request GET http://grolma.no-ip.org/ is ALLOWED,
> because it matched 'weekends'
... boing!
<snip>
>
> so i try denying emma and it gives me access without asking for a username
>
> hepworth emma # cat /etc/squid/squid.conf |grep ^http
> http_port 3128
> http_access allow Safe_ports
- accepts all port 80 requests.
> http_access allow andrew
- never reached
> http_access deny localhost
- never reached
> http_access deny emma
- never reached
> http_access deny all
- never reached
> hepworth emma #
>
<snip>
> 2008/03/23 16:14:32| The request GET http://grolma.no-ip.org/ is ALLOWED,
> because it matched 'Safe_ports'
.. bingo! on the first line.
<snip>
>
> I think its giving me access from localhost.
> Ive commented out all the default localhost configs and added http_acess
> deny localhost but its not stopping it
> How do i configure this ?
>
>
Drop the global access to Safe_ports. And I do mean GLOBAL. You have an
open-proxy on your hands.
It's best to use:
http_access deny !Safe_ports
to only use Safe_ports for blocking unsafe port usage.
Amos
-- Please use Squid 2.6STABLE17+ or 3.0STABLE1+ There are serious security advisories out on all earlier releases.Received on Sun Mar 23 2008 - 23:25:54 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT