espoire20 wrote:
>
>
> Chris Robertson-2 wrote:
>> espoire20 wrote:
>>> Matt Harrison-3 wrote:
>>>
>>>> espoire20 wrote:
>>>>
>>>>> have a small problem with squid in access list, I need to block an IP
>>>>> address
>>>>> of a machine does not connect to internet even if it has the address of
>>>>> the
>>>>> proxy and port in the Internet option is that it is possible ?
>>>>>
>>>>>
>>>>> because I have some person who installs firefox mozzila he put the
>>>>> address
>>>>> of the proxy and the port it connects or it connects with a user of
>>>>> another
>>>>> person
>>>>>
>>>>> i use this but not working :
>>>>>
>>>>> acl user1 src 10.60.6.7
>>>>> httpd_access deny user1
>>>>>
>>>> Try it with
>>>>
>>>> http_access deny user1
>>>>
>>>> HTH
>>>>
>>>> Matt
>>>>
>>>>
>>> excuse me i mean http not httpd but not working
>>>
>>> I will explain you, I blocked internet for everyone ,if anyone wants
>>> internet I add the proxy address and port in the explorer but I need
>>> blocked
>>> IP address not to access the internet even if it adds proxy ip and port
>>> in
>>> the explorer
>>>
>>> what we can do ???
>>>
>> Share the rest of your config (preferably without comments and blank
>> lines), or read the FAQ on ACLs
>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>> allowing the traffic somewhere before the deny statement.
>>
>>> many thanks
>>>
>> Chris
>>
>>
>>
>
> this is my all acl that i have in my squid file :
>
>
> # TAG: acl
> acl ntlm proxy_auth REQUIRED
>
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> #
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl test src 10.60.6.7
>
> # TAG: http_access
Which does the following *** IN THIS ORDER ***:
> http_access allow ntlm
If person is logged in. They can do anything. absolutely anything.
If not logged in ... one of the following happens...
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
Prevents people who have not logged in from doing unsafe stuff...
If not doing dangerous stuff one of the following happens...
> http_access allow localnet
Allows anyone from the local network who has not logged in to do anything.
...
> http_access allow localhost
Allows the local machine
...
> http_access deny all
Denies all other access. The End.
> http_access deny test
Never matches. "deny all" already caught last remaining requests which
were not logged in, came from local network, localhost, or doing
dangerous stuff.
To fix your problem:
move "deny test" to somewhere above the first "allow" line.
Also you need to:
* consider moving "allow ntlm" down below the security settings to
just above "allow localnet".
* consider whether the people on localnet ranges are truly allowed to
do anything anyway *** when login fails ***.
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16 Current Beta Squid 3.1.0.9Received on Wed Jul 15 2009 - 13:50:30 MDT
This archive was generated by hypermail 2.2.0 : Thu Jul 16 2009 - 12:00:03 MDT