Re: [squid-users] user problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 16 Jul 2009 01:50:21 +1200

espoire20 wrote:
>
>
> Chris Robertson-2 wrote:
>> espoire20 wrote:
>>> Matt Harrison-3 wrote:
>>>
>>>> espoire20 wrote:
>>>>
>>>>> I have a small problem with squid in the access list. I need to block the IP
>>>>> address of a machine so it does not connect to the internet even if it has the
>>>>> address of the proxy and the port in the Internet options. Is that possible?
>>>>>
>>>>>
>>>>> because I have some person who installs Mozilla Firefox; he puts the address
>>>>> of the proxy and the port and it connects, or it connects with another
>>>>> person's user
>>>>>
>>>>> I use this but it is not working:
>>>>>
>>>>> acl user1 src 10.60.6.7
>>>>> httpd_access deny user1
>>>>>
>>>> Try it with
>>>>
>>>> http_access deny user1
>>>>
>>>> HTH
>>>>
>>>> Matt
>>>>
>>>>
>>> Excuse me, I mean http not httpd, but it is still not working.
>>>
>>> I will explain to you: I blocked the internet for everyone; if anyone wants
>>> internet I add the proxy address and port in the explorer, but I need the
>>> blocked IP address not to access the internet even if it adds the proxy IP
>>> and port in the explorer
>>>
>>> What can we do???
>>>
>> Share the rest of your config (preferably without comments and blank
>> lines), or read the FAQ on ACLs
>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>> allowing the traffic somewhere before the deny statement.
>>
>>> many thanks
>>>
>> Chris
>>
>>
>>
>
> this is all the acl I have in my squid file:
>
>
> # TAG: acl
> acl ntlm proxy_auth REQUIRED
>
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> #
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl test src 10.60.6.7
>
> # TAG: http_access

Which does the following *** IN THIS ORDER ***:

> http_access allow ntlm

If the person is logged in, they can do anything. Absolutely anything.

If not logged in ... one of the following happens...

>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Prevents people who have not logged in from doing unsafe stuff...

If not doing dangerous stuff one of the following happens...

> http_access allow localnet

Allows anyone from the local network who has not logged in to do anything.

...

> http_access allow localhost

Allows the local machine

...
> http_access deny all

Denies all other access. The End.

> http_access deny test

Never matches. "deny all" has already caught the last remaining requests,
which were not logged in, came from the local network or localhost, or were
doing dangerous stuff.

To fix your problem:
   move "deny test" to somewhere above the first "allow" line.

Also you need to:
   * consider moving "allow ntlm" down below the security settings to
     just above "allow localnet".
   * consider whether the people on localnet ranges are truly allowed to
     do anything anyway *** when login fails ***.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.9
Received on Wed Jul 15 2009 - 13:50:30 MDT
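An added example, not part of this thread: a small Python model of Squid's top-to-bottom, first-match http_access evaluation, run over the poster's own ACLs. It shows why the trailing `deny test` never fires and why moving it above `allow ntlm` blocks that host even when the login succeeds. Only the ACL types the quoted config uses are modelled, and the requests are constructed dicts, not real traffic.

```python
from ipaddress import ip_address, ip_network

# ACL definitions taken from the quoted squid.conf, keyed by ACL name.
ACLS = {
    "ntlm": ("proxy_auth", None),
    "manager": ("proto", {"cache_object"}),
    "localhost": ("src", ["127.0.0.1/32"]),
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "SSL_ports": ("port", {443}),
    "Safe_ports": ("port", {80, 21, 443, 70, 210, 280, 488, 591, 777}
                   | set(range(1025, 65536))),
    "CONNECT": ("method", {"CONNECT"}),
    "test": ("src", ["10.60.6.7/32"]),
}

def acl_matches(name, req):
    """True if the named ACL matches the request; 'all' always matches."""
    if name == "all":
        return True
    kind, value = ACLS[name]
    if kind == "proxy_auth":          # REQUIRED: any authenticated user
        return req.get("user") is not None
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(n) for n in value)
    return req[kind] in value

def http_access(rules, req):
    """Walk http_access lines in order; a line matches only when every term
    matches ('!' inverts a term); the first matching line decides the verdict."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"  # Squid's default

# The poster's rule order, exactly as quoted above.
ORIGINAL = [
    ("allow", ["ntlm"]),
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
    ("deny", ["test"]),
]
# Amos's fix: "deny test" moved above the first "allow" line.
FIXED = [("deny", ["test"])] + ORIGINAL[:-1]
# Constructed request: the machine the poster wants blocked, with a valid login.
BLOCKED_HOST = {"src": "10.60.6.7", "user": "alice", "proto": "http", "port": 80, "method": "GET"}
```

With the original order the blocked host is allowed both when logged in (via `allow ntlm`) and when not (via `allow localnet`), which is exactly Amos's second point; with the fixed order it is denied while other localnet hosts still work.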