espoire20 wrote:
>
>
> Amos Jeffries-2 wrote:
>> espoire20 wrote:
>>>
>>> Chris Robertson-2 wrote:
>>>> espoire20 wrote:
>>>>> Matt Harrison-3 wrote:
>>>>>
>>>>>> espoire20 wrote:
>>>>>>
>>>>>>> have a small problem with squid in access list, I need to block an IP
>>>>>>> address
>>>>>>> of a machine does not connect to internet even if it has the address
>>>>>>> of
>>>>>>> the
>>>>>>> proxy and port in the Internet option is that it is possible ?
>>>>>>>
>>>>>>>
>>>>>>> because I have some person who installs firefox mozzila he put the
>>>>>>> address
>>>>>>> of the proxy and the port it connects or it connects with a user of
>>>>>>> another
>>>>>>> person
>>>>>>>
>>>>>>> i use this but not working :
>>>>>>>
>>>>>>> acl user1 src 10.60.6.7
>>>>>>> httpd_access deny user1
>>>>>>>
>>>>>> Try it with
>>>>>>
>>>>>> http_access deny user1
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>>
>>>>> excuse me i mean http not httpd but not working
>>>>>
>>>>> I will explain you, I blocked internet for everyone ,if anyone wants
>>>>> internet I add the proxy address and port in the explorer but I need
>>>>> blocked
>>>>> IP address not to access the internet even if it adds proxy ip and port
>>>>> in
>>>>> the explorer
>>>>>
>>>>> what we can do ???
>>>>>
>>>> Share the rest of your config (preferably without comments and blank
>>>> lines), or read the FAQ on ACLs
>>>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>>>> allowing the traffic somewhere before the deny statement.
>>>>
>>>>> many thanks
>>>>>
>>>> Chris
>>>>
>>>>
>>>>
>>> this is my all acl that i have in my squid file :
>>>
>>>
>>> # TAG: acl
>>> acl ntlm proxy_auth REQUIRED
>>>
>>>
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8
>>>
>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> #
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>> acl test src 10.60.6.7
>>>
>>> # TAG: http_access
>> Which does the following *** IN THIS ORDER ***:
>>
>>
>>> http_access allow ntlm
>> If person is logged in. They can do anything. absolutely anything.
>>
>> If not logged in ... one of the following happens...
>>
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>> Prevents people who have not logged in from doing unsafe stuff...
>>
>> If not doing dangerous stuff one of the following happens...
>>
>>> http_access allow localnet
>> Allows anyone from the local network who has not logged in to do anything.
>>
>> ...
>>
>>> http_access allow localhost
>> Allows the local machine
>>
>> ...
>>> http_access deny all
>> Denies all other access. The End.
>>
>>> http_access deny test
>> Never matches. "deny all" already caught last remaining requests which
>> were not logged in, came from local network, localhost, or doing
>> dangerous stuff.
>>
>>
>>
>> To fix your problem:
>> move "deny test" to somewhere above the first "allow" line.
>>
>>
>> Also you need to:
>> * consider moving "allow ntlm" down below the security settings to
>> just above "allow localnet".
>> * consider whether the people on localnet ranges are truly allowed to
>> do anything anyway *** when login fails ***.
>>
>>
>> Amos
>
> thank you Amos
>
> i made :http_access deny test after http_access allow ntlm but not working
^^^^^
I said "before" first allow. You placed it "after" first allow.
NTLM auth is silent and usually happens without users doing anything
("single sign-on"). The browser can be expected to authenticate them.
> whene they put the addresse proxy of the end of browser they can connect
Sorry, I do not understand the sentence above. ?
When they put the address where?
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16 Current Beta Squid 3.1.0.9Received on Thu Jul 16 2009 - 11:37:37 MDT
This archive was generated by hypermail 2.2.0 : Mon Jul 20 2009 - 12:00:02 MDT