Re: [squid-users] user problem

From: espoire20 <zakariase2002_at_yahoo.fr>
Date: Mon, 20 Jul 2009 01:45:20 -0700 (PDT)

Amos Jeffries-2 wrote:
>
> espoire20 wrote:
>>
>>
>> Amos Jeffries-2 wrote:
>>> espoire20 wrote:
>>>>
>>>> Chris Robertson-2 wrote:
>>>>> espoire20 wrote:
>>>>>> Matt Harrison-3 wrote:
>>>>>>
>>>>>>> espoire20 wrote:
>>>>>>>
>>>>>>>> have a small problem with squid in access list, I need to block an
>>>>>>>> IP
>>>>>>>> address
>>>>>>>> of a machine does not connect to internet even if it has the
>>>>>>>> address
>>>>>>>> of
>>>>>>>> the
>>>>>>>> proxy and port in the Internet option is that it is possible ?
>>>>>>>>
>>>>>>>>
>>>>>>>> because I have some person who installs firefox mozzila he put the
>>>>>>>> address
>>>>>>>> of the proxy and the port it connects or it connects with a user of
>>>>>>>> another
>>>>>>>> person
>>>>>>>>
>>>>>>>> i use this but not working :
>>>>>>>>
>>>>>>>> acl user1 src 10.60.6.7
>>>>>>>> httpd_access deny user1
>>>>>>>>
>>>>>>> Try it with
>>>>>>>
>>>>>>> http_access deny user1
>>>>>>>
>>>>>>> HTH
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>>
>>>>>> excuse me i mean http not httpd but not working
>>>>>>
>>>>>> I will explain you, I blocked internet for everyone ,if anyone wants
>>>>>> internet I add the proxy address and port in the explorer but I need
>>>>>> blocked
>>>>>> IP address not to access the internet even if it adds proxy ip and
>>>>>> port
>>>>>> in
>>>>>> the explorer
>>>>>>
>>>>>> what we can do ???
>>>>>>
>>>>> Share the rest of your config (preferably without comments and blank
>>>>> lines), or read the FAQ on ACLs
>>>>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>>>>> allowing the traffic somewhere before the deny statement.
>>>>>
>>>>>> many thanks
>>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>>
>>>> this is my all acl that i have in my squid file :
>>>>
>>>>
>>>> # TAG: acl
>>>> acl ntlm proxy_auth REQUIRED
>>>>
>>>>
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/32
>>>> acl to_localhost dst 127.0.0.0/8
>>>>
>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>> #
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>> acl test src 10.60.6.7
>>>>
>>>> # TAG: http_access
>>> Which does the following *** IN THIS ORDER ***:
>>>
>>>
>>>> http_access allow ntlm
>>> If person is logged in. They can do anything. absolutely anything.
>>>
>>> If not logged in ... one of the following happens...
>>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>> Prevents people who have not logged in from doing unsafe stuff...
>>>
>>> If not doing dangerous stuff one of the following happens...
>>>
>>>> http_access allow localnet
>>> Allows anyone from the local network who has not logged in to do
>>> anything.
>>>
>>> ...
>>>
>>>> http_access allow localhost
>>> Allows the local machine
>>>
>>> ...
>>>> http_access deny all
>>> Denies all other access. The End.
>>>
>>>> http_access deny test
>>> Never matches. "deny all" already caught last remaining requests which
>>> were not logged in, came from local network, localhost, or doing
>>> dangerous stuff.
>>>
>>>
>>>
>>> To fix your problem:
>>> move "deny test" to somewhere above the first "allow" line.
>>>
>>>
>>> Also you need to:
>>> * consider moving "allow ntlm" down below the security settings to
>>> just above "allow localnet".
>>> * consider whether the people on localnet ranges are truly allowed to
>>> do anything anyway *** when login fails ***.
>>>
>>>
>>> Amos
>>
>> thank you Amos
>>
>> i made :http_access deny test after http_access allow ntlm but not
>> working
>
> ^^^^^
>
> I said "before" first allow. You placed it "after" first allow.
>
> NTLM auth is silent and usually happens without users doing anything
> ("single sign-on"). The browser can be expected to authenticate them.
>
>
>> whene they put the addresse proxy of the end of browser they can connect
>
> Sorry, I do not understand the sentence above. ?
>
> When they put the address where?
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
> Current Beta Squid 3.1.0.9
>
>

Hi
i mean in the internt options ---> Connections ------->Local Area Network
they add the adresse of Proxy after they can connect

but now i blocked the ip adresse i placed before" first allow like you said
i think it s working

can i ask anthor question ?

many thanks for your help

-- 
View this message in context: http://www.nabble.com/user-problem-tp24458799p24565961.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Mon Jul 20 2009 - 08:45:24 MDT

This archive was generated by hypermail 2.2.0 : Mon Jul 20 2009 - 12:00:02 MDT