espoire20 wrote:
>
>
>
> espoire20 wrote:
>>
>>
>>
>> Amos Jeffries-2 wrote:
>>>
>>> espoire20 wrote:
>>>>
>>>>
>>>> Amos Jeffries-2 wrote:
>>>>> espoire20 wrote:
>>>>>>
>>>>>> Chris Robertson-2 wrote:
>>>>>>> espoire20 wrote:
>>>>>>>> Matt Harrison-3 wrote:
>>>>>>>>
>>>>>>>>> espoire20 wrote:
>>>>>>>>>
>>>>>>>>>> have a small problem with squid in access list, I need to block
>>>>>>>>>> an IP
>>>>>>>>>> address
>>>>>>>>>> of a machine does not connect to internet even if it has the
>>>>>>>>>> address
>>>>>>>>>> of
>>>>>>>>>> the
>>>>>>>>>> proxy and port in the Internet option is that it is possible ?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> because I have some person who installs firefox mozzila he put
>>>>>>>>>> the
>>>>>>>>>> address
>>>>>>>>>> of the proxy and the port it connects or it connects with a user
>>>>>>>>>> of
>>>>>>>>>> another
>>>>>>>>>> person
>>>>>>>>>>
>>>>>>>>>> i use this but not working :
>>>>>>>>>>
>>>>>>>>>> acl user1 src 10.60.6.7
>>>>>>>>>> httpd_access deny user1
>>>>>>>>>>
>>>>>>>>> Try it with
>>>>>>>>>
>>>>>>>>> http_access deny user1
>>>>>>>>>
>>>>>>>>> HTH
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>>>
>>>>>>>> excuse me i mean http not httpd but not working
>>>>>>>>
>>>>>>>> I will explain you, I blocked internet for everyone ,if anyone
>>>>>>>> wants
>>>>>>>> internet I add the proxy address and port in the explorer but I
>>>>>>>> need
>>>>>>>> blocked
>>>>>>>> IP address not to access the internet even if it adds proxy ip and
>>>>>>>> port
>>>>>>>> in
>>>>>>>> the explorer
>>>>>>>>
>>>>>>>> what we can do ???
>>>>>>>>
>>>>>>> Share the rest of your config (preferably without comments and blank
>>>>>>> lines), or read the FAQ on ACLs
>>>>>>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>>>>>>> allowing the traffic somewhere before the deny statement.
>>>>>>>
>>>>>>>> many thanks
>>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> this is my all acl that i have in my squid file :
>>>>>>
>>>>>>
>>>>>> # TAG: acl
>>>>>> acl ntlm proxy_auth REQUIRED
>>>>>>
>>>>>>
>>>>>> acl manager proto cache_object
>>>>>> acl localhost src 127.0.0.1/32
>>>>>> acl to_localhost dst 127.0.0.0/8
>>>>>>
>>>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>>> #
>>>>>> acl SSL_ports port 443
>>>>>> acl Safe_ports port 80 # http
>>>>>> acl Safe_ports port 21 # ftp
>>>>>> acl Safe_ports port 443 # https
>>>>>> acl Safe_ports port 70 # gopher
>>>>>> acl Safe_ports port 210 # wais
>>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>>> acl Safe_ports port 280 # http-mgmt
>>>>>> acl Safe_ports port 488 # gss-http
>>>>>> acl Safe_ports port 591 # filemaker
>>>>>> acl Safe_ports port 777 # multiling http
>>>>>> acl CONNECT method CONNECT
>>>>>> acl test src 10.60.6.7
>>>>>>
>>>>>> # TAG: http_access
>>>>> Which does the following *** IN THIS ORDER ***:
>>>>>
>>>>>
>>>>>> http_access allow ntlm
>>>>> If person is logged in. They can do anything. absolutely anything.
>>>>>
>>>>> If not logged in ... one of the following happens...
>>>>>
>>>>>> http_access allow manager localhost
>>>>>> http_access deny manager
>>>>>> http_access deny !Safe_ports
>>>>>> http_access deny CONNECT !SSL_ports
>>>>> Prevents people who have not logged in from doing unsafe stuff...
>>>>>
>>>>> If not doing dangerous stuff one of the following happens...
>>>>>
>>>>>> http_access allow localnet
>>>>> Allows anyone from the local network who has not logged in to do
>>>>> anything.
>>>>>
>>>>> ...
>>>>>
>>>>>> http_access allow localhost
>>>>> Allows the local machine
>>>>>
>>>>> ...
>>>>>> http_access deny all
>>>>> Denies all other access. The End.
>>>>>
>>>>>> http_access deny test
>>>>> Never matches. "deny all" already caught last remaining requests which
>>>>> were not logged in, came from local network, localhost, or doing
>>>>> dangerous stuff.
>>>>>
>>>>>
>>>>>
>>>>> To fix your problem:
>>>>> move "deny test" to somewhere above the first "allow" line.
>>>>>
>>>>>
>>>>> Also you need to:
>>>>> * consider moving "allow ntlm" down below the security settings to
>>>>> just above "allow localnet".
>>>>> * consider whether the people on localnet ranges are truly allowed
>>>>> to
>>>>> do anything anyway *** when login fails ***.
>>>>>
>>>>>
>>>>> Amos
>>>>
>>>> thank you Amos
>>>>
>>>> i made :http_access deny test after http_access allow ntlm but not
>>>> working
>>>
>>> ^^^^^
>>>
>>> I said "before" first allow. You placed it "after" first allow.
>>>
>>> NTLM auth is silent and usually happens without users doing anything
>>> ("single sign-on"). The browser can be expected to authenticate them.
>>>
>>>
>>>> whene they put the addresse proxy of the end of browser they can
>>>> connect
>>>
>>> Sorry, I do not understand the sentence above. ?
>>>
>>> When they put the address where?
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>>> Current Beta Squid 3.1.0.9
>>>
>>>
>>
>> Hi
>> i mean in the internt options ---> Connections ------->Local Area Network
>> they add the adresse of Proxy after they can connect
>>
>> but now i blocked the ip adresse i placed before" first allow like you
>> said i think it s working
>>
>> can i ask anthor question ?
>>
>> many thanks for your help
>>
>
> it's possible to bloque user to connecte to internet in squid but this
> user is in the active directory because i use the same user for the active
> directory in the squid
>
> you know how can i do ????
>
>
urgent please please help me
i restart my server proxy after not working i try to access to krb5 and
resolv.conf i have this message :
No protocol specified
(gedit :2918) Gtk_Warnning**:cannot open dispay: 0.0
help me please please
-- View this message in context: http://www.nabble.com/user-problem-tp24458799p24624287.html Sent from the Squid - Users mailing list archive at Nabble.com.Received on Thu Jul 23 2009 - 11:57:33 MDT
This archive was generated by hypermail 2.2.0 : Thu Jul 23 2009 - 12:00:04 MDT