Re: [squid-users] Need help in integrating squid and samba

From: Avinash Rao <avinash.aol_at_gmail.com>
Date: Thu, 10 Sep 2009 10:58:35 +0530

On Wed, Sep 9, 2009 at 12:56 PM, Henrik Nordstrom
<henrik_at_henriknordstrom.net> wrote:
> ons 2009-09-09 klockan 12:02 +0530 skrev Avinash Rao:
>
>> http_access allow staffgroup
>> http_access allow student staffgroup
>
> The above is wrong.
>
> The first directive allows everyone in staffgroup without restriction,
> which means the second can not be reached. Squid uses the first
> http_access line matching the request to determine if the request is
> allowed or denied, any http_access rules following that is ignored.
>
>> I am wondering if its really checking the NT group? I also tried using
>> the squid_unix_group option, but the result was the same.
>
> It most likely is, assuming you have no "proxy_auth REQUIRED" acl used
> in parts of squid.conf not shown here.
>
>> http_access deny extndeny
>> http_access deny purge
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>>
>> #http_access allow friends WORKING
>> #http_access deny friends
>> http_access deny abc
>> http_access deny videos
>>
>> http_access deny !AuthUsers
>
> Ok.
>
>> http_access allow staffgroup
>> http_access allow student staffgroup
>
> See above for why this is wrong. I guess the first of the two should
> go..
>
>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow purge localhost
>
> There is a "deny purge" rule missing here.
>
> And the whole block should be before your custom rules (i.e. first rules
> in http_access).
>
>> #http_access allow special_urls
>> #http_access deny extndeny download
>> http_access deny badurl
>> #http_access deny malware_block_list
>> #deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
>
> This deny need to go before where you allow access to be effective. But
> maybe it is.. Not entirely obvious to me who should get denied and who
> not.
>
>> http_access allow localhost
>> http_access allow lan
>> http_access deny all
>
> Ok.
>
> Regards
> Henrik
>
>
>

Henrik,

I understood what you said, I removed the conflicting entry,
http_access allow staffgroup and yes my config has:

acl AuthUsers proxy_auth REQUIRED
http_access deny !AuthUsers

But the result was the same. The time restriction is not working.

Regards,
Avinash
Received on Thu Sep 10 2009 - 05:28:44 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 10 2009 - 12:00:02 MDT