> -----Original Message-----
> From: Covington, Chris [mailto:Chris.Covington@xxxxxxxxxxx]
> Sent: Thursday, September 01, 2005 8:45 AM
> To: rob@xxxxxxxxxxx; squid-users@xxxxxxxxxxxxxxx
> Subject: Re: deny authenticated users to dstdomain
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Covington, Chris wrote:
> > > Hi all,
> > >
> > > I'd like to deny some domains after people have authenticated. I
> > > tried this:
> > >
> > > acl NoAccess dstdomain .aim.com
> > > acl NoAccess proxy_auth REQUIRED
> > > acl AuthorizedUsers proxy_auth REQUIRED
> > > http_access deny NoAccess
> > > http_access allow AuthorizedUsers
> > >
> > > But apparently this isn't allowed:
> > >
> > > 2005/09/01 10:52:12| aclParseAclLine: ACL 'NoAccess' already exists with different type.
> > > FATAL: Bungled squid2.conf line 1874: acl NoAccess proxy_auth REQUIRED
> > > Squid Cache (Version 2.5.STABLE10): Terminated abnormally.
> > >
> > > What's the best way to do this?
> >
> > Remove line 1874. It's conflicting with the `deny NoAccess' line.
>
> That line is:
>
> acl NoAccess dstdomain .aim.com
>
> If I do that, how will I define which sites are not allowed access?
>
> ---
> Chris Covington
> IT
> Plus One Health Management
> 75 Maiden Lane Suite 801
> NY, NY 10038
> 646-312-6269
> http://www.plusoneactive.com
>

The problem is you have used one ACL name (NoAccess) with two different ACL types (dstdomain and proxy_auth). Give the two ACLs different names, and make either a combined http_access rule using those ACLs or sequential http_access rules to serve your goal. For example...

acl NoAccess dstdomain .aim.com
acl authentication proxy_auth REQUIRED
acl myNet src 192.168.0.0/24
http_access deny !authentication
http_access deny NoAccess
http_access allow myNet
http_access deny all

...would allow access to those people who 1) have authenticated 2) are not trying to surf to *.aim.com and 3) are originating from 192.168.0.0/24.

The Squid FAQ (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html) has more details.

Chris
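The rule ordering in the reply above, as an added example that is not part of the original messages and is not Squid's own code: a simplified Python model that rejects an ACL name reused with a second type and evaluates http_access lines first-match, with the ACLs on one line ANDed. It assumes `all` is predefined, treats proxy_auth as "a user name is present" (no 407 challenge), and uses constructed requests.

```python
import ipaddress

def parse(conf):
    """Return (acls, rules); reject an ACL name reused with a different type."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []  # assumption: 'all' is predefined
    for n, line in enumerate(conf.splitlines(), 1):
        tok = line.split()
        if tok[:1] == ["acl"] and len(tok) >= 4:
            name, typ = tok[1], tok[2]
            if name in acls and acls[name][0] != typ:
                raise ValueError(f"line {n}: ACL '{name}' already exists with different type")
            acls.setdefault(name, (typ, []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"] and len(tok) >= 3:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(typ, vals, req):
    if typ == "dstdomain":  # ".aim.com" covers aim.com and every subdomain
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v)) for v in vals)
    if typ == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in vals)
    if typ == "proxy_auth":  # simplified: no 407 challenge, just "is a user present"
        return req.get("user") is not None and ("REQUIRED" in vals or req["user"] in vals)
    raise ValueError(f"unsupported ACL type '{typ}'")

def decide(acls, rules, req):
    """ACLs on one http_access line are ANDed; the first matching line decides."""
    for action, names in rules:
        if all(matches(*acls[x.lstrip("!")], req) != x.startswith("!") for x in names):
            return action
    return "deny"  # simplification: not reached when the list ends in 'deny all'

BROKEN = "acl NoAccess dstdomain .aim.com\nacl NoAccess proxy_auth REQUIRED\n"
FIXED = """\
acl NoAccess dstdomain .aim.com
acl authentication proxy_auth REQUIRED
acl myNet src 192.168.0.0/24
http_access deny !authentication
http_access deny NoAccess
http_access allow myNet
http_access deny all
"""

if __name__ == "__main__":
    acls, rules = parse(FIXED)
    for host in ("www.example.com", "login.aim.com"):  # constructed requests
        req = {"user": "alice", "src": "192.168.0.10", "host": host}
        print(host, "->", decide(acls, rules, req))
```

Because the authentication check comes first, an unauthenticated request is denied before the destination or source address is ever consulted.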