On Wed, May 10, 2006 at 03:23:18PM +1000, mark_brimblecombe wrote:
> I was wondering if someone could tell me what I'm doing
> wrong with my squid.conf file.

Yes. :)

You need to keep in mind that "http_access" statements are considered
from top to bottom. The first line that matches the criteria determines
the action that is taken. Thus:

> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443 563
> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> #acl Safe_ports port 8080
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow password

You don't have an ACL called "password" defined but I blame that on
copy/paste and assume that you meant the "acl user_passwords" that you
list later in your config.

So if anyone authenticates successfully the access is granted and
further "http_access" rules are not considered.

> acl lan src 192.168.0.0/255.255.255.0
> acl lan1 src 192.168.1.0/255.255.255.0
> acl lan2 src 192.168.2.0/255.255.255.0
> acl lan3 src 192.168.3.0/255.255.255.0
>
> acl restricted_sites url_regex -i myspace.com
> acl restricted_sites url_regex -i schoolies.com
> acl restricted_sites url_regex -i
> killjeeseday.freewebpage.org/lol.html
> acl restricted_sites url_regex -i earth.google.com
> acl restircted_sites url_regex -i
> kh.google.com/download/earth/index.html
> acl restricted_sites url_regex -i 211.27.149.18/webbook
> acl restricted_sites url_regex -i maps.google.com
> acl restricted_sites url_regex -i runescape.com
> acl restricted_sites url_regex -i runehq.com

You should consider moving these domains into an external file and use

    acl restricted_sites url_regex -i "/etc/squid/restricted"

> acl user_passwords proxy_auth REQUIRED
>
> http_access deny !restricted_sites lan
> http_access deny !restricted_sites lan1
> http_access deny !restricted_sites lan2
> http_access deny !restricted_sites lan3

These rules will not be executed because a previous rule matched
already. I would suggest something more like:

    acl lan src 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
    acl restricted_sites url_regex -i "/etc/squid/restricted"
    acl authenticated proxy_auth REQUIRED

    http_access deny !restricted_sites lan
    http_access allow authenticated
    http_access deny all

Kindly
 Christoph
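
The first-match behaviour described in the reply can be checked with a small model. The following is an added example, not part of the original message and not Squid's own code. It assumes a boolean stand-in for proxy_auth (no 407 challenge), the ACL name "authenticated" in place of the undefined "password", a two-entry subset of the regex list, and constructed sample requests.

```python
import re
from ipaddress import ip_address, ip_network

# ACL definitions modelled on the thread; the regex list is a two-entry subset.
LAN = [ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24",
                               "192.168.2.0/24", "192.168.3.0/24")]
RESTRICTED = ["myspace.com", "runescape.com"]

AS_POSTED = """
http_access allow authenticated
http_access deny !restricted_sites lan
"""
REORDERED = """
http_access deny !restricted_sites lan
http_access allow authenticated
http_access deny all
"""

def parse(conf):
    """Turn http_access lines into [action, acl, ...] lists, in file order."""
    return [l.split()[1:] for l in conf.splitlines() if l.startswith("http_access")]

def acl_matches(name, req):
    """Evaluate one ACL reference; a leading '!' negates it."""
    value = {
        "all": True,
        "lan": any(ip_address(req["src"]) in net for net in LAN),
        "restricted_sites": any(re.search(p, req["url"], re.I) for p in RESTRICTED),
        "authenticated": req["authenticated"],  # simplification: no 407 challenge
    }[name.lstrip("!")]
    return value != name.startswith("!")

def decide(conf, req):
    """Return (action, line_index) for the first line whose ACLs all match."""
    rules = parse(conf)
    for i, (action, *acls) in enumerate(rules):
        if all(acl_matches(a, req) for a in acls):
            return action, i
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Constructed request: an authenticated LAN client asking for an unlisted site.
REQ = {"src": "192.168.1.20", "url": "http://example.org/", "authenticated": True}

if __name__ == "__main__":
    print("as posted:", decide(AS_POSTED, REQ))
    print("reordered:", decide(REORDERED, REQ))
```

With the rules in the posted order the deny line is never reached for an authenticated client. Without a final "deny all", a request that matches no line gets the opposite of the last line's action.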