Bobby wrote:
> Hi List,
> I've been battling with this configuration and at this point I don't think I'm
> seeing straight. The idea is to have a few groups with some specific access
> tables for each of them. But somehow, besides for manager, it either lets
> them all through or none, rather than following the valid -http access lists.
> Please help me see the errors of my way!
> This is running on openbsd where pf is redirecting traffic from 80 to 3128 on
> the loopback device.
> --------------------------------------------------
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 5203
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> acl our_networks src 172.16.10.0/24
> #http_access allow our_networks
> http_access allow Safe_ports
Here is the first line that matches. Everyone is allowed through (as
long as they are trying to access a Safe_port). Is this just here while
you test?
> # Each src file has a list of internal IP's, and each dst file
> # has a list of domains they can visit.
> acl operators-src src "/etc/squid/T_operators"
> acl operators-dst dst "/etc/squid/T_operators-http"
Hard to diagnose a problem without knowing what the contents of these
files are...
> acl managers-src src "/etc/squid/T_managers"
> acl managers-dst dst "/etc/squid/T_managers-http"
> acl servers-src src "/etc/squid/T_servers"
> acl servers-dst dst "/etc/squid/T_servers-http"
> acl finance-src src "/etc/squid/T_finance"
> acl finance-dst dst "/etc/squid/T_finance-http"
> acl admins-src src "/etc/squid/T_admins"
> acl admins-dst dst all
Perhaps the "all" keyword works as you expect it to, but it seems to me
that it would be better to define it as an explicit destination IP
(0.0.0.0/0).
> acl clients src 0.0.0.0/0.0.0.0
> acl client-http dst 172.16.10.3
> http_access allow managers-src managers-dst
> http_access allow operators-src operators-dst
> http_access allow admins-src admins-dst
> http_access allow servers-src servers-dst
> http_access allow finance-src finance-dst
> http_access allow clients client-http
> http_access deny all
> http_reply_access deny all
Whoa. You probably don't want to do this. http_reply_access controls
what responses to your client's queries are allowed. Here you are
rejecting all responses...
> icp_access allow all
> visible_hostname gw0.example.com
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> coredump_dir /var/squid/cache
Chris
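To make the first-match point concrete, here is a small model of Squid's http_access evaluation run over the ruleset from the thread, once as posted and once with the blanket `allow Safe_ports` line removed. This is an added example, not Squid's code or anything from the original posts; the contents of the T_* group files and the client/destination addresses are constructed placeholders.

```python
"""Model of Squid's first-match http_access evaluation for the posted ruleset.
Added example; the /etc/squid/T_* file contents below are constructed stand-ins."""
import ipaddress

# Constructed ACL definitions (kind, values). Squid reads src/dst lists from files;
# here they are inlined so the example runs offline.
ACLS = {
    "Safe_ports":    ("port", {5203}),
    "operators-src": ("src", ["172.16.10.20/32"]),
    "operators-dst": ("dst", ["198.51.100.10/32"]),
    "managers-src":  ("src", ["172.16.10.30/32"]),
    "managers-dst":  ("dst", ["198.51.100.0/24"]),
    "all":           ("src", ["0.0.0.0/0"]),
}

def make_request(src, dst, port):
    return {"src": src, "dst": dst, "port": port}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "port":
        return req["port"] in values
    addr = ipaddress.ip_address(req[kind])
    return any(addr in ipaddress.ip_network(v) for v in values)

def http_access(rules, req):
    """First rule whose ACLs all match decides; '!' negates an ACL.
    If no rule matches, Squid applies the opposite of the last rule's action."""
    for verdict, acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return verdict
    return "allow" if rules[-1][0] == "deny" else "deny"

# The http_access lines from the post, in order (manager/CONNECT rules omitted).
POSTED = [
    ("deny",  ["!Safe_ports"]),
    ("allow", ["Safe_ports"]),      # the line Chris points at: matches everyone
    ("allow", ["managers-src", "managers-dst"]),
    ("allow", ["operators-src", "operators-dst"]),
    ("deny",  ["all"]),
]
# Same ruleset with the blanket allow removed, so the group rules are reached.
FIXED = [r for r in POSTED if r != ("allow", ["Safe_ports"])]

if __name__ == "__main__":
    off_list = make_request("172.16.10.20", "198.51.100.200", 5203)
    print("posted:", http_access(POSTED, off_list))  # allow: never reaches group rules
    print("fixed: ", http_access(FIXED, off_list))   # deny: operator, non-operator dst
```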