On Thursday 07 June 2007 20:01:02 Chris Robertson wrote:
> Bobby wrote:
> > Hi List,
> >
> > I've been battling with this configuration and at this point I don't
> > think I'm seeing straight. The idea is to have a few groups with some
> > specific access tables for each of them. But somehow, besides for
> > manager, it either lets them all through or none, rather than following
> > the valid -http access lists.
> >
> > Please help me see the errors of my way!
> >
> >
> > This is running on openbsd where pf is redirecting traffic from 80 to
> > 3128 on the loopback device.
> >
> > --------------------------------------------------
> > http_port 3128
> >
> > hierarchy_stoplist cgi-bin ?
> >
> > acl QUERY urlpath_regex cgi-bin \?
> > no_cache deny QUERY
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 5203
> > acl CONNECT method CONNECT
> >
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access deny to_localhost
> >
> > acl our_networks src 172.16.10.0/24
> > #http_access allow our_networks
> >
> > http_access allow Safe_ports
>
> Here is the first line that matches. Everyone is allowed through (as
> long as they are trying to access a Safe_port). Is this just here while
> you test?

Yes, there are no Safe_ports defined.

> > # Each src file has a list of internal IP's, and each dst file
> > #has a list of domains they can visit.
> > acl operators-src src "/etc/squid/T_operators"
> > acl operators-dst dst "/etc/squid/T_operators-http"
>
> Hard to diagnose a problem without knowing what the contents of these
> files are...

Either RFC 1918 network addresses (172.16.10.nn) in -src files, or routable IP's of websites in -dst files.

> > acl managers-src src "/etc/squid/T_managers"
> > acl managers-dst dst "/etc/squid/T_managers-http"
> > acl servers-src src "/etc/squid/T_servers"
> > acl servers-dst dst "/etc/squid/T_servers-http"
> > acl finance-src src "/etc/squid/T_finance"
> > acl finance-dst dst "/etc/squid/T_finance-http"
> > acl admins-src src "/etc/squid/T_admins"
> > acl admins-dst dst all
>
> Perhaps the "all" keyword works as you expect it to, but it seems to me
> that it would be better to define it as an explicit destination IP
> (0.0.0.0/0).

OK.

> > acl clients src 0.0.0.0/0.0.0.0
> > acl client-http dst 172.16.10.3
> >
> > http_access allow managers-src managers-dst
> > http_access allow operators-src operators-dst
> > http_access allow admins-src admins-dst
> > http_access allow servers-src servers-dst
> > http_access allow finance-src finance-dst
> > http_access allow clients client-http
> >
> > http_access deny all
> > http_reply_access deny all
>
> Whoa. You probably don't want to do this. http_reply_access controls
> what responses to your client's queries are allowed. Here you are
> rejecting all responses...

Was not sure about it so I tried both. Already fixed it, thanks. Unfortunately I don't have local access so I can only test during certain hours.

> > icp_access allow all
> >
> > visible_hostname gw0.example.com
> >
> > httpd_accel_host virtual
> > httpd_accel_port 80
> > httpd_accel_with_proxy on
> > httpd_accel_uses_host_header on
> > coredump_dir /var/squid/cache
>
> Chris

In the end do you see any reason why operators can get out but not servers?

T_admins = 172.16.10.15 172.16.10.21 172.16.10.25
T_admins-http = 0.0.0.0
T_finance = 172.16.10.146 172.16.10.76
T_finance-http = adobe.com amsouth.com anywho.com arin.net
T_managers = 172.16.10.81 172.16.10.34 172.16.10.78
T_managers-http = adobe.com amsouth.com anywho.com arin.net
T_operators = 172.16.10.105 172.16.10.107 172.16.10.112 172.16.10.114 172.16.10.115 172.16.10.116
T_operators-http = cordia.com targusinfo.com disney.go.com av-wireless.com
T_servers = 172.16.10.81 172.16.10.35 172.16.10.24 172.16.10.12
T_servers-http = microsoft.com av-wireless.com

-- 
Bobby
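Squid applies http_access lines top to bottom and stops at the first line whose ACLs all match, which is the point Chris makes about the `allow Safe_ports` line: any request on a Safe_port is accepted there, before the per-group lines are ever reached. The Python script below is an added example, not part of the thread, that simulates that first-match evaluation over the http_access lines and the T_* file contents quoted above, once as posted and once with the `allow Safe_ports` line removed. It assumes a simplified ACL model: `dst` entries that are not addresses are compared against the request hostname (Squid's real `dst` ACL resolves the name to addresses first), the `manager` ACL is modelled as a `proto` field on the request, `admins-dst dst all` is modelled as `0.0.0.0/0`, and the resolved destination addresses in the sample requests (203.0.113.0/24) are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    src: str             # client address
    host: str            # requested hostname
    dst_ip: str          # address the hostname resolves to (constructed in the samples)
    port: int = 80
    method: str = "GET"
    proto: str = "http"  # the "manager" ACL is modelled as proto == "cache_object"


# ACLs from the posted squid.conf and T_* files; "admins-dst dst all" is modelled
# as 0.0.0.0/0, and "all"/"clients" are both src 0.0.0.0/0.
ACLS = {
    "manager":       ("proto",  ["cache_object"]),
    "localhost":     ("src",    ["127.0.0.1/32"]),
    "to_localhost":  ("dst",    ["127.0.0.0/8"]),
    "SSL_ports":     ("port",   [443, 563]),
    "Safe_ports":    ("port",   [5203]),
    "CONNECT":       ("method", ["CONNECT"]),
    "all":           ("src",    ["0.0.0.0/0"]),
    "managers-src":  ("src",    ["172.16.10.81", "172.16.10.34", "172.16.10.78"]),
    "managers-dst":  ("dst",    ["adobe.com", "amsouth.com", "anywho.com", "arin.net"]),
    "operators-src": ("src",    ["172.16.10.105", "172.16.10.107", "172.16.10.112",
                                 "172.16.10.114", "172.16.10.115", "172.16.10.116"]),
    "operators-dst": ("dst",    ["cordia.com", "targusinfo.com", "disney.go.com", "av-wireless.com"]),
    "admins-src":    ("src",    ["172.16.10.15", "172.16.10.21", "172.16.10.25"]),
    "admins-dst":    ("dst",    ["0.0.0.0/0"]),
    "servers-src":   ("src",    ["172.16.10.81", "172.16.10.35", "172.16.10.24", "172.16.10.12"]),
    "servers-dst":   ("dst",    ["microsoft.com", "av-wireless.com"]),
    "finance-src":   ("src",    ["172.16.10.146", "172.16.10.76"]),
    "finance-dst":   ("dst",    ["adobe.com", "amsouth.com", "anywho.com", "arin.net"]),
    "clients":       ("src",    ["0.0.0.0/0"]),
    "client-http":   ("dst",    ["172.16.10.3"]),
}

# http_access lines in the order posted; a leading "!" negates the ACL.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["to_localhost"]),
    ("allow", ["Safe_ports"]),                      # the line Chris points at
    ("allow", ["managers-src", "managers-dst"]),
    ("allow", ["operators-src", "operators-dst"]),
    ("allow", ["admins-src", "admins-dst"]),
    ("allow", ["servers-src", "servers-dst"]),
    ("allow", ["finance-src", "finance-dst"]),
    ("allow", ["clients", "client-http"]),
    ("deny",  ["all"]),
]
# Same rules with the blanket "allow Safe_ports" line taken out.
WITHOUT_ALLOW_SAFE_PORTS = [r for r in HTTP_ACCESS if r != ("allow", ["Safe_ports"])]


def acl_matches(name, req):
    """True if one ACL matches the request."""
    kind, values = ACLS[name]
    if kind == "src":
        return any(ip_address(req.src) in ip_network(v, strict=False) for v in values)
    if kind == "dst":
        for v in values:
            try:
                if ip_address(req.dst_ip) in ip_network(v, strict=False):
                    return True
            except ValueError:
                # Not an address: compare as a domain name. Simplification: Squid's
                # "dst" ACL resolves the name and compares addresses instead.
                if req.host == v or req.host.endswith("." + v):
                    return True
        return False
    return getattr(req, kind) in values  # port, method, proto


def evaluate(req, rules=HTTP_ACCESS):
    """Walk the rules top to bottom and return (action, index) of the first line
    whose ACLs all match, which is how Squid applies http_access."""
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, i
    return "deny", None  # not reached here: the list ends with "deny all"


if __name__ == "__main__":
    # Constructed sample requests; 203.0.113.0/24 is a documentation address range.
    server = Request("172.16.10.35", "cordia.com", "203.0.113.10", port=5203)
    server_ok = Request("172.16.10.35", "microsoft.com", "203.0.113.20", port=5203)
    operator80 = Request("172.16.10.105", "cordia.com", "203.0.113.10", port=80)
    for label, req, rules in [
        ("server -> cordia.com, as posted", server, HTTP_ACCESS),
        ("server -> cordia.com, without allow Safe_ports", server, WITHOUT_ALLOW_SAFE_PORTS),
        ("server -> microsoft.com, without allow Safe_ports", server_ok, WITHOUT_ALLOW_SAFE_PORTS),
        ("operator -> cordia.com on port 80, as posted", operator80, HTTP_ACCESS),
    ]:
        action, idx = evaluate(req, rules)
        print(f"{label}: {action} (matched rule {idx})")
```

With the rules as posted, a server host asking for a site that is not in T_servers-http is still allowed at rule 5 (`allow Safe_ports`) because that line has no source restriction; with that line removed, the same request falls through every group line and is denied by the final `deny all`, while a request to a listed destination is allowed by the servers line. The script also shows the other effect of the posted `acl Safe_ports port 5203`: a request on port 80 is denied at rule 2 (`deny !Safe_ports`) before any group line is considered.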