Regards
Mark Barlow

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: 14 June 2007 13:59
To: Bobby
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Hole in my thinking - still

Bobby wrote:
> On Monday 11 June 2007 18:23:58 Henrik Nordstrom wrote:
>> On Mon 2007-06-11 at 17:12 -0400, Bobby wrote:
>>> Hi,
>>>
>>> This is not resolving. Rather than debugging my setup please tell me how
>>> you would configure it.
>>>
>>> What I'm looking at is how do I specify different machines to be able to
>>> access only certain websites?
>>>
>>> Let's say,
>>> 172.16.10.16-31 are managers who can go anywhere and
>>> 172.16.10.96-254 are operators with limited access like only to
>>> .google.com and .paypal.com.
>> # Allow managers unrestricted access
>> acl managers src ...
>> http_access allow managers
>>
>> # Allow operators access to a restricted set of sites
>> acl operators src ...
>> acl operator_sites dstdomain .google.com .paypal.com
>> http_access allow operators operator_sites
>>
>> # And deny all other access
>> http_access deny all
>
> Those three dots should mean the IPs, right?
> Then not having anything after allow managers means "all"?
>

um, um, no,no,.... ....
I think I finally see what's in your head.
You are thinking there are implicit defaults involved in each rule, right?

Let's see if this makes things any clearer for you:

http_access allow a
  => IF a is true -> allow

http_access allow b c
  => IF b is true AND c is true -> allow

http_access deny d e
  => IF d is true -> deny

Each acl is done in a very similar way to see 'if it's true'

acl src b
  => IS message is coming from IP b ? true/false

acl dst c
  => IS message is going to IP c ? true/false

etc. etc.

Amos

#This line acl all sets up your all ACL of any IP address.
#It is included in squid.conf by default.
acl all src 0.0.0.0/0.0.0.0

#This line specifies your managers group of IP addresses
acl managers src 172.16.10.16-172.16.10.31

#This line specifies your operator IP addresses
acl operators src 172.16.10.96-172.16.10.254

#This line specifies your allowed sites for operators
acl operator-sites dstdomain .google.com .paypal.com

#This line lets requests from your managers IP addresses (Specified above) out.
#All other IP addresses will progress to the next rule
http_access allow managers

#This line allows out requests from your operator IP addresses (Specified Above)
#only to the sites listed above. If not on the list will progress to next line
http_access allow operators operator-sites

#This is a very important line which I believe is in squid.conf by default.
#If none of the other access rules have been met, it denies the request.
http_access deny all

Mark.