paul cooper wrote:
4 users, 1 machine, with squid running and a GUI. I'm having problems getting the time-based ACLs sorted. To test it I've added a Sat/Sun ACL which should allow access between 08:00 and 10:00.
Your time ACL appears to be working. It's your usage of http_access that's screwing things up. Check the lines saying "request ALLOWED because it matched".
Config 1
hepworth emma # cat /etc/squid/squid.conf |grep ^acl
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl weekends time SA 08:00-10:00
acl beforeschool time MTWHF 07:30-09:00
acl afterschool time MTWHF 16:00-20:00
hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow emma weekends
- fails on first test sequence - allow request on second sequence
http_access allow Safe_ports
- allow request on first sequence - never reached on second
http_access allow andrew
- never reached
http_access deny localhost
- never reached
http_access deny all
- never reached.
It asks me for a login (emma) and then gives access.
<snip>
2008/03/23 16:05:44| The request GET http://grolma.no-ip.org/ is DENIED, because it matched 'emma'
... bounce for login. <snip>
2008/03/23 16:05:50| The request GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'Safe_ports'
... bingo!
So I negate the time, and it still gives me access:
hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow emma !weekends
http_access allow Safe_ports
http_access allow andrew
http_access deny localhost
http_access deny all
hepworth emma #
<snip>
2008/03/23 16:10:41| The request GET http://grolma.no-ip.org/ is DENIED, because it matched 'emma'
... bounce for login again. <snip>
2008/03/23 16:10:47| The request GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'weekends'
... boing! <snip>
So I try denying emma and it gives me access without asking for a username:
hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow Safe_ports
- accepts all port 80 requests.
http_access allow andrew
- never reached
http_access deny localhost
- never reached
http_access deny emma
- never reached
http_access deny all
- never reached
hepworth emma #
<snip>
2008/03/23 16:14:32| The request GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'Safe_ports'
... bingo! On the first line. <snip>
I think it's giving me access from localhost. I've commented out all the default localhost configs and added http_access deny localhost, but it's not stopping it. How do I configure this?
Drop the global access to Safe_ports. And I do mean GLOBAL. You have an open proxy on your hands.
It's best to use:
http_access deny !Safe_ports
to only use Safe_ports for blocking unsafe port usage.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
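To see why the posted http_access order produces exactly the log lines above, and why the `deny !Safe_ports` ordering closes the hole, here is a small Python model of Squid's first-match rule evaluation. It is an added example, not Squid's own code, and it simplifies things: the Safe_ports list is abbreviated, the client address is constructed, and proxy_auth is modelled as a 407 challenge whenever a request carries no credentials.

```python
from datetime import datetime
# Simplified model of Squid's http_access evaluation (added here, not Squid
# code): lines run top to bottom, ACL terms on one line are ANDed, the first
# fully matching line decides, and if nothing matches the opposite of the last
# line applies. A proxy_auth term seen without credentials yields a 407
# challenge, which Squid logs as DENIED on that ACL; the browser then retries.
SQUID_DAYS = "MTWHFAS"  # Squid day letters indexed by datetime.weekday()

def acl_matches(acl, req):
    kind, args = acl
    if kind == "src":
        return args == "all" or req["src"] == args
    if kind == "port":
        return req["port"] in args
    if kind == "time":  # args: (day letters, start minute, end minute)
        days, start, end = args
        t = req["when"]
        return SQUID_DAYS[t.weekday()] in days and start <= t.hour * 60 + t.minute < end
    if kind == "proxy_auth":  # REQUIRED matches any authenticated user
        if req.get("user") is None:
            return "challenge"
        return args == ["REQUIRED"] or req["user"] in args

def http_access(rules, acls, req):
    """Return (decision, acl) as Squid's 'because it matched' log reports it."""
    for action, names in rules:
        for name in names:
            result = acl_matches(acls[name.lstrip("!")], req)
            if result == "challenge":
                return "DENIED", name
            if result == name.startswith("!"):  # this term fails the line
                break
        else:
            return ("ALLOWED" if action == "allow" else "DENIED"), names[-1].lstrip("!")
    return ("DENIED" if rules[-1][0] == "allow" else "ALLOWED"), "default"

# ACLs from the posted squid.conf (Safe_ports abbreviated). emma and andrew are
# both proxy_auth REQUIRED, which matches any authenticated user, so one suffices.
ACLS = {
    "all": ("src", "all"),
    "Safe_ports": ("port", {21, 22, 70, 80, 443} | set(range(1025, 65536))),
    "emma": ("proxy_auth", ["REQUIRED"]),
    "weekends": ("time", ("SA", 8 * 60, 10 * 60)),
}
POSTED = [("allow", ["emma", "weekends"]), ("allow", ["Safe_ports"]),
          ("deny", ["all"])]  # the global "allow Safe_ports" is an open proxy
FIXED = [("deny", ["!Safe_ports"]), ("allow", ["emma", "weekends"]),
         ("deny", ["all"])]  # Amos's advice: block bad ports, no global allow
def request(port=80, user=None, when=datetime(2008, 3, 23, 16, 5)):
    return {"src": "192.0.2.10", "port": port, "user": user, "when": when}
```

With the default request time (the Sunday afternoon from the log), `POSTED` first challenges on `emma` and then allows the retry via `Safe_ports`, while `FIXED` denies the same retry via `all` and only allows it on a Saturday morning inside the `weekends` window.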