Paul Houselander (SME) wrote:
Hi
Ive been using IP's in acl's to restrict access to squid, a redirector
(squidguard) and a parent proxy (virus scanning proxy)
This has been working fine and part of my squid.conf is below
# Everything ACL - goes via parent and squidguard
acl everything src "/etc/squid/acl/everything"
http_access allow everything
never_direct allow everything
redirector_access allow everything
# nothing ACL stops parent and redirector
acl nothing src "/etc/squid/acl/nothing"
http_access allow nothing
always_direct allow nothing
redirector_access deny nothing
# noparent ACL always direct stops it from forwarding to parent
acl novirus src "/etc/squid/acl/novirus"
http_access allow novirus
always_direct allow novirus
# nofilter ACL uses redirector access to stop requests going to the
redirector (squidguard)
acl nofilter src "/etc/squid/acl/nofilter"
http_access allow nofilter
redirector_access deny nofilter
http_access allow localhost
http_access deny all
This is fine for static IP's and does exactly what I want, i.e. put an IP in
/etc/squid/acl/everything and it gets filtered and forwarded to the parent,
put an address in /etc/squid/acl/nothing and it goes direct and bypasses the
redirector/squidguard.
I wanted to allow roaming users to use my squid so ive tried adding
authentication using the below. Aim was if I knew there IP it would be in
one of the acl files so no username/password prompt, if there IP was not in
the acl files it would pop up a username password - again I wanted control
based on username whether they should go via the parent/redirector or not
# testing authentication
acl nothing_auth proxy_auth "/etc/squid/acl/nothing_auth"
http_access allow nothing_auth
always_direct allow nothing_auth
redirector_access deny nothing_auth
acl everything_auth proxy_auth "/etc/squid/acl/everything_auth"
http_access allow everything_auth
never_direct allow everything_auth
redirector_access allow everything_auth
Which seemed to work but I noticed an IP I had in
"/etc/squid/acl/everything" which was going via the parent and redirector
started going direct? If I comment out all my proxy_auth lines and restart
squid all works again. Can you mix proxy_auth and IP based ACL's like this?
Other relevant bits of my squid.conf below
url_rewrite_program /usr/bin/squidguard
url_rewrite_children 10
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid.users
auth_param basic children 5
auth_param basic realm web filter
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
To answer your question: There should be no problem mixing several types
of ACL. It's just a matter of sequence.
However since I can't tell from your examples the exact order of ACL and
*_access permissions in your squid.conf I can't offer any help as to
what the problem is.
Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
