Re: user problem

espoire20 wrote:


Chris Robertson-2 wrote:
espoire20 wrote:
Matt Harrison-3 wrote:
espoire20 wrote:
have a small problem with squid in access list, I need to block an IP address of a machine does not connect to internet even if it has the address of the proxy and port in the Internet option is that it is possible ?

because I have some person who installs firefox mozilla he put the address of the proxy and the port it connects or it connects with a user of another person

i use this but not working :

acl user1 src 10.60.6.7
httpd_access deny user1

Try it with

http_access deny user1

HTH

Matt

excuse me i mean http not httpd but not working
	
I will explain you, I blocked internet for everyone, if anyone wants internet I add the proxy address and port in the explorer but I need blocked IP address not to access the internet even if it adds proxy ip and port in the explorer

what we can do ???
Share the rest of your config (preferably without comments and blank lines), or read the FAQ on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely allowing the traffic somewhere before the deny statement.

many thanks
Chris




this is my all acl that i have in my squid file :


#  TAG: acl
acl ntlm proxy_auth REQUIRED


acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl test src 10.60.6.7

#  TAG: http_access

Which does the following *** IN THIS ORDER ***:


http_access allow ntlm

If person is logged in. They can do anything. absolutely anything.

If not logged in ... one of the following happens...


http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Prevents people who have not logged in from doing unsafe stuff...

If not doing dangerous stuff one of the following happens...

http_access allow localnet

Allows anyone from the local network who has not logged in to do anything.

...

http_access allow localhost

Allows the local machine

...
http_access deny all

Denies all other access. The End.

http_access deny test

Never matches. "deny all" already caught last remaining requests which were not logged in, came from local network, localhost, or doing dangerous stuff.



To fix your problem:
  move "deny test" to somewhere above the first "allow" line.


Also you need to:
* consider moving "allow ntlm" down below the security settings to just above "allow localnet".
* consider whether the people on localnet ranges are truly allowed to do anything anyway *** when login fails ***.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9
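
The ordering problem described in the reply above, as an added example that is not part of the original message or of Squid itself: a small Python model of first-match http_access evaluation over a reduced copy of the posted rules. It follows the walkthrough in the reply, treats login as a simple flag (an assumption; no authentication challenge is modelled), and the helper names are hypothetical.

```python
import ipaddress

def in_nets(src, nets):
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n) for n in nets)

# ACLs from the posted config, reduced to those that decide an ordinary
# HTTP request to port 80. A request is a constructed dict (assumption).
ACLS = {
    "ntlm": lambda r: r["authenticated"],  # acl ntlm proxy_auth REQUIRED
    "localnet": lambda r: in_nets(
        r["src"], ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "localhost": lambda r: in_nets(r["src"], ["127.0.0.1/32"]),
    "test": lambda r: in_nets(r["src"], ["10.60.6.7/32"]),
    "all": lambda r: True,
}

def evaluate(rules, request):
    """Return (action, line) for the first line whose ACLs all match."""
    for line in rules:
        action, *names = line.split()[1:]
        # A leading "!" negates the ACL; every ACL on the line must hold.
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action, line
    # No line matched: the default is the opposite of the last line's action.
    last = rules[-1].split()[1]
    return ("deny" if last == "allow" else "allow"), None

def unreachable(rules):
    """Lines placed after an unconditional 'all' line are never evaluated."""
    for i, line in enumerate(rules):
        if line.split()[2:] == ["all"]:
            return rules[i + 1:]
    return []

POSTED = [                      # order as posted (port/manager lines omitted)
    "http_access allow ntlm",
    "http_access allow localnet",
    "http_access allow localhost",
    "http_access deny all",
    "http_access deny test",
]
FIXED = ["http_access deny test"] + POSTED[:-1]   # deny above the first allow

if __name__ == "__main__":
    for auth in (True, False):
        req = {"src": "10.60.6.7", "authenticated": auth}
        print(auth, evaluate(POSTED, req), evaluate(FIXED, req))
    print("never reached:", unreachable(POSTED))
```
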
