espoire20 wrote:
Chris Robertson-2 wrote:
espoire20 wrote:
Matt Harrison-3 wrote:
espoire20 wrote:
have a small problem with squid in access list, I need to block an IP
address
of a machine does not connect to internet even if it has the address of
the
proxy and port in the Internet option is that it is possible ?
because I have some person who installs firefox mozzila he put the
address
of the proxy and the port it connects or it connects with a user of
another
person
i use this but not working :
acl user1 src 10.60.6.7
httpd_access deny user1
Try it with
http_access deny user1
HTH
Matt
excuse me i mean http not httpd but not working
I will explain you, I blocked internet for everyone ,if anyone wants
internet I add the proxy address and port in the explorer but I need
blocked
IP address not to access the internet even if it adds proxy ip and port
in
the explorer
what we can do ???
Share the rest of your config (preferably without comments and blank
lines), or read the FAQ on ACLs
(http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
allowing the traffic somewhere before the deny statement.
many thanks
Chris
this is my all acl that i have in my squid file :
# TAG: acl
acl ntlm proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl test src 10.60.6.7
# TAG: http_access
Which does the following *** IN THIS ORDER ***:
http_access allow ntlm
If person is logged in. They can do anything. absolutely anything.
If not logged in ... one of the following happens...
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Prevents people who have not logged in from doing unsafe stuff...
If not doing dangerous stuff one of the following happens...
http_access allow localnet
Allows anyone from the local network who has not logged in to do anything.
...
http_access allow localhost
Allows the local machine
...
http_access deny all
Denies all other access. The End.
http_access deny test
Never matches. "deny all" already caught last remaining requests which
were not logged in, came from local network, localhost, or doing
dangerous stuff.
To fix your problem:
move "deny test" to somewhere above the first "allow" line.
Also you need to:
* consider moving "allow ntlm" down below the security settings to
just above "allow localnet".
* consider whether the people on localnet ranges are truly allowed to
do anything anyway *** when login fails ***.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
Current Beta Squid 3.1.0.9
