Amos Jeffries-2 wrote:
>
> espoire20 wrote:
>>
>> Chris Robertson-2 wrote:
>>> espoire20 wrote:
>>>> Matt Harrison-3 wrote:
>>>>
>>>>> espoire20 wrote:
>>>>>
>>>>>> have a small problem with squid in access list, I need to block an IP
>>>>>> address of a machine does not connect to internet even if it has the
>>>>>> address of the proxy and port in the Internet option is that it is
>>>>>> possible?
>>>>>>
>>>>>> because I have some person who installs Firefox Mozilla he put the
>>>>>> address of the proxy and the port it connects or it connects with a
>>>>>> user of another person
>>>>>>
>>>>>> I use this but not working:
>>>>>>
>>>>>> acl user1 src 10.60.6.7
>>>>>> httpd_access deny user1
>>>>>>
>>>>> Try it with
>>>>>
>>>>> http_access deny user1
>>>>>
>>>>> HTH
>>>>>
>>>>> Matt
>>>>>
>>>> Excuse me, I mean http not httpd but not working
>>>>
>>>> I will explain you, I blocked internet for everyone, if anyone wants
>>>> internet I add the proxy address and port in the explorer but I need
>>>> blocked IP address not to access the internet even if it adds proxy ip
>>>> and port in the explorer
>>>>
>>>> what we can do ???
>>>>
>>> Share the rest of your config (preferably without comments and blank
>>> lines), or read the FAQ on ACLs
>>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>>> allowing the traffic somewhere before the deny statement.
>>>
>>>> many thanks
>>>>
>>> Chris
>>>
>>
>> this is my all acl that I have in my squid file:
>>
>> # TAG: acl
>> acl ntlm proxy_auth REQUIRED
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>>
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> #
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>> acl test src 10.60.6.7
>>
>> # TAG: http_access
>
> Which does the following *** IN THIS ORDER ***:
>
>> http_access allow ntlm
>
> If person is logged in. They can do anything. Absolutely anything.
>
> If not logged in ... one of the following happens...
>
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>
> Prevents people who have not logged in from doing unsafe stuff...
>
> If not doing dangerous stuff one of the following happens...
>
>> http_access allow localnet
>
> Allows anyone from the local network who has not logged in to do anything.
>
> ...
>
>> http_access allow localhost
>
> Allows the local machine
>
> ...
>> http_access deny all
>
> Denies all other access. The End.
>
>> http_access deny test
>
> Never matches. "deny all" already caught last remaining requests which
> were not logged in, came from local network, localhost, or doing
> dangerous stuff.
>
>
> To fix your problem:
>   move "deny test" to somewhere above the first "allow" line.
>
>
> Also you need to:
>  * consider moving "allow ntlm" down below the security settings to
>    just above "allow localnet".
>  * consider whether the people on localnet ranges are truly allowed to
>    do anything anyway *** when login fails ***.
>
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>   Current Beta Squid 3.1.0.9
>

Thank you Amos

I made: http_access deny test after http_access allow ntlm

but not working, when they put the address proxy of the end of browser they can connect

many thanks

--
View this message in context: http://www.nabble.com/user-problem-tp24458799p24514644.html
Sent from the Squid - Users mailing list archive at Nabble.com.
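
The ordering point discussed in this thread, as an added example that is not part of any post and is not Squid code: a simplified Python model of first-match http_access evaluation over the ACL names and rule lines from the posted config (the `http_access` prefix is dropped). It assumes the `ntlm` ACL can be treated as a logged-in flag, as the quoted reply reads it; the authentication challenge itself is not modeled, and the `logged_in` field, the list names and the two requests are constructed for illustration.

```python
import ipaddress

def src(*nets):
    """Build a 'src' ACL matcher for one or more networks."""
    nets = [ipaddress.ip_network(n) for n in nets]
    return lambda r: any(ipaddress.ip_address(r["src"]) in n for n in nets)

SAFE = {80, 21, 443, 70, 210, 280, 488, 591, 777}
ACLS = {  # same ACL names as the posted config
    "ntlm": lambda r: r["logged_in"],  # assumption: boolean stand-in for proxy_auth
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": src("127.0.0.1/32"),
    "localnet": src("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "SSL_ports": lambda r: r["port"] == 443,
    "Safe_ports": lambda r: r["port"] in SAFE or 1025 <= r["port"] <= 65535,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "test": src("10.60.6.7"),
    "all": lambda r: True,
}

def decide(rules, req):
    """Return (action, line) for the first http_access line whose ACLs all match."""
    for line in rules:
        action, *names = line.split()
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1].startswith("allow") else "allow"), None

SECURITY = ["allow manager localhost", "deny manager",
            "deny !Safe_ports", "deny CONNECT !SSL_ports"]
TAIL = ["allow localnet", "allow localhost", "deny all"]
AS_POSTED = ["allow ntlm", *SECURITY, *TAIL, "deny test"]  # config as posted
AFTER_NTLM = ["allow ntlm", "deny test", *SECURITY, *TAIL]  # the last attempt
SUGGESTED = ["deny test", *SECURITY, "allow ntlm", *TAIL]   # deny above every allow

# Constructed requests from the host to be blocked, with and without a login.
BASE = {"src": "10.60.6.7", "proto": "http", "port": 80, "method": "GET"}
LOGGED_IN = {**BASE, "logged_in": True}
ANONYMOUS = {**BASE, "logged_in": False}

if __name__ == "__main__":
    for name in ("AS_POSTED", "AFTER_NTLM", "SUGGESTED"):
        for label, req in (("logged in", LOGGED_IN), ("anonymous", ANONYMOUS)):
            action, line = decide(globals()[name], req)
            print(f"{name:10} {label:9} -> {action:5} by '{line}'")
```

In this model, placing "deny test" after "allow ntlm" still admits a logged-in request from 10.60.6.7, because "allow ntlm" matches first; only the ordering with "deny test" above every allow line denies both requests.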