Amos Jeffries-2 wrote:
>
> espoire20 wrote:
>>
>>
>> Amos Jeffries-2 wrote:
>>> espoire20 wrote:
>>>>
>>>> Chris Robertson-2 wrote:
>>>>> espoire20 wrote:
>>>>>> Matt Harrison-3 wrote:
>>>>>>
>>>>>>> espoire20 wrote:
>>>>>>>
>>>>>>>> I have a small problem with squid in access list, I need to block an IP address
>>>>>>>> of a machine does not connect to internet even if it has the address of the
>>>>>>>> proxy and port in the Internet option is that it is possible ?
>>>>>>>>
>>>>>>>>
>>>>>>>> because I have some person who installs Firefox Mozilla he put the address
>>>>>>>> of the proxy and the port it connects or it connects with a user of another
>>>>>>>> person
>>>>>>>>
>>>>>>>> I use this but not working :
>>>>>>>>
>>>>>>>> acl user1 src 10.60.6.7
>>>>>>>> httpd_access deny user1
>>>>>>>>
>>>>>>> Try it with
>>>>>>>
>>>>>>> http_access deny user1
>>>>>>>
>>>>>>> HTH
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>>
>>>>>> Excuse me, I mean http not httpd but not working
>>>>>>
>>>>>> I will explain you, I blocked internet for everyone, if anyone wants
>>>>>> internet I add the proxy address and port in the explorer but I need blocked
>>>>>> IP address not to access the internet even if it adds proxy ip and port in
>>>>>> the explorer
>>>>>>
>>>>>> what we can do ???
>>>>>>
>>>>> Share the rest of your config (preferably without comments and blank
>>>>> lines), or read the FAQ on ACLs
>>>>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>>>>> allowing the traffic somewhere before the deny statement.
>>>>>
>>>>>> many thanks
>>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>>
>>>> this is my all acl that I have in my squid file :
>>>>
>>>>
>>>> # TAG: acl
>>>> acl ntlm proxy_auth REQUIRED
>>>>
>>>>
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/32
>>>> acl to_localhost dst 127.0.0.0/8
>>>>
>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>> #
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>> acl test src 10.60.6.7
>>>>
>>>> # TAG: http_access
>>> Which does the following *** IN THIS ORDER ***:
>>>
>>>
>>>> http_access allow ntlm
>>> If person is logged in. They can do anything. absolutely anything.
>>>
>>> If not logged in ... one of the following happens...
>>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>> Prevents people who have not logged in from doing unsafe stuff...
>>>
>>> If not doing dangerous stuff one of the following happens...
>>>
>>>> http_access allow localnet
>>> Allows anyone from the local network who has not logged in to do
>>> anything.
>>>
>>> ...
>>>
>>>> http_access allow localhost
>>> Allows the local machine
>>>
>>> ...
>>>> http_access deny all
>>> Denies all other access. The End.
>>>
>>>> http_access deny test
>>> Never matches. "deny all" already caught last remaining requests which
>>> were not logged in, came from local network, localhost, or doing
>>> dangerous stuff.
>>>
>>>
>>>
>>> To fix your problem:
>>> move "deny test" to somewhere above the first "allow" line.
>>>
>>>
>>> Also you need to:
>>> * consider moving "allow ntlm" down below the security settings to
>>> just above "allow localnet".
>>> * consider whether the people on localnet ranges are truly allowed to
>>> do anything anyway *** when login fails ***.
>>>
>>>
>>> Amos
>>
>> thank you Amos
>>
>> I made : http_access deny test after http_access allow ntlm but not
>> working
>
> ^^^^^
>
> I said "before" first allow. You placed it "after" first allow.
>
> NTLM auth is silent and usually happens without users doing anything
> ("single sign-on"). The browser can be expected to authenticate them.
>
>
>> when they put the address proxy of the end of browser they can connect
>
> Sorry, I do not understand the sentence above. ?
>
> When they put the address where?
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>   Current Beta Squid 3.1.0.9
>
>

Hi

I mean in the Internet Options ---> Connections ---> Local Area Network they add the address of the proxy, after that they can connect.

But now I blocked the IP address, I placed it "before" first allow like you said. I think it's working.

Can I ask another question ?

Many thanks for your help

--
View this message in context: http://www.nabble.com/user-problem-tp24458799p24565961.html
Sent from the Squid - Users mailing list archive at Nabble.com.