Re: user problem

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

espoire20 wrote:
> Amos Jeffries-2 wrote:
> > espoire20 wrote:
> > > Amos Jeffries-2 wrote:
> > > > espoire20 wrote:
> > > > > Chris Robertson-2 wrote:
> > > > > > espoire20 wrote:
> > > > > > > Matt Harrison-3 wrote:
> > > > > > >   
> > > > > > > > espoire20 wrote:
> > > > > > > >     
> > > > > > > > > have a small problem with squid in access list, I need to block an
> > > > > > > > > IP
> > > > > > > > > address
> > > > > > > > > of a machine does not connect to internet even if it has the
> > > > > > > > > address
> > > > > > > > > of
> > > > > > > > > the
> > > > > > > > > proxy and port in the Internet option is that it is possible ? 
> > > > > > > > >  
> > > > > > > > >  
> > > > > > > > > because I have some person who installs firefox mozzila he put the
> > > > > > > > > address
> > > > > > > > > of the proxy and the port it connects or it connects with a user of
> > > > > > > > > another
> > > > > > > > > person 
> > > > > > > > >  
> > > > > > > > > i use this but not working : 
> > > > > > > > >  
> > > > > > > > > acl user1 src 10.60.6.7 
> > > > > > > > > httpd_access deny user1 
> > > > > > > > >       
> > > > > > > > Try it with
> > > > > > > >
> > > > > > > > http_access deny user1
> > > > > > > >
> > > > > > > > HTH
> > > > > > > >
> > > > > > > > Matt
> > > > > > > >
> > > > > > > >     
> > > > > > > excuse me i mean http not httpd but not working
> > > > > > > 	
> > > > > > > I will explain you, I blocked internet for everyone ,if anyone wants
> > > > > > > internet I add the proxy address and port in the explorer but I need
> > > > > > > blocked
> > > > > > > IP address not to access the internet even if it adds proxy ip and
> > > > > > > port
> > > > > > > in
> > > > > > > the explorer
> > > > > > >
> > > > > > > what we can do ??? 
> > > > > > >   
> > > > > > Share the rest of your config (preferably without comments and blank 
> > > > > > lines), or read the FAQ on ACLs 
> > > > > > (http://wiki.squid-cache.org/SquidFaq/SquidAcl).  You are likely 
> > > > > > allowing the traffic somewhere before the deny statement.
> > > > > >
> > > > > > > many thanks 
> > > > > > >   
> > > > > > Chris
> > > > > this is my all acl that i have in my squid file :
> > > > >
> > > > >
> > > > > #  TAG: acl
> > > > > acl ntlm proxy_auth REQUIRED
> > > > >
> > > > >
> > > > > acl manager proto cache_object
> > > > > acl localhost src 127.0.0.1/32
> > > > > acl to_localhost dst 127.0.0.0/8
> > > > >
> > > > > acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> > > > > acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> > > > > acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> > > > > #
> > > > > acl SSL_ports port 443
> > > > > acl Safe_ports port 80 # http
> > > > > acl Safe_ports port 21 # ftp
> > > > > acl Safe_ports port 443 # https
> > > > > acl Safe_ports port 70 # gopher
> > > > > acl Safe_ports port 210 # wais
> > > > > acl Safe_ports port 1025-65535 # unregistered ports
> > > > > acl Safe_ports port 280 # http-mgmt
> > > > > acl Safe_ports port 488 # gss-http
> > > > > acl Safe_ports port 591 # filemaker
> > > > > acl Safe_ports port 777 # multiling http
> > > > > acl CONNECT method CONNECT
> > > > > acl test src 10.60.6.7
> > > > >
> > > > > #  TAG: http_access
> > > > Which does the following *** IN THIS ORDER ***:
> > > >
> > > >
> > > > > http_access allow ntlm
> > > > If person is logged in. They can do anything. absolutely anything.
> > > >
> > > > If not logged in ... one of the following happens...
> > > >
> > > > > http_access allow manager localhost
> > > > > http_access deny manager
> > > > > http_access deny !Safe_ports
> > > > > http_access deny CONNECT !SSL_ports
> > > > Prevents people who have not logged in from doing unsafe stuff...
> > > >
> > > > If not doing dangerous stuff one of the following happens...
> > > >
> > > > > http_access allow localnet
> > > > Allows anyone from the local network who has not logged in to do
> > > > anything.
> > > >
> > > > ...
> > > >
> > > > > http_access allow localhost
> > > > Allows the local machine
> > > >
> > > > ...
> > > > > http_access deny all
> > > > Denies all other access. The End.
> > > >
> > > > > http_access deny test
> > > > Never matches. "deny all" already caught last remaining requests which 
> > > > were not logged in, came from local network, localhost, or doing 
> > > > dangerous stuff.
> > > >
> > > >
> > > >
> > > > To fix your problem:
> > > >    move "deny test" to somewhere above the first "allow" line.
> > > >
> > > >
> > > > Also you need to:
> > > >    * consider moving "allow ntlm" down below the security settings to 
> > > > just above "allow localnet".
> > > >   * consider whether the people on localnet ranges are truly allowed to 
> > > > do anything anyway *** when login fails ***.
> > > >
> > > >
> > > > Amos
> > > thank you Amos
> > >
> > > i made :http_access deny test after http_access allow ntlm but not
> > > working
> >                                  ^^^^^
> >
> > I said "before" first allow.  You placed it "after" first allow.
> >
> > NTLM auth is silent and usually happens without users doing anything 
> > ("single sign-on"). The browser can be expected to authenticate them.
> >
> >
> > > whene they put the addresse proxy of the end of browser they can connect 
> > Sorry, I do not understand the sentence above. ?
> >
> > When they put the address where?
> >
> > Amos
> > --
> > Please be using
> >    Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
> >    Current Beta Squid 3.1.0.9
>
> Hi
> i mean in the internt options ---> Connections ------->Local Area Network 
> they add the adresse of Proxy after they can connect 
>
> but now i blocked the ip adresse i placed before" first allow like you said
> i think it s working 
>
> can i ask anthor question ?

Always, and as always you may or may not get an answer. ;)


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.10 or 3.1.0.11