espoire20 wrote:
>
> Amos Jeffries-2 wrote:
>>
>> espoire20 wrote:
>>>
>>> Amos Jeffries-2 wrote:
>>>> espoire20 wrote:
>>>>>
>>>>> Chris Robertson-2 wrote:
>>>>>> espoire20 wrote:
>>>>>>> Matt Harrison-3 wrote:
>>>>>>>
>>>>>>>> espoire20 wrote:
>>>>>>>>
>>>>>>>>> I have a small problem with squid in access list, I need to block an
>>>>>>>>> IP address of a machine so it does not connect to internet even if it
>>>>>>>>> has the address of the proxy and port in the Internet option. Is that
>>>>>>>>> possible?
>>>>>>>>>
>>>>>>>>> because I have some person who installs Firefox Mozilla, he puts the
>>>>>>>>> address of the proxy and the port and it connects, or it connects with
>>>>>>>>> a user of another person
>>>>>>>>>
>>>>>>>>> I use this but it is not working:
>>>>>>>>>
>>>>>>>>> acl user1 src 10.60.6.7
>>>>>>>>> httpd_access deny user1
>>>>>>>>>
>>>>>>>> Try it with
>>>>>>>>
>>>>>>>> http_access deny user1
>>>>>>>>
>>>>>>>> HTH
>>>>>>>>
>>>>>>>> Matt
>>>>>>>>
>>>>>>> excuse me, I mean http not httpd, but not working
>>>>>>>
>>>>>>> I will explain to you: I blocked internet for everyone, if anyone wants
>>>>>>> internet I add the proxy address and port in the explorer, but I need
>>>>>>> a blocked IP address not to access the internet even if it adds proxy
>>>>>>> IP and port in the explorer
>>>>>>>
>>>>>>> what can we do ???
>>>>>>>
>>>>>> Share the rest of your config (preferably without comments and blank
>>>>>> lines), or read the FAQ on ACLs
>>>>>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>>>>>> allowing the traffic somewhere before the deny statement.
>>>>>>
>>>>>>> many thanks
>>>>>>>
>>>>>> Chris
>>>>>>
>>>>> this is my all acl that I have in my squid file:
>>>>>
>>>>> # TAG: acl
>>>>> acl ntlm proxy_auth REQUIRED
>>>>>
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/32
>>>>> acl to_localhost dst 127.0.0.0/8
>>>>>
>>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>> #
>>>>> acl SSL_ports port 443
>>>>> acl Safe_ports port 80 # http
>>>>> acl Safe_ports port 21 # ftp
>>>>> acl Safe_ports port 443 # https
>>>>> acl Safe_ports port 70 # gopher
>>>>> acl Safe_ports port 210 # wais
>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>> acl Safe_ports port 280 # http-mgmt
>>>>> acl Safe_ports port 488 # gss-http
>>>>> acl Safe_ports port 591 # filemaker
>>>>> acl Safe_ports port 777 # multiling http
>>>>> acl CONNECT method CONNECT
>>>>> acl test src 10.60.6.7
>>>>>
>>>>> # TAG: http_access
>>>> Which does the following *** IN THIS ORDER ***:
>>>>
>>>>> http_access allow ntlm
>>>> If person is logged in. They can do anything. absolutely anything.
>>>>
>>>> If not logged in ... one of the following happens...
>>>>
>>>>> http_access allow manager localhost
>>>>> http_access deny manager
>>>>> http_access deny !Safe_ports
>>>>> http_access deny CONNECT !SSL_ports
>>>> Prevents people who have not logged in from doing unsafe stuff...
>>>>
>>>> If not doing dangerous stuff one of the following happens...
>>>>
>>>>> http_access allow localnet
>>>> Allows anyone from the local network who has not logged in to do
>>>> anything.
>>>>
>>>> ...
>>>>
>>>>> http_access allow localhost
>>>> Allows the local machine
>>>>
>>>> ...
>>>>> http_access deny all
>>>> Denies all other access. The End.
>>>>
>>>>> http_access deny test
>>>> Never matches.
>>>> "deny all" already caught last remaining requests which
>>>> were not logged in, came from local network, localhost, or doing
>>>> dangerous stuff.
>>>>
>>>> To fix your problem:
>>>> move "deny test" to somewhere above the first "allow" line.
>>>>
>>>> Also you need to:
>>>> * consider moving "allow ntlm" down below the security settings to
>>>> just above "allow localnet".
>>>> * consider whether the people on localnet ranges are truly allowed to
>>>> do anything anyway *** when login fails ***.
>>>>
>>>> Amos
>>>
>>> thank you Amos
>>>
>>> I made: http_access deny test after http_access allow ntlm but not
>>> working
>>
>> ^^^^^
>>
>> I said "before" first allow. You placed it "after" first allow.
>>
>> NTLM auth is silent and usually happens without users doing anything
>> ("single sign-on"). The browser can be expected to authenticate them.
>>
>>> when they put the address proxy of the end of browser they can connect
>>
>> Sorry, I do not understand the sentence above. ?
>>
>> When they put the address where?
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>> Current Beta Squid 3.1.0.9
>
> Hi
> I mean in the Internet options ---> Connections -------> Local Area Network
> they add the address of Proxy, after that they can connect
>
> but now I blocked the IP address, I placed it "before" first allow like you
> said, I think it's working
>
> can I ask another question ?
>
> many thanks for your help
>
it's possible to block user to connect to internet in squid but this user is in the active directory because I use the same user for the active directory in the squid, you know how can I do ????

--
View this message in context: http://www.nabble.com/user-problem-tp24458799p24569237.html
Sent from the Squid - Users mailing list archive at Nabble.com.
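
Added example, not part of the original thread and not Squid's own code: a small Python model of the first-match rule Amos describes, run over the posted http_access lines in their original order and in the order he recommends. The request dictionaries are constructed samples, and the model treats the ntlm ACL as a plain "credentials present" check, which is a simplifying assumption.

```python
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

SAFE = {80, 21, 443, 70, 210, 280, 488, 591, 777}
LOCAL = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# ACLs from the posted config, modelled as predicates over a request dict.
# Assumption: "ntlm" only asks whether credentials are present; the
# authentication challenge exchange is not modelled.
ACLS = {
    "ntlm": lambda r: r["user"] is not None,
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: in_net(r["src"], "127.0.0.1/32"),
    "localnet": lambda r: any(in_net(r["src"], n) for n in LOCAL),
    "Safe_ports": lambda r: r["port"] in SAFE or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "test": lambda r: in_net(r["src"], "10.60.6.7/32"),
    "all": lambda r: True,
}
SAFETY = ("http_access allow manager localhost\n"
          "http_access deny manager\n"
          "http_access deny !Safe_ports\n"
          "http_access deny CONNECT !SSL_ports\n")
TAIL = ("http_access allow localnet\n"
        "http_access allow localhost\n"
        "http_access deny all\n")
# Order as posted: "deny test" sits after "deny all".
ORIGINAL = "http_access allow ntlm\n" + SAFETY + TAIL + "http_access deny test\n"
# Order after Amos's advice: deny first, "allow ntlm" below the safety rules.
FIXED = "http_access deny test\n" + SAFETY + "http_access allow ntlm\n" + TAIL

def decide(rules, req):
    """Return (action, line) for the first line whose ACLs all match."""
    for line in rules.strip().splitlines():
        _, action, *names = line.split()
        # A leading "!" inverts the ACL; every ACL on the line must hold.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    raise LookupError("no line matched")  # not reached: both lists contain "deny all"

# Constructed sample requests (hypothetical user name, not taken from the thread).
blocked_pc = {"src": "10.60.6.7", "user": "someuser", "port": 80,
              "method": "GET", "proto": "http"}
other_pc = dict(blocked_pc, src="10.60.6.8")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for req in (blocked_pc, other_pc):
            print(name, req["src"], *decide(rules, req))
```

In the original order the request from 10.60.6.7 is decided by "allow ntlm" (or by "allow localnet" when it carries no credentials), so "deny test" is never consulted; in the corrected order it is the first line evaluated.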