espoire20 wrote:
>
> espoire20 wrote:
>>
>> Amos Jeffries-2 wrote:
>>>
>>> espoire20 wrote:
>>>>
>>>> Amos Jeffries-2 wrote:
>>>>> espoire20 wrote:
>>>>>>
>>>>>> Chris Robertson-2 wrote:
>>>>>>> espoire20 wrote:
>>>>>>>> Matt Harrison-3 wrote:
>>>>>>>>
>>>>>>>>> espoire20 wrote:
>>>>>>>>>
>>>>>>>>>> have a small problem with squid in access list, I need to block an IP address
>>>>>>>>>> of a machine does not connect to internet even if it has the address of the
>>>>>>>>>> proxy and port in the Internet option is that it is possible ?
>>>>>>>>>>
>>>>>>>>>> because I have some person who installs Firefox Mozilla he put the address
>>>>>>>>>> of the proxy and the port it connects or it connects with a user of another
>>>>>>>>>> person
>>>>>>>>>>
>>>>>>>>>> I use this but not working :
>>>>>>>>>>
>>>>>>>>>> acl user1 src 10.60.6.7
>>>>>>>>>> httpd_access deny user1
>>>>>>>>>>
>>>>>>>>> Try it with
>>>>>>>>>
>>>>>>>>> http_access deny user1
>>>>>>>>>
>>>>>>>>> HTH
>>>>>>>>>
>>>>>>>>> Matt
>>>>>>>>>
>>>>>>>> excuse me I mean http not httpd but not working
>>>>>>>>
>>>>>>>> I will explain you, I blocked internet for everyone, if anyone wants
>>>>>>>> internet I add the proxy address and port in the explorer but I need
>>>>>>>> blocked IP address not to access the internet even if it adds proxy ip
>>>>>>>> and port in the explorer
>>>>>>>>
>>>>>>>> what we can do ???
>>>>>>>>
>>>>>>> Share the rest of your config (preferably without comments and blank
>>>>>>> lines), or read the FAQ on ACLs
>>>>>>> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). You are likely
>>>>>>> allowing the traffic somewhere before the deny statement.
>>>>>>>
>>>>>>>> many thanks
>>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>> this is my all acl that I have in my squid file :
>>>>>>
>>>>>> # TAG: acl
>>>>>> acl ntlm proxy_auth REQUIRED
>>>>>>
>>>>>> acl manager proto cache_object
>>>>>> acl localhost src 127.0.0.1/32
>>>>>> acl to_localhost dst 127.0.0.0/8
>>>>>>
>>>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>>> #
>>>>>> acl SSL_ports port 443
>>>>>> acl Safe_ports port 80 # http
>>>>>> acl Safe_ports port 21 # ftp
>>>>>> acl Safe_ports port 443 # https
>>>>>> acl Safe_ports port 70 # gopher
>>>>>> acl Safe_ports port 210 # wais
>>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>>> acl Safe_ports port 280 # http-mgmt
>>>>>> acl Safe_ports port 488 # gss-http
>>>>>> acl Safe_ports port 591 # filemaker
>>>>>> acl Safe_ports port 777 # multiling http
>>>>>> acl CONNECT method CONNECT
>>>>>> acl test src 10.60.6.7
>>>>>>
>>>>>> # TAG: http_access
>>>>> Which does the following *** IN THIS ORDER ***:
>>>>>
>>>>>> http_access allow ntlm
>>>>> If person is logged in. They can do anything. Absolutely anything.
>>>>>
>>>>> If not logged in ... one of the following happens...
>>>>>
>>>>>> http_access allow manager localhost
>>>>>> http_access deny manager
>>>>>> http_access deny !Safe_ports
>>>>>> http_access deny CONNECT !SSL_ports
>>>>> Prevents people who have not logged in from doing unsafe stuff...
>>>>>
>>>>> If not doing dangerous stuff one of the following happens...
>>>>>
>>>>>> http_access allow localnet
>>>>> Allows anyone from the local network who has not logged in to do
>>>>> anything.
>>>>>
>>>>> ...
>>>>>
>>>>>> http_access allow localhost
>>>>> Allows the local machine
>>>>>
>>>>> ...
>>>>>> http_access deny all
>>>>> Denies all other access. The End.
>>>>>
>>>>>> http_access deny test
>>>>> Never matches. "deny all" already caught last remaining requests which
>>>>> were not logged in, came from local network, localhost, or doing
>>>>> dangerous stuff.
>>>>>
>>>>> To fix your problem:
>>>>> move "deny test" to somewhere above the first "allow" line.
>>>>>
>>>>> Also you need to:
>>>>> * consider moving "allow ntlm" down below the security settings to
>>>>> just above "allow localnet".
>>>>> * consider whether the people on localnet ranges are truly allowed to
>>>>> do anything anyway *** when login fails ***.
>>>>>
>>>>> Amos
>>>>
>>>> thank you Amos
>>>>
>>>> I made: http_access deny test after http_access allow ntlm but not
>>>> working
>>>
>>>                                ^^^^^
>>>
>>> I said "before" first allow. You placed it "after" first allow.
>>>
>>> NTLM auth is silent and usually happens without users doing anything
>>> ("single sign-on"). The browser can be expected to authenticate them.
>>>
>>>> when they put the address proxy of the end of browser they can
>>>> connect
>>>
>>> Sorry, I do not understand the sentence above. ?
>>>
>>> When they put the address where?
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
>>> Current Beta Squid 3.1.0.9
>>>
>>
>> Hi
>> I mean in the Internet options ---> Connections ---> Local Area Network
>> they add the address of Proxy after they can connect
>>
>> but now I blocked the ip address, I placed "before" first allow like you
>> said, I think it's working
>>
>> can I ask another question ?
>>
>> many thanks for your help
>>
>
> it's possible to block user to connect to internet in squid but this
> user is in the active directory because I use the same user for the active
> directory in the squid
>
> you know how can I do ????
>

urgent please please help me

I restart my server proxy after not working I try to access to krb5 and resolv.conf I have this message :

No protocol specified
(gedit :2918) Gtk_Warnning**:cannot open dispay: 0.0

help me please please

--
View this message in context: http://www.nabble.com/user-problem-tp24458799p24624287.html
Sent from the Squid - Users mailing list archive at Nabble.com.
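
The rule-ordering point made in the thread above, as an added example that is not part of the original messages: a small Python model of first-match `http_access` evaluation, run against the ACLs quoted in the thread. It assumes the client at 10.60.6.7 has already authenticated, models `proxy_auth` as a plain boolean (no 407 challenge), and leaves out the manager/Safe_ports/CONNECT lines, which do not affect these cases; `decide` and `with_deny_test` are hypothetical helper names.

```python
import ipaddress

# ACLs taken from the config quoted in the thread.
# Assumption: "ntlm" is reduced to "client has already authenticated".
ACLS = {
    "ntlm": lambda r: r["authenticated"],
    "localnet": lambda r: any(
        ipaddress.ip_address(r["src"]) in ipaddress.ip_network(net)
        for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")),
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "test": lambda r: r["src"] == "10.60.6.7",
    "all": lambda r: True,
}

# The allow/deny lines from the thread, without "deny test".
BASE = ["http_access allow ntlm", "http_access allow localnet",
        "http_access allow localhost", "http_access deny all"]

def with_deny_test(position):
    """Return the rule list with 'http_access deny test' inserted at position."""
    rules = list(BASE)
    rules.insert(position, "http_access deny test")
    return rules

def decide(rules, request):
    """First matching line wins; ACLs on one line are ANDed, '!' negates."""
    for line in rules:
        _, action, *names = line.split()
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action, " ".join(names)
    return "deny", "(no rule matched)"  # not reached: every list has "deny all"

# Constructed sample requests: the machine to block, and a neighbour.
BLOCKED = {"src": "10.60.6.7", "authenticated": True}
OTHER = {"src": "10.60.6.8", "authenticated": True}

if __name__ == "__main__":
    for label, pos in (("after 'deny all' (original)", 4),
                       ("after first allow", 1),
                       ("before first allow", 0)):
        print(f"deny test {label}: {decide(with_deny_test(pos), BLOCKED)}")
    print("other client, fixed order:", decide(with_deny_test(0), OTHER))
```

Only the last placement stops 10.60.6.7; in the other two, `allow ntlm` matches first and the deny line is never evaluated.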