On Wed, Sep 9, 2009 at 12:56 PM, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote: > ons 2009-09-09 klockan 12:02 +0530 skrev Avinash Rao: > >> http_access allow staffgroup >> http_access allow student staffgroup > > The above is wrong. > > The first directive allows everyone in staffgroup without restriction, > which means the second can not be reached. Squid uses the first > http_access line matching the request to determine if the request is > allowed or denied, any http_access rules following that is ignored. > >> I am wondering if its really checking the NT group? I also tried using >> the squid_unix_group option, but the result was the same. > > It most likely is, assuming you have no "proxy_auth REQUIRED" acl used > in parts of squid.conf not shown here. > >> http_access deny extndeny >> http_access deny purge >> http_access deny !Safe_ports >> http_access deny CONNECT !SSL_ports >> >> >> #http_access allow friends WORKING >> #http_access deny friends >> http_access deny abc >> http_access deny videos >> >> http_access deny !AuthUsers > > Ok. > >> http_access allow staffgroup >> http_access allow student staffgroup > > See above for why this is wrong. I guess the first of the two should > go.. > > >> http_access allow manager localhost >> http_access deny manager >> http_access allow purge localhost > > There is a "deny purge" rule missing here. > > And the whole block should be before your custom rules (i.e. first rules > in http_access). > >> #http_access allow special_urls >> #http_access deny extndeny download >> http_access deny badurl >> #http_access deny malware_block_list >> #deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list > > This deny need to go before where you allow access to be effective. But > maybe it is.. Not entirely obvious to me who should get denied and who > not. > >> http_access allow localhost >> http_access allow lan >> http_access deny all > > Ok. > > Regards > Henrik > > > Henrik, I understood what you said, I removed the conflicting entry, http_access allow staffgroup and yes my config has: acl AuthUsers proxy_auth REQUIRED http_access deny !AuthUsers But the result was the same. The time restriction is not working. Regards, Avinash