Ross Kovelman wrote:
1) Thanks!
2) Here is my ACL and http access lines:
acl bad_url dstdomain "/xxx/Squid/etc/bad-sites.squid"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 192.168.16.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl workdays time MTWHF 8:30-12:00
acl workdays time MTWHF 13:30-18:00
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Restrict cachemgr access
http_access allow manager localhost
http_access deny manager
# Block access to banned URLs
http_access deny bad_url workdays
# Allow users access on workdays
http_access allow our_networks workdays
The above will not permit network access outside the specific times you
specified in "workdays".
Meaning network access is denied 12pm to 1.30pm and 6pm to 8am.
#http_access allow out_networks
# Deny everything else
http_access deny all
#
#
#Recommended minimum configuration:
The following lines are recommended since they ensure safe usage of the
dangerous features Squid provides. They really should be at the top of
the config.
As it stands any of the workers can open a CONNECT tunnel and give
themselves unlimited access to the Internet.
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access deny bad_url
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
4) All I know is going through the squid as a proxy server disables the
login prompt. If I just access it without proxy then I get an
authentication box.
Sounds like something doing NTLM/Negotiate challenge authentication.
This is generally broken going through proxies.
You will need to look deeper into what is going on. The access.log and
cache.log should have more detail.
5) Again can you explain this to me for me to get pages blocked to work:
Yes. Create an ACL for normal login, adding it to the end of the line.
For example:
... login setup
acl loginACL proxy_auth REQUIRED
http_access deny our_networks bad_url workdays !loginACL
6) Will look into WCCP and BSD...thanks
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.14
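
The rule-ordering point from the reply above, as an added example that is not part of the original thread: Squid checks http_access lines top to bottom and the first matching line decides, so the Safe_ports and CONNECT denies only take effect if they sit above the allow. This is a simplified Python model, not Squid code; `decide`, `make_request`, the `workday_hours` flag and the `blocked.example` host are constructed for illustration, and the repeated manager and bad_url lines from the post are left out.

```python
# Simplified model of Squid http_access matching (illustration, not Squid code).
# A rule matches when every ACL on its line matches ("!" negates); first match wins.
import ipaddress
OUR_NET = ipaddress.ip_network("192.168.16.0/24")
BAD_SITES = {"blocked.example"}          # constructed stand-in for bad-sites.squid
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}

ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "our_networks": lambda r: ipaddress.ip_address(r["src"]) in OUR_NET,
    "workdays": lambda r: r["workday_hours"],   # time ACL reduced to a flag
    "bad_url": lambda r: r["host"] in BAD_SITES,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] in {443, 563},
    "CONNECT": lambda r: r["method"] == "CONNECT",
}

AS_POSTED = """
http_access allow manager localhost
http_access deny manager
http_access deny bad_url workdays
http_access allow our_networks workdays
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""

REORDERED = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bad_url workdays
http_access allow our_networks workdays
http_access deny all
"""

def make_request(method, host, port, src="192.168.16.50", workday_hours=True):
    return {"method": method, "host": host, "port": port, "src": src,
            "workday_hours": workday_hours, "proto": "http"}

def decide(rules, req):
    for line in rules.strip().splitlines():
        _, action, *names = line.split()
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny"  # not reached here: both rule sets contain "deny all"
```

In the posted order the port and CONNECT denies come after `deny all` and are never consulted; moved above the allow, they are evaluated for every request.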