> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> Date: Fri, 09 Oct 2009 18:38:07 +1300
> Cc: <squid-users@xxxxxxxxxxxxxxx>
> Subject: Re: New Admin
>
> Ross Kovelman wrote:
>> 1) Thanks!
>>
>> 2) Here is my ACL and http access lines:
>> acl bad_url dstdomain "/xxx/Squid/etc/bad-sites.squid"
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl our_networks src 192.168.16.0/255.255.255.0
>> acl to_localhost dst 127.0.0.0/8
>> acl workdays time MTWHF 8:30-12:00
>> acl workdays time MTWHF 13:30-18:00
>> acl SSL_ports port 443 563
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> # Restrict cachemgr access
>> http_access allow manager localhost
>> http_access deny manager
>> # Block access to banned URLs
>> http_access deny bad_url workdays
>> # Allow users access on workdays
>> http_access allow our_networks workdays
>
> The above will not permit network access outside the specific times you
> specified in "workdays".
>
> Meaning network access is denied 12pm to 1.30pm and 6pm to 8am.
>
>> #http_access allow out_networks
>> # Deny everything else
>> http_access deny all
>> #
>> #
>> #Recommended minimum configuration:
>
> The following lines are recommended since they ensure safe usage of the
> dangerous features Squid provides. They really should be at the top of
> the config.
> As it stands any of the workers can open a CONNECT tunnel and give
> themselves unlimited access to the Internet.
>
>> #
>> # Only allow cachemgr access from localhost
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny bad_url
>> # Deny requests to unknown ports
>> http_access deny !Safe_ports
>> # Deny CONNECT to other than SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> 4) All I know is going through the squid as a proxy server disables the
>> login prompt. If I just access it without proxy then I get an
>> authentication box.
>
> Sounds like something doing NTLM/Negotiate challenge authentication.
> This is generally broken going through proxies.
>
> You will need to look deeper into what is going on. The access.log and
> cache.log should have more detail.
>
>>
>> 5) Again can you explain this to me for me to get pages blocked to work:
>>>>> Yes. Create an ACL for normal login. Adding it to the end of the line
>>>>> For example:
>>>>> ... login setup
>>>>> acl loginACL proxy_auth REQUIRED
>>>>> http_access deny our_networks bad_url workdays !loginACL
>>
>> 6) Will look into WCCP and BSD...thanks
>>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
> Current Beta Squid 3.1.0.14

1) You say that config will not work, which I understand, but then how can I get it to work so that the times you listed 12pm to 1.30pm and 6pm to 8am will allow all traffic. All other times in between is locked down?

2) I tried to move the http_access rules up top but when starting squid I get errors as it does not know what manager is etc.

3) This is the access log:

1255094675.752 21 192.168.16.93 TCP_MISS/401 1938 GET http://xxxx.xxxxx.com/xxxx/WestRegion/default.aspx - DIRECT/255.232.133.202 text/html

Cache log shows this:

2009/10/09 09:26:54| DNS Socket created at 0.0.0.0, port 49200, FD 10
2009/10/09 09:26:54| Adding nameserver 71.250.0.12 from squid.conf
2009/10/09 09:26:54| Adding nameserver 68.237.161.12 from squid.conf
2009/10/09 09:26:54| helperOpenServers: Starting 1 'squid_redirect' processes
2009/10/09 09:26:55| Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
2009/10/09 09:26:55| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
2009/10/09 09:26:55| WCCP Disabled.
2009/10/09 09:26:55| Loaded Icons.
2009/10/09 09:26:55| eventCleanup
2009/10/09 09:26:55| Ready to serve requests.

Very limited in what it is telling me, or is this the line: TCP_MISS/401

Thanks
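The ordering problem Amos points out (the Safe_ports and CONNECT guards are listed below "http_access allow our_networks workdays" and "deny all", so a LAN user can CONNECT to any port during work hours), the lunchtime/overnight lockout behind Ross's point 1, and the "does not know what manager is" error from point 2 can all be seen with a small model of how Squid walks its http_access list. This is an added example, not Squid's code and not anything posted in the thread. It assumes: the contents of the bad-sites list (replaced by two made-up inline domains), the sample requests, that time ranges are half-open, and one reading of point 1, namely that the LAN should be unrestricted outside "workdays" and only bad_url blocked during them. The cachemgr lines are left out because they are identical in both orderings.

```python
"""Toy model of Squid http_access evaluation: lines are tried top to bottom, the first
line whose ACLs all match decides, repeated 'acl NAME' lines are ORed, and if no line
matches the result is the opposite of the last line. Added illustration, not Squid code."""
import ipaddress
from collections import namedtuple
from datetime import datetime

Request = namedtuple("Request", "src method host port when")
DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}  # Squid: Sun..Sat

def match_one(kind, value, req):
    """One value of one ACL against one request; only the types used in the thread."""
    if kind == "src":
        return ipaddress.ip_address(req.src) in ipaddress.ip_network(value, strict=False)
    if kind == "port":
        lo, _, hi = value.partition("-")
        return int(lo) <= req.port <= int(hi or lo)
    if kind == "method":
        return req.method.upper() == value.upper()
    if kind == "dstdomain":  # leading dot: the domain and its subdomains; else exact host
        host = req.host.lower()
        return (host == value[1:] or host.endswith(value)) if value[0] == "." else host == value
    if kind == "time":  # "MTWHF 8:30-12:00": day letters, then an h:m range (assumed half-open)
        days, span = value.split()
        start, end = (tuple(map(int, t.split(":"))) for t in span.split("-"))
        now = (req.when.hour, req.when.minute)
        return req.when.weekday() in {DAY_LETTERS[d] for d in days} and start <= now < end
    raise ValueError("acl type not modelled: " + kind)

def parse(conf):
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if words and words[0] == "acl":  # repeated names accumulate (ORed) values
            name, kind, rest = words[1], words[2], words[3:]
            acls.setdefault(name, (kind, []))[1].extend([" ".join(rest)] if kind == "time" else rest)
        elif words and words[0] == "http_access":
            for term in words[2:]:  # Squid rejects ACLs not defined above this line (point 2)
                if term.lstrip("!") not in acls:
                    raise ValueError("http_access refers to undefined ACL " + term.lstrip("!"))
            rules.append((words[1], words[2:]))
    return acls, rules

def http_access(acls, rules, req):
    def hit(term):  # one term of a line; a leading '!' negates the ACL
        kind, values = acls[term.lstrip("!")]
        return any(match_one(kind, v, req) for v in values) != term.startswith("!")
    for action, terms in rules:  # first line on which every term hits decides
        if all(map(hit, terms)):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid's implicit default

# bad_url uses constructed inline domains instead of the file quoted in the thread
ACLS = """
acl bad_url dstdomain badsite.example .timewaster.example
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl our_networks src 192.168.16.0/255.255.255.0
acl workdays time MTWHF 8:30-12:00
acl workdays time MTWHF 13:30-18:00
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
"""
# Ross's ordering: the port and CONNECT guards sit below the allow and 'deny all', never reached
POSTED = ACLS + """
http_access deny bad_url workdays
http_access allow our_networks workdays
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
# Guards first, as Amos advises; last three lines are the assumed reading of point 1
REORDERED = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bad_url workdays
http_access allow our_networks
http_access deny all
"""
WORK, LUNCH = datetime(2009, 10, 9, 10, 0), datetime(2009, 10, 9, 12, 30)  # a Friday
SAMPLE = {  # constructed requests from the 192.168.16.0/24 LAN
    "tunnel_8080_work": Request("192.168.16.93", "CONNECT", "ssh.example", 8080, WORK),
    "https_work": Request("192.168.16.93", "CONNECT", "bank.example", 443, WORK),
    "bad_site_work": Request("192.168.16.93", "GET", "www.timewaster.example", 80, WORK),
    "bad_site_lunch": Request("192.168.16.93", "GET", "www.timewaster.example", 80, LUNCH),
    "good_site_lunch": Request("192.168.16.93", "GET", "www.example", 80, LUNCH),
}

def decisions(conf):
    acls, rules = parse(conf)
    return {name: http_access(acls, rules, req) for name, req in SAMPLE.items()}

def rules_before_acls():
    try:  # http_access placed above the acl lines, as in point 2
        parse("http_access deny manager\n" + ACLS)
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    for n, posted, reordered in zip(SAMPLE, decisions(POSTED).values(), decisions(REORDERED).values()):
        print(f"{n:16} posted={posted:6} reordered={reordered}")
    print(rules_before_acls())
```

Running it shows the tunnel to port 8080 allowed under the posted ordering and denied once the guards come first, and the ordinary lunchtime request denied by the posted config but allowed by the reordered one. On a real squid.conf, `squid -k parse` reports the same undefined-ACL error before the daemon starts, which is the quick check to run after moving http_access lines around.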