Ross Kovelman wrote:
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
Date: Fri, 09 Oct 2009 18:38:07 +1300
Cc: <squid-users@xxxxxxxxxxxxxxx>
Subject: Re: New Admin
Ross Kovelman wrote:
1) Thanks!
2) Here is my ACL and http access lines:
acl bad_url dstdomain "/xxx/Squid/etc/bad-sites.squid"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 192.168.16.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl workdays time MTWHF 8:30-12:00
acl workdays time MTWHF 13:30-18:00
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Restrict cachemgr access
http_access allow manager localhost
http_access deny manager
# Block access to banned URLs
http_access deny bad_url workdays
# Allow users access on workdays
http_access allow our_networks workdays
The above will not permit network access outside the specific times you
specified in "workdays".
Meaning network access is denied 12pm to 1.30pm and 6pm to 8am.
#http_access allow out_networks
# Deny everything else
http_access deny all
#
#
#Recommended minimum configuration:
The following lines are recommended since they ensure safe usage of the
dangerous features Squid provides. They really should be at the top of
the config.
As it stands any of the workers can open a CONNECT tunnel and give
themselves unlimited access to the Internet.
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access deny bad_url
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
4) All I know is going through the squid as a proxy server disables the
login prompt. If I just access it without proxy then I get an
authentication box.
Sounds like something doing NTLM/Negotiate challenge authentication.
This is generally broken going through proxies.
You will need to look deeper into what is going on. The access.log and
cache.log should have more detail.
5) Again can you explain this to me for me to get pages blocked to work:
Yes. Create an ACL for normal login. Adding it to the end of the line
For example:
... login setup
acl loginACL proxy_auth REQUIRED
http_access deny our_networks bad_url workdays !loginACL
6) Will look into WCCP and BSD...thanks
Amos
1) You say that config will not work, which I understand, but then how can I
get it to work so that the times you listed 12pm to 1.30pm and 6pm to 8am
will allow all traffic. All other times in between are locked down?
You asked earlier about how to allow access ONLY during those times.
Henrik gave you the answer which was to add "http_access allow
our_networks workdays" and you are still using the rule.
Now you are asking why it does exactly what you asked for.
Please read
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes and when
you understand how to use ACL you should be able to resolve the issue
yourself.
2) I tried to move the http_access rules up top but when starting squid I
get errors as it does not know what manager is etc.
I meant at the top of the http_access section of config sorry.
The http_access lines still need to be below the acl definitions.
3) This is the access log:
1255094675.752 21 192.168.16.93 TCP_MISS/401 1938 GET http://xxxx.xxxxx.com/xxxx/WestRegion/default.aspx - DIRECT/255.232.133.202 text/html
Cache log shows this:
2009/10/09 09:26:54| DNS Socket created at 0.0.0.0, port 49200, FD 10
2009/10/09 09:26:54| Adding nameserver 71.250.0.12 from squid.conf
2009/10/09 09:26:54| Adding nameserver 68.237.161.12 from squid.conf
2009/10/09 09:26:54| helperOpenServers: Starting 1 'squid_redirect' processes
2009/10/09 09:26:55| Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
2009/10/09 09:26:55| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
2009/10/09 09:26:55| WCCP Disabled.
2009/10/09 09:26:55| Loaded Icons.
2009/10/09 09:26:55| eventCleanup
2009/10/09 09:26:55| Ready to serve requests.
Very limited in what it is telling me, or is this the line:
TCP_MISS/401
Thanks
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
Current Beta Squid 3.1.0.14
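The ordering point Amos makes above (first-match evaluation, the Safe_ports and CONNECT rules being unreachable below "deny all", and access outside "workdays" falling through to the final deny) is easy to see in a small simulator. The following is an added example, not code from Squid or from either poster: it models http_access lines as an ordered list where each line ANDs its ACLs, the first fully matching line decides, and an unmatched request gets the opposite of the last line's action. The network, ports, banned-domain set and sample requests are constructed, and the time ACL is modelled as inclusive, which is a simplification of Squid's own matching.

```python
"""First-match simulation of the http_access orderings discussed in the thread.
Added example with a simplified model of Squid ACL evaluation; all data constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

BAD_SITES = {"badsite.example"}            # constructed stand-in for bad-sites.squid
OUR_NETWORKS = ipaddress.ip_network("192.168.16.0/24")
SSL_PORTS = {443, 563}
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))


@dataclass
class Request:
    src: str        # client IP
    method: str     # GET, CONNECT, ...
    proto: str      # http, https, cache_object, ...
    host: str       # destination domain
    port: int       # destination port
    when: datetime  # arrival time


def workdays(r):
    """acl workdays time MTWHF 8:30-12:00 and 13:30-18:00 (modelled as inclusive)."""
    if r.when.weekday() > 4:            # Mon=0 .. Fri=4
        return False
    m = r.when.hour * 60 + r.when.minute
    return (8 * 60 + 30 <= m <= 12 * 60) or (13 * 60 + 30 <= m <= 18 * 60)


ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r.proto == "cache_object",
    "localhost": lambda r: ipaddress.ip_address(r.src) == ipaddress.ip_address("127.0.0.1"),
    "our_networks": lambda r: ipaddress.ip_address(r.src) in OUR_NETWORKS,
    "workdays": workdays,
    "bad_url": lambda r: r.host in BAD_SITES,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
}


def http_access(rules, req):
    """Return 'allow' or 'deny' for req under an ordered list of (action, acl_terms)."""
    for action, terms in rules:
        matched = True
        for term in terms:
            negated = term.startswith("!")
            hit = ACLS[term.lstrip("!")](req)
            if hit == negated:          # a plain term needs a hit, a "!" term needs a miss
                matched = False
                break
        if matched:
            return action
    # Nothing matched: Squid applies the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Ordering as posted: the port/CONNECT rules sit below "deny all" and never run
POSTED = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["bad_url", "workdays"]),
    ("allow", ["our_networks", "workdays"]),
    ("deny", ["all"]),
    ("deny", ["!Safe_ports"]),             # unreachable
    ("deny", ["CONNECT", "!SSL_ports"]),   # unreachable
]

# Same rules with the safety lines moved to the top of the http_access section
RECOMMENDED = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["bad_url"]),
    ("allow", ["our_networks", "workdays"]),
    ("deny", ["all"]),
]

TUE_10 = datetime(2009, 10, 6, 10, 0)      # Tuesday, inside working hours (constructed)
TUE_1230 = datetime(2009, 10, 6, 12, 30)   # Tuesday, lunch break

TUNNEL = Request("192.168.16.93", "CONNECT", "https", "host.example", 8080, TUE_10)
WEB = Request("192.168.16.93", "GET", "http", "www.example", 80, TUE_10)
LUNCH = Request("192.168.16.93", "GET", "http", "www.example", 80, TUE_1230)
BANNED = Request("192.168.16.93", "GET", "http", "badsite.example", 80, TUE_10)


def compare(req):
    """Decision under the posted ordering and under the recommended one."""
    return http_access(POSTED, req), http_access(RECOMMENDED, req)


if __name__ == "__main__":
    for name, req in [("tunnel", TUNNEL), ("web", WEB), ("lunch", LUNCH), ("banned", BANNED)]:
        posted, recommended = compare(req)
        print(f"{name:7s} posted={posted:5s} recommended={recommended}")
```

Running it shows the CONNECT to port 8080 during work hours allowed by the posted ordering but denied once the CONNECT rule is reachable, while the lunch-time request is denied under both orderings because nothing but the final "deny all" matches it.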