On Sun, 14 Mar 2010 08:30:53 -0700 (PDT), Landy Landy <landysaccount@xxxxxxxxx> wrote:
> Hello.
>
> I'm trying to block all my users from using the internet except for a few of
> them. I'm trying to do this with acl but it is not working. Here's part of
> the squid.conf:
>
> # Port Squid listens on
> http_port 172.16.0.1:3128 transparent
>
> # Access-lists (ACLs) will permit or deny hosts to access the proxy
> acl lan-access src 172.16.0.0/16
> acl proxy src 172.16.0.1
> acl localhost src 127.0.0.1
>
> acl CONNECT method CONNECT
>
> acl allowed src "/etc/ipaddress/ipAllowed"
>
> # Access rule
> http_access allow proxy

Does it work when you remove the above line?

I've only seen that type of allow needed when iptables rules got broken by NAT happening on a remote box, changing all client addresses to be identical to the proxy one.

The agents on the proxy box can be configured to use localhost safely.

> http_access allow localhost
>
> #---- Block some sites
>
> acl blockanalysis01 dstdomain .scorecardresearch.com .google-analytics.com
> acl blockads01 dstdomain .rad.msn.com ads1.msn.com ads2.msn.com ads3.msn.com ads4.msn.com
> acl blockads02 dstdomain .adserver.yahoo.com pagead2.googlesyndication.com ad.yieldmanager.com
> acl blockads03 dstdomain .doubleclick.net
> http_access deny blockanalysis01
> http_access deny blockads01
> http_access deny blockads02
> http_access deny blockads03
>

NP: You can combine those ads lists into the one ACL name if you want an easier config.

> #######################################
>
> http_access allow allowed
> #http_access allow lan-access

Just to be clear and see exactly what is happening, this would be good to add right here in the rules:

  http_access deny all

>
>
> ---------
> In ipAllowed there are 4 IP addresses:
>
> 172.16.250.1
> 172.16.250.12
> 172.16.254.13
>
> Everyone is allowed to the internet.
>
> What am I doing wrong?

Mostly looks good, all I can see is that NAT possibility.
Your Squid rules should be working as you wanted.

Amos
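
Added example, not part of the original thread and not Squid's own code: a small Python model of first-match http_access evaluation, run over the posted rule order and over a variant applying both suggestions from the reply (no "allow proxy", explicit "deny all" last). The ACL table is a constructed subset of the posted config, and the function and variable names are hypothetical.

```python
import ipaddress

# Constructed subset of the posted squid.conf; all names below are this example's own.
ACLS = {
    "proxy": ("src", ["172.16.0.1"]),
    "localhost": ("src", ["127.0.0.1"]),
    # entries listed in the post for /etc/ipaddress/ipAllowed
    "allowed": ("src", ["172.16.250.1", "172.16.250.12", "172.16.254.13"]),
    "blockads03": ("dstdomain", [".doubleclick.net"]),
    "all": ("src", ["0.0.0.0/0"]),
}
RULES_POSTED = [("allow", "proxy"), ("allow", "localhost"),
                ("deny", "blockads03"), ("allow", "allowed")]
# Both suggestions from the reply: no "allow proxy", explicit "deny all" last.
RULES_SUGGESTED = [("allow", "localhost"), ("deny", "blockads03"),
                   ("allow", "allowed"), ("deny", "all")]


def acl_matches(name, client_ip, host):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    # dstdomain: a leading dot matches the domain itself and its subdomains
    host = host.lower()
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in values)


def http_access(rules, client_ip, host):
    """Return (action, deciding ACL). The first matching rule wins; if none
    matches, Squid applies the opposite of the last rule's action."""
    for action, acl in rules:
        if acl_matches(acl, client_ip, host):
            return action, acl
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(implicit default)"


if __name__ == "__main__":
    # Constructed requests: (source address Squid sees, requested host)
    for ip, host in [("172.16.250.12", "example.com"),  # listed in ipAllowed
                     ("172.16.9.9", "example.com"),      # ordinary LAN client
                     ("172.16.0.1", "example.com")]:     # client NATed to proxy IP
        print(ip, host, http_access(RULES_POSTED, ip, host),
              http_access(RULES_SUGGESTED, ip, host))
```

The third request is the NAT case from the reply: when every client arrives with the proxy's own address, "allow proxy" admits the request before the ipAllowed check is ever reached.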