> > http_access deny manager > > http_access allow ncsa_users > > So all logged in users have unlimited access? > > > > http_access deny !Safe_ports > > http_access deny CONNECT !SSL_ports > > http_access deny to_localhost > > http_access deny maxuser > > These deny rules are placed below the allow rule letting ALL logged in > users through. > This means that for all machines on the Internet which can supply one > of your users insecure plain-text logins: > * the safe_ports rule preventing viral and P2P abuse relaying through > Squid has no effect > * the CONNECT rule preventing blind binary tunneling of data to any > protocol port through Squid has no effect. > * you maxuser policy has no effect. So, I should apply the deny rules above the allow ncsa_users line? eg http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny to_localhost http_access deny maxuser http_access deny manager http_access allow ncsa_users > > > http_access allow localhost > > http_access deny all > > icp_access allow all > > http_port 8080 > > http_port xx.xx.xx.xx:80 > > And what are you expecting to arrive over port 80? > That port is reserved for reverse-proxy and origin server traffic. > I have squid listening on port 80 and 8080 because some clients cannot connect on port 8080 > > visible_hostname MyNameProxyServer > > Funny domain name. I hope that is obfuscated for the post not in the > config. > This is the domain name used in URLs your clients get told to use for > Squid error and FTP page icons. If it does not resolve back to this or > another Squid your clients will be facing page load problems on those > generated responses. I thought this was just the name presented to the users when they logged on. If it is meant to be a domain name should it be: visible_hostname www.mynameproxyserver.com ? Thanks