Thanks a lot for the reply Amos.
I tried the following:

acl station-domain dstdomain /usr/local/squid/station-domain.acl
http_access allow station-ip station-domain
http_access deny kiosk-ip

This order of rules only denies everything instead of allowing at least the domains in station-domain.acl.
My requirement is that everyone in that subnet should be able to access domains in station-domain.acl only. Sites outside the list have to be blocked for them.
On Tue, Sep 1, 2015 at 10:17 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 2/09/2015 1:28 a.m., jake driscoll wrote:
> here is my requirement:
>
>> i have a subnet
>> only a small list of sites need to be allowed access to this subnet
>> this subnet should not get access to any other site except the ones in the
> list
>> access for other users will remain the same
>
> I tried the following
>
> acl station-ip src 192.168.1.0/24
> acl station-domain dstdomain www.google.com www.bbc.com
> http_access deny station-ip !station-domain
That is correct for "subnet should not get access to any other site
except the ones in the list".
But you had more requirements in your description ...
... "sites need to be allowed access to this subnet"
Meaning you need an allow line somewhere that does that allowing.
Such a line might exist in your config already in another form.
At worst adding this line directly underneath the ones above will cause
that policy requirement to happen as well:
http_access allow station-ip
... "access for other users will remain the same"
Without seeing your full squid.conf http_access rules and all associated
ACL definitions we can't help with that "the same" part. Except to say:
Order is IMPORTANT.
Where you place a http_access line in the sequence with *all* other
http_access rules matters a LOT about whether it is even tested, whether
it will match at that time, and what will happen.
I *guess* you need to place these four new lines near the top of your
list of http_access rules, right under the default config's "CONNECT
!SSL_ports" line.
>
> and also this -
> http_access deny station-ip
> http_access allow station-ip station-domain
>
Good example of what I mean about order affecting matching.
100% of all traffic from station-ip will match that "deny" line.
The "allow" line will only be reached by non-'station-ip' traffic. It
will thus _never_ match, and does nothing.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
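To make the point about order concrete, here is a small Python model of how Squid walks an http_access list: top to bottom, first matching line wins, every ACL on a line must match (a leading "!" negates one ACL), and when no line matches the opposite of the last line's action applies. This is an added example, not part of the thread or of Squid itself; the "localnet" ACL, its 10.0.0.0/8 range and the trailing allow/deny lines are constructed stand-ins for the "other users" part of the config.

```python
import ipaddress

# ACL definitions taken from the thread, plus constructed ones: 'all' (Squid's
# built-in match-everything ACL) and 'localnet' standing in for "other users".
ACLS = {
    "station-ip":     ("src", ["192.168.1.0/24"]),
    "station-domain": ("dstdomain", ["www.google.com", "www.bbc.com"]),
    "localnet":       ("src", ["10.0.0.0/8"]),          # constructed
    "all":            ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, src, host):
    """True if the named ACL matches a request from src to host."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "dstdomain":
        # A bare name matches exactly; a leading dot also matches subdomains.
        return any(host == v or (v.startswith(".") and host.endswith(v)) for v in values)
    raise ValueError(f"unsupported ACL type {kind}")

def http_access(rules, src, host):
    """Walk rules (action, [acl, '!acl', ...]) in squid.conf order; first hit wins."""
    for action, terms in rules:
        line_hit = True
        for term in terms:
            negated = term.startswith("!")
            if acl_matches(term.lstrip("!"), src, host) == negated:
                line_hit = False          # one ACL on this line failed
                break
        if line_hit:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Jake's second attempt: the deny swallows all station-ip traffic first.
BROKEN = [("deny", ["station-ip"]),
          ("allow", ["station-ip", "station-domain"])]

# Amos's ordering, followed by constructed rules for everyone else.
FIXED = [("deny", ["station-ip", "!station-domain"]),
         ("allow", ["station-ip"]),
         ("allow", ["localnet"]),
         ("deny", ["all"])]

if __name__ == "__main__":
    for src, host in [("192.168.1.10", "www.bbc.com"), ("10.1.2.3", "www.bbc.com")]:
        print(src, host, http_access(BROKEN, src, host), http_access(FIXED, src, host))
```

Running it shows the BROKEN list denying station-ip even for www.bbc.com, while the FIXED list allows the listed sites for that subnet, denies everything else for it, and leaves localnet untouched.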