>> http_access allow KIOSK.dstdomain
>> http_access allow KIOSK

>>>Is this really what you want?

>>>Allow everyone access to KIOSK.dstdomain

>>>Allow KIOSK access to everything.

>> http_access deny KIOSK

>>>This is redundant due to the above.




KIOSK is an acl that lists what IPs can use that acl, and KIOSK.dstdomain
lists what sites KIOSK can get to, and it seems to work well.  I did remove
http_access deny KIOSK, but when I tried to combine the two statements that
I think I need,


>> http_access allow KIOSK.dstdomain
>> http_access allow KIOSK

into

> http_access allow KIOSK KIOSK.dstdomain

That did not work; the users in KIOSK can no longer access sites listed at
KIOSK.dstdomain, which is the goal.




Jim



Henrik Nordstrom <[EMAIL PROTECTED]he.org>
08/19/2004 12:36 AM

To:      Jim_Brouse/[EMAIL PROTECTED]
cc:      Henrik Nordstrom <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: [squid-users] can not access sites due to acl when using ntlm auth






On Wed, 18 Aug 2004 Jim_Brouse/[EMAIL PROTECTED] wrote:

>> http_access allow manager localhost
>> http_access deny manager

Ok

>> http_access allow KIOSK.dstdomain
>> http_access allow KIOSK

Is this really what you want?

Allow everyone access to KIOSK.dstdomain

Allow KIOSK access to everything.

>> http_access deny KIOSK

This is redundant due to the above.

>> http_access allow MYAIRMAIL

>> http_access allow PAGING

>> http_access deny PAGING

This is redundant. You can not deny what you have already allowed.

>> http_access deny BLOCK.NOT.YAHOO
>> http_access allow YAHOOMESSENGER
>> http_access deny YAHOOMESSENGER

This is redundant.

>> http_access deny BLOCK.NOT.AOL
>> http_access allow AOL
>> http_access deny  AOL

This is redundant.

>> http_access deny lab.src  lab.dstdomain
>> http_access allow lab.src
>> http_access deny lab.src

This is redundant.

>> http_access allow LOG-ONLY-HOSTS
>> http_access deny NO.NONBLOCK  NONBLOCK
>> http_access allow NONBLOCK
>> http_access allow NONPORN
>> http_access deny BLOCK
>> http_access deny MIMEBLOCK
>> http_access deny RESTRICTED-BROWSER
>> http_access deny RESTRICTED-DOM

>> http_access allow manager ADMIN-HOSTS
>> http_access deny manager

This is redundant due to the first two rules already taking care of all
manager access.

>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access deny to_localhost

These should be much higher, before your own first accept rule.

Somewhere before this last deny of everything else it looks like there are
some allow statements missing, allowing access after you have filtered out
all the things you do not want to see.

>> http_access deny all

Regards
Henrik
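
The rule-order points raised in the review above can be checked mechanically. The following is an added example, not code from the thread or from Squid: a small model of http_access evaluation in which the ACL names on one line are ANDed and the first matching line decides. It assumes a request is described simply by the set of ACL names it matches; it does not model ACL definitions or NTLM authentication, and the function names are hypothetical.

```python
# Added illustration; models http_access line ordering only.
RULES = """\
http_access allow manager localhost
http_access deny manager
http_access allow KIOSK.dstdomain
http_access allow KIOSK
http_access deny KIOSK
http_access allow manager ADMIN-HOSTS
http_access deny manager
http_access deny all
"""  # excerpt of the rule order quoted in the thread

def parse(text):
    """Return [(action, frozenset_of_acl_terms)] for each http_access line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], frozenset(parts[2:])))
    return rules

def term_matches(term, matched):
    """A term is an ACL name, or !name for negation; 'all' always matches."""
    if term.startswith("!"):
        return not term_matches(term[1:], matched)
    return term == "all" or term in matched

def decide(rules, matched):
    """First line whose terms all match wins; returns (action, index)."""
    for i, (action, terms) in enumerate(rules):
        if all(term_matches(t, matched) for t in terms):
            return action, i
    return None, None

def shadowed(rules):
    """Indexes of lines that can never decide a request: an earlier line's
    terms are a subset of theirs, so the earlier line always matches first."""
    out = []
    for i, (_, terms) in enumerate(rules):
        if any((prev - {"all"}) <= terms for _, prev in rules[:i]):
            out.append(i)
    return out

if __name__ == "__main__":
    rules = parse(RULES)
    print("unreachable lines:", shadowed(rules))
    # Constructed request: a non-KIOSK client asking for a KIOSK.dstdomain site.
    print(decide(rules, {"KIOSK.dstdomain"}))
```

Running `shadowed` over a full http_access list before reloading the proxy shows which lines are dead because an earlier, broader line always matches first.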



