On Fri, 20 Aug 2004, Merton Campbell Crockett wrote:

The assumptions were stated in an elided paragraph that the proxy was
restricted to KIOSK users and that they were restricted to destinations
specified in KIOSK.dstdomain.

If there are other users of the proxy and they are permitted to access any
destination, the following supports the condition.  The last rule is for
clarity and to show that all conditions have been enumerated.

        http_access allow !KIOSK
        http_access deny  !KIOSK.dstdomain
        http_access allow KIOSK


In my experience this is more confusing than what you gain.

If your goal is to allow KIOSK access to certain domains then use the combination

   http_access allow KIOSK KIOSK.dstdomain
   http_access deny KIOSK


If this does not work then at least one of the acls is wrongly defined and you won't see the desired result no matter how you rearrange the http_access rules.


The first rule in your example (allow !KIOSK) is very dangerous as this allows everyone else in the whole world access. Such rules should not be used unless you have been very strict earlier up on what IP addresses may access the proxy.

As a general rule of thumb only use full negations in http_access deny rules, such as

   http_access deny !our_networks

or partial negations in combination with something else which makes sense


   http_access allow our_networks !restricted_sites

possibly followed by something like

   http_access allow our_networks privileged_users


Negations are very powerful, but should be used carefully.

Regards
Henrik
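To make the difference between the two rule sets concrete, here is a small simulator of Squid's http_access evaluation (ACLs on one line are ANDed, lines are checked in order, the first matching line decides, and if nothing matches the result is the opposite of the last line's action). This is an added example, not code from the thread or from Squid itself; the ACL definitions, the addresses, the sample requests and the trailing "allow our_networks" line that lets non-kiosk users reach any destination are all assumptions made for the illustration.

```python
"""Simulator of Squid's http_access rule evaluation.

Added example, not Squid source. The ACL contents, addresses and the
requests below are constructed to illustrate the rule sets in this thread.
"""

from ipaddress import ip_address, ip_network

# Hypothetical "acl" definitions standing in for the squid.conf lines the
# thread refers to. dstdomain is approximated by a suffix match.
ACLS = {
    "KIOSK": lambda req: ip_address(req["src"]) in ip_network("10.1.5.0/24"),
    "KIOSK.dstdomain": lambda req: req["dst"].endswith(".example.com"),
    "our_networks": lambda req: ip_address(req["src"]) in ip_network("10.0.0.0/8"),
}


def acl_matches(token, req):
    """Evaluate one ACL token, honouring a leading '!' as squid.conf does."""
    if token.startswith("!"):
        return not ACLS[token[1:]](req)
    return ACLS[token](req)


def http_access(rules, req):
    """Return 'allow' or 'deny' for req under Squid's first-match semantics."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    # No line matched: default is the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def parse_rules(text):
    """Parse 'http_access allow|deny acl ...' lines into (action, [acls])."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            raise ValueError(f"not an http_access line: {line!r}")
        rules.append((parts[1], parts[2:]))
    return rules


# The three rules quoted at the top of the thread.
MERTON = parse_rules("""
http_access allow !KIOSK
http_access deny  !KIOSK.dstdomain
http_access allow KIOSK
""")

# Henrik's two-rule form, fenced by a full negation in a deny rule first;
# the final "allow our_networks" is an assumption added for the example.
HENRIK = parse_rules("""
http_access deny !our_networks
http_access allow KIOSK KIOSK.dstdomain
http_access deny KIOSK
http_access allow our_networks
""")

# Constructed requests: a kiosk to a permitted and to a forbidden site,
# an ordinary office host, and a client on the public Internet.
REQUESTS = {
    "kiosk_ok":  {"src": "10.1.5.20",   "dst": "intranet.example.com"},
    "kiosk_bad": {"src": "10.1.5.20",   "dst": "www.evil.test"},
    "office":    {"src": "10.2.0.7",    "dst": "www.evil.test"},
    "internet":  {"src": "203.0.113.9", "dst": "www.evil.test"},
}


def decisions(rules):
    """Map each sample request name to the proxy's decision under rules."""
    return {name: http_access(rules, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, rules in (("Merton", MERTON), ("Henrik", HENRIK)):
        print(label, decisions(rules))
```

Running it shows the point made above: under the first rule set the "internet" client is allowed everywhere because "allow !KIOSK" matches anyone who is not a kiosk, whereas the version that opens with "deny !our_networks" rejects it before any allow line is consulted, while both sets treat the kiosk requests identically.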
