RE: [squid-users] How to configure squid for denying users to dodownload process for specified time range?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 22 May 2003 13:21:04 +0200

tor 2003-05-22 klockan 11.34 skrev Winanjaya:

> http_access allow it_user1
> http_access allow it_user2
> http_access allow nodownload1
> http_access allow nodownload2
>
> http_access deny GET office_hours nodownload1 nodownload2
> http_access deny all

There is two errors here:

a) You have already allowed access in the lines above.. the order of you
http_access rules is important. The first matching http_access line
tells if the request is allowed or denied.

b) nodownload1 and nodownload2 is conflicting. A single request cannot
come both from src 192.168.1.10 and src 192.168.1.11.

What you should do is to

1. Move the http_access deny line up before your allow lines.

2. Merge your nodownload* acls into one single nodownload acl including
all the ip addresses. You should probably also do the same with the
it_user* acls..

Which gives a configuration looking something like this:

 acl download urlpath_regex -i \.exe$
 acl office_hours time 09:00-17:00
 acl GET method GET

 acl it_user src 192.168.1.88 192.168.1.89

 acl nodownload src 192.168.1.10 192.168.1.11

 http_access deny nodownload GET office_hour
 http_access allow nodownload

 http_access allow it_user

 http_access deny all.

Note: You may split the acl definitions on multiple lines if you prefer.

 acl nodownload src 192.168.1.10
 acl nodownload src 192.168.1.11

Or have the IP addresses in a separate file (one address per line)

 acl nodownload src "/path/to/nodownload.txt"

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions is only answered
for a fee or as part of a commercial Squid support contract.
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Thu May 22 2003 - 05:22:46 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:16:52 MST