Re: [squid-users] can not access sites due to acl when using ntlm auth

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 24 Aug 2004 23:09:00 +0200 (CEST)

On Tue, 24 Aug 2004 Jim_Brouse/PYT@PASCUAYAQUITRIBE.ORG wrote:

>
> egrep -v '^$|^#' /etc/squid.conf |grep http_access -i
> http_access allow manager localhost
> http_access deny manager
> http_access allow KIOSK KIOSK.dstdomain

Shouldn't there be a

http_access deny KIOSK

here?

If not, the KIOSK is allowed to access YAHOOMESSENGER, AOL, NONPORN and
maybe more.. (not all your acl names are obvious)

> http_access allow PAGING AIRMAIL
> http_access deny BLOCK.NOT.YAHOO YAHOOMESSENGER
> http_access allow YAHOOMESSENGER
> http_access deny AOL BLOCK.NOT.AOL
> http_access allow AOL
> http_access deny lab.dstdomain lab.src
> http_access allow guad.lab.src
> http_access allow LOG-ONLY-HOSTS
> http_access deny NO.NONBLOCK NONBLOCK
> http_access allow NONBLOCK
> http_access allow NONPORN
> http_access deny BLOCK
> http_access deny MIMEBLOCK
> http_access deny RESTRICTED-BROWSER
> http_access deny RESTRICTED-DOM
> http_access allow PERMITTED-HOSTS

You are aware that each allow you have above not combined with a src type
acl allows everyone in the whole world access to those sites?

> http_access allow manager ADMIN-HOSTS
> http_access deny manager

These two lines can never be reached. The first should be moved up to the
top, the second deleted.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

These two should be before your very first allow rule.

> http_access deny to_localhost

Having this at the end makes no sense. It should be before where you allow
access, as you cannot deny what you have already allowed or the reverse.

> http_access deny all

Regards
Henrik
Received on Tue Aug 24 2004 - 15:09:06 MDT
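A small first-match evaluator for the rule ordering discussed above, added here as an illustration and not code from the thread or from squid. It models each ACL as a set of request attributes (constructed names and addresses) rather than squid's real ACL types, and shows both the allow-without-src problem and the unreachable manager lines.

```python
# Constructed, simplified model of squid's http_access evaluation (added example).
# Each ACL is the set of request attributes it requires; "all" requires nothing.
ACLS = {
    "manager": {"proto=cache_object"},
    "localhost": {"src=127.0.0.1"},
    "ADMIN-HOSTS": {"src=10.0.0.5"},       # constructed address
    "KIOSK": {"src=10.0.0.50"},            # constructed address
    "KIOSK.dstdomain": {"dst=kiosk.example.org"},
    "YAHOOMESSENGER": {"dst=messenger.yahoo.com"},
    "all": set(),
}

# A trimmed version of the posted rule list, kept in the posted order.
RULES = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("allow", ["KIOSK", "KIOSK.dstdomain"]),
    ("allow", ["YAHOOMESSENGER"]),          # no src ACL on this line
    ("allow", ["manager", "ADMIN-HOSTS"]),  # already shadowed by line 2
    ("deny", ["manager"]),                  # likewise
    ("deny", ["all"]),
]

def acl_matches(term, request):
    """A term is an ACL name, optionally prefixed with '!' to negate it."""
    negate = term.startswith("!")
    hit = ACLS[term.lstrip("!")] <= request
    return hit != negate

def evaluate(rules, request):
    """The first line whose ACLs all match decides. Returns (action, line index).
    When no line matches, squid applies the opposite of the last line's action."""
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(t, request) for t in terms):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def unreachable(rules):
    """Indices of lines that can never decide anything: if a line's ACL set is a
    superset of an earlier line's set, every request matching it matched earlier."""
    seen, dead = [], []
    for i, (_, terms) in enumerate(rules):
        terms = set(terms)
        if any(prev <= terms for prev in seen):
            dead.append(i)
        seen.append(terms)
    return dead
```

Running `evaluate` on a non-KIOSK client fetching messenger.yahoo.com, or on the KIOSK fetching the same site, returns allow at line index 3, while a manager request from the admin host stops at the early `deny manager`; `unreachable(RULES)` reports the two shadowed manager lines.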