Chris,
All that i know is that everything runs in order. So if it finds a allow
first it will allow and stop looking there. If it finds a deny first
then it will stop at that. This is the way my firewall works so i think
that this is how squid is working. Maybe someone else can correct me if
i'm wrong.
On Thu, 2002-11-07 at 09:50, Chris Tatro wrote:
> I did what you suggested and it works now! Thanks for all
> the help you have been great, I don’t understand why
> moving that line would make it work. Do you?
>
>
> On 07 Nov 2002 09:19:27 -0600
> Edward Mann <edward@arctechnology.com> wrote:
> >Chris,
> >I would try and move http_access allow manager localhost
> >above
> >http_access deny blocked_urls. I just did this on my
> >setup and it
> >worked. give it a try. I have moved them below so you can
> >see what i
> >did.
> >
> >
> >On Thu, 2002-11-07 at 08:34, Chris Tatro wrote:
> >> Here is a cleaned up version of my squid.conf
> >>
> >> You can see exactly why I am not allowed to view the
> >>cache
> >> manager because it is denied from my restricted users
> >> rule. I there a way for me to get around not having to
> >> authenticate for the cache manager? If I remove the
> >>rules
> >> below from my squid.conf:
> >>
> >> http_access allow restricted_users
> >> restricted_users_websites http_ports my_network
> >> http_access allow unrestricted_users all http_ports
> >> my_network
> >>
> >> I am then allowed to go into the cache manager. So it is
> >> something about these rules that is causing the problem.
> >>
> >>
> >> I have turned the “debug_options ALL,1 28,9” on in
> >> squid.conf to debug my ACLs and I get the following in
> >>the
> >> cache.log when I try to access the Cache manager:
> >>
> >>
> >> 2002/11/07 05:15:51| The request GET
> >> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
> >> is ALLOWED, because it matched 'my_network'
> >>
> >> 2002/11/07 05:15:52| The reply for GET
> >> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
> >> is ALLOWED, because it matched 'all'
> >>
> >> 2002/11/07 05:16:56| The request GET
> >> cache_object://localhost/ is DENIED, because it matched
> >> 'restricted_users'
> >>
> >> 2002/11/07 05:16:56| The reply for GET
> >> cache_object://localhost/ is ALLOWED, because it matched
> >> 'all'
> >>
> >> So the problem is definetly a ACL prbelm but I for the
> >> life of me can’t figure it out. Thank you so much for
> >>your
> >> help so far it has helped me pin point the problem
> >>further
> >> but only if I could fix it now . Do you have any
> >> further ideas?
> >>
> >> Below i have pasted my entire squid.conf and i have also
> >> attached the file for your convince.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> http_port 8080
> >> icp_port 0
> >> hierarchy_stoplist cgi-bin ?
> >>
> >> acl QUERY urlpath_regex cgi-bin \?
> >> acl squidserver dst 172.16.1.226/255.255.255.255
> >> no_cache deny QUERY squidserver
> >>
> >> maximum_object_size 50 MB
> >>
> >> cache_dir ufs /var/spool/squid 5000 16 256
> >>
> >> debug_options ALL,1 33,2
> >>
> >> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> >> auth_param ntlm children 5
> >> auth_param ntlm max_challenge_reuses 0
> >> auth_param ntlm max_challenge_lifetime 2 minutes
> >>
> >> auth_param basic program /usr/lib/squid/wb_auth
> >> auth_param basic children 5
> >> auth_param basic realm Squid proxy-caching web server
> >> auth_param basic credentialsttl 2 hours
> >>
> >>
> >>
> >> refresh_pattern ^ftp: 1440 20% 10080
> >> refresh_pattern ^gopher: 1440 0% 1440
> >> refresh_pattern . 0 20% 4320
> >>
> >> positive_dns_ttl 2 day
> >>
> >> acl all src 0.0.0.0/0.0.0.0
> >> acl manager proto cache_object
> >> acl localhost src 127.0.0.1/255.255.255.255
> >> acl http_ports port 80 443 563 10000
> >>
> >>
> >> acl CONNECT method CONNECT
> >> acl proxy_server dst 172.16.1.226/255.255.255.255
> >> acl restricted_users_websites dstdomain
> >> "/etc/squid/restricted_users_websites.txt"
> >> acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
> >>
> >> acl unrestricted_users proxy_auth
> >> "/etc/squid/unrestricted_users.txt"
> >> acl restricted_users proxy_auth
> >> "/etc/squid/restricted_users.txt"
> >>
> >> acl downloads rep_mime_type
> >> "/etc/squid/mime_type_blocked_download.txt"
> >> acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"
> >> acl available_download_websites dstdomain
> >> "/etc/squid/available_download_websites.txt"
> >
> >http_access allow manager localhost
> >> http_access deny blocked_urls
> >>
> >> http_access allow restricted_users
> >> restricted_users_websites http_ports my_network
> >> http_access allow unrestricted_users all http_ports
> >> my_network
> >> http_access allow proxy_server http_ports my_network
> >>
> >>
> >
> >> miss_access allow all
> >>
> >> http_access allow localhost
> >> http_access deny all
> >>
> >>
> >> http_reply_access allow available_download_websites
> >> http_reply_access deny downloads
> >> http_reply_access allow all
> >>
> >> icp_access allow all
> >> cache_mgr
> >> JacobsA@WausauHomes.com;WizaB@WausauHomes.com;TatroC@WausauHomes.com
> >> visible_hostname SQUID
> >> memory_pools off
> >> coredump_dir /var/spool/squid
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: Edward Mann [mailto:edward@arctechnology.com]
> >> Sent: Wednesday, November 06, 2002 5:53 PM
> >> To: Chris Tatro
> >> Cc: squid-users@squid-cache.org
> >> Subject: Re: [squid-users] proxy_auth help
> >>
> >>
> >> Chris,
> >>
> >> wb_group you don't need, that was just something out of
> >>my
> >> setup.
> >>
> >> Can you send me your entire config file. I have
> >>re-ordered
> >> things to work the way that i have mine setup.
> >>
> >> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> >> auth_param ntlm children 5
> >> auth_param ntlm max_challenge_reuses 0
> >> auth_param ntlm max_challenge_lifetime 2 minutes
> >>
> >> auth_param basic program /usr/lib/squid/wb_auth
> >> auth_param basic children 5
> >> auth_param basic realm Squid proxy-caching web server
> >> auth_param basic credentialsttl 2 hours
> >>
> >> acl all src 0.0.0.0/0.0.0.0
> >> acl manager proto cache_object
> >> acl localhost src 127.0.0.1/255.255.255.255
> >> acl http_ports port 1-65000
> >>
> >> #acl CONNECT method CONNECT
> >> acl proxy_server dst 172.16.1.226/255.255.255.255
> >> acl restricted_users_websites dstdomain
> >> "/etc/squid/restricted_users_websites.txt"
> >> acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
> >>
> >> external_acl_type NT_auth %LOGIN /usr/lib/squid/wb_auth
> >> acl FullAccess external NT_auth all
> >>
> >> acl unrestricted_users proxy_auth
> >> "/etc/squid/unrestricted_users.txt"
> >> acl restricted_users proxy_auth
> >> "/etc/squid/restricted_users.txt"
> >>
> >> acl downloads rep_mime_type
> >> "/etc/squid/mime_type_blocked_download.txt"
> >> acl blocked_urls url_regex "/etc/squid/blocked_urls.txt"
> >> acl available_download_websites dstdomain
> >> "/etc/squid/available_download_websites.txt"
> >>
> >> http_access deny blocked_urls
> >> http_access allow restricted_users
> >> restricted_users_websites http_ports my_network
> >> http_access allow unrestricted_users all http_ports
> >> my_network http_access allow proxy_server http_ports
> >> my_network http_access allow FullAccess
> >>
> >> http_access allow manager localhost
> >> http_access allow manager FullAccess
> >>
> >>
> >> Okay this is all i can think of right now. I am in the
> >> middle of re-ip addressing our network, so my brain is a
> >> little scattered. Talk to you later.
> >>
> >>
> >>
> >> On Wed, 2002-11-06 at 13:43, Chris Tatro wrote:
> >> > Below I have pasted my acls, http_access and
> >>auth_param lines. I tried
> >> > what you suggested Edward but I am still not having
> >>any luck. Do I
> >> > need to type some kind of password and user name in to
> >>get at the
> >> > Cache Manger through Webmin? Before I turned
> >>proxy_auth on I never had
> >> > to type in a password and user name to get at the
> >>Cache
> >> > manager I simply changed the port and number to 8080.
> >>I
> >> > know it has to be something simple I am doing wrong
> >>but I
> >> > for the life of me can˘t figure it out.
> >> > Also Edward I do not have a wb_group module I have a
> >> > wb_auth module I am running samba 2.2.6. Am I suppose
> >>to
> >> > have a wb_group module?
> >> >
> >> > Thanks for the help so far it is very appreciated.
> >> >
> >> >
> >> >
> >> > acl all src 0.0.0.0/0.0.0.0
> >> > acl manager proto cache_object
> >> > acl localhost src 127.0.0.1/255.255.255.255
> >> > acl http_ports port 1-65000
> >> >
> >> > acl CONNECT method CONNECT
> >> > acl proxy_server dst 172.16.1.226/255.255.255.255
> >> > acl restricted_users_websites dstdomain
> >> > "/etc/squid/restricted_users_websites.txt"
> >> > acl my_network src 172.16.0.0-172.25.0.0/255.255.0.0
> >> >
> >> > external_acl_type NT_auth %LOGIN
> >>/usr/lib/squid/wb_auth
> >> > acl FullAccess external NT_auth all
> >> >
> >> > acl unrestricted_users proxy_auth
> >>"/etc/squid/unrestricted_users.txt"
> >> > acl restricted_users proxy_auth
> >> > "/etc/squid/restricted_users.txt"
> >> >
> >> > acl downloads rep_mime_type
> >> > "/etc/squid/mime_type_blocked_download.txt"
> >> > acl blocked_urls url_regex
> >>"/etc/squid/blocked_urls.txt"
> >> > acl available_download_websites dstdomain
> >> > "/etc/squid/available_download_websites.txt"
> >> >
> >> >
> >> >
> >> >
> >> > http_access deny blocked_urls
> >> > http_access allow restricted_users
> >> > restricted_users_websites http_ports my_network
> >> > http_access allow unrestricted_users all http_ports
> >>my_network
> >> > http_access allow proxy_server http_ports my_network
> >> > http_access allow FullAccess
> >> >
> >> > http_access allow manager localhost
> >> > http_access allow manager FullAccess
> >> >
> >> > auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> >> > auth_param ntlm children 5
> >> > auth_param ntlm max_challenge_reuses 0
> >> > auth_param ntlm max_challenge_lifetime 2 minutes
> >> >
> >> > auth_param basic program /usr/lib/squid/wb_auth
> >> > auth_param basic children 5
> >> > auth_param basic realm Squid proxy-caching web server
> >>auth_param basic
> >> > credentialsttl 2 hours
> >> >
> >> >
> >> >
> >> >
> >> > On 06 Nov 2002 08:58:38 -0600
> >> > Edward Mann <edward@arctechnology.com> wrote:
> >> > >ACL run in order. Using the ip address, something
> >>like
> >> > >this should do
> >> > >the trick.
> >> > >
> >> > >acl nopasswd src 10.251.0.38/255.255.0.0
> >>10.251.0.39/255.255.0.0
> >> > >
> >> > >external_acl_type NT_global_group %LOGIN
> >>/usr/lib/squid/wb_group
> >> > >acl FullAccess external NT_global_group internet
> >> > >
> >> > >
> >> > >http_access allow nopasswd
> >> > >http_access allow FullAccess
> >> > >
> >> > >
> >> > >See if that works.
> >> > >
> >> > >On Wed, 2002-11-06 at 05:48, Chris Tatro wrote:
> >> > >> I have all the users authenticating through the NT
> >> > >>domain
> >> > >> controller via winbind from samba. How do I write a
> >>ACL with
> >> > >>proxy_auth to allow 2 computer to get through
> >>without
> >> > >> authenticating?
> >> > >> Is this possible?
> >> > >>
> >> > >> Thanks
> >> > >>
> >> > >> >PS I found this post which says what I need to do
> >>to
> >> > >>get my cachemgr.cgi working.
> >> > >>
> >> > >>
> >> > >> >You need to allow the host where cachemgr.cgi runs
> >> > >>access without
> >> > >> >proxy_auth.
> >> > >>
> >> > >> >I have a small patch to cachemgr.cgi to allow it
> >>to be
> >> > >>used in
> >> > >> >proxy_auth environments.
> >> > >>
> >> > >> ---
> >> > >> >Henrik Nordstrom
> >> > >> >Spare time Squid hacker
> >> > >>
> >> > >> >Alex Pikus wrote:
> >> > >
> >> >
> >> > <TEXTAREA NAME="Signature" ROWS="4"
> >>COLS="60"><TEXTAREA
> >> > NAME="Signature" ROWS="4" COLS="60">
> >>
> >> ---
> >> Incoming mail is certified Virus Free.
> >> Checked by AVG anti-virus system
> >>(http://www.grisoft.com).
> >> Version: 6.0.408 / Virus Database: 230 - Release Date:
> >> 10/24/2002
> >> failure
> >> ---
> >> Outgoing mail is certified Virus Free.
> >> Checked by AVG anti-virus system
> >>(http://www.grisoft.com).
> >> Version: 6.0.408 / Virus Database: 230 - Release Date:
> >> 10/24/2002
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> You can see exactly why I am not allowed to view the
> >>cache
> >> manager because it is denied from my restricted users
> >> rule. I there a way for me to get around not having to
> >> authenticate for the cache manager? If I remove the
> >>rules
> >> below from my squid.conf:
> >>
> >> http_access allow restricted_users
> >> restricted_users_websites http_ports my_network
> >> http_access allow unrestricted_users all http_ports
> >> my_network
> >>
> >> I am then allowed to go into the cache manager. So it is
> >> something about these rules that is causing the problem.
> >>
> >>
> >> I have turned the “debug_options ALL,1 28,9” on in
> >> squid.conf to debug my ACLs and I get the following in
> >>the
> >> cache.log when I try to access the Cache manager:
> >>
> >>
> >> 2002/11/07 05:15:51| The request GET
> >> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
> >> is ALLOWED, because it matched 'my_network'
> >>
> >> 2002/11/07 05:15:52| The reply for GET
> >> http://172.16.1.226:10000/syslog/save_log.cgi?idx=10&view=1
> >> is ALLOWED, because it matched 'all'
> >>
> >> 2002/11/07 05:16:56| The request GET
> >> cache_object://localhost/ is DENIED, because it matched
> >> 'restricted_users'
> >>
> >> 2002/11/07 05:16:56| The reply for GET
> >> cache_object://localhost/ is ALLOWED, because it matched
> >> 'all'
> >>
> >> So the problem is definetly a ACL prbelm but I for the
> >> life of me can’t figure it out. Thank you so much for
> >>your
> >> help so far it has helped me pin point the problem
> >>further
> >> but only if I could fix it now . Do you have any
> >> further ideas?
> >>
> >>
> >>
> >>
> >>
> >
>
> <TEXTAREA NAME="Signature" ROWS="4" COLS="60"><TEXTAREA
> NAME="Signature" ROWS="4" COLS="60">
Received on Thu Nov 07 2002 - 08:55:10 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:13 MST