On Mon 2003-04-07 at 11.38, Kristian Du wrote:
> Hi,
>
> I am a bit confused on how to define composite access rules.
> I have 3 different network subnets,
>
> acl net1 src 192.168.10.0/24
> acl net2 src 192.168.30.0/24
> acl net3 src 192.168.50.0/24
>
> and an acl for authenticated users,
>
> acl user_auth proxy_auth REQUIRED
>
> I would like to say that only authenticated users from the above subnets
> are allowed to access the proxy. Is the following correct?
>
> http_access allow user_auth net1
> http_access allow user_auth net2
> http_access allow user_auth net3
> http_access allow user_auth net4
> http_access allow user_auth net5
Yes, but I would make a larger acl listing all of the networks
instead... using individual acls is only needed if you want to provide
different access to different networks.

acl local_networks src 192.168.10.0/24 192.168.30.0/24 192.168.50.0/24

or alternatively

acl local_networks src "/path/to/file/listing/local/networks.txt"

http_access allow user_auth local_networks

Note: for security reasons I would recommend listing the acls in the
other order to make sure authentication is only requested if the user is
in an allowed network...

http_access allow local_networks user_auth
> From what I have gathered, every http_access rule can be looked at as
> ending with an "OR" statement. Hmmm... cryptic! ;)
http_access allow/deny acl1 AND acl2 AND acl3 AND acl4...
OR
http_access allow/deny acl5 AND acl6 AND acl7 ....
OR
...

With AND/OR in their strict boolean logic meaning, not the ambiguous
English meaning... and stopping on the first http_access line that
matches the request.
Regards
Henrik
--
Free Squid-users support provided by Henrik Nordström <hno@squid-cache.org>
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid and firewall
appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com

Received on Mon Apr 07 2003 - 06:15:50 MDT
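The AND-within-a-line / OR-across-lines / first-match evaluation described in the reply, and the effect of putting the src acl before the proxy_auth acl, as an added model that is not Squid's code and not part of the original thread. It assumes a simplified challenge rule: a 407 challenge results when the final decision is deny and the last acl evaluated was a proxy_auth acl that had no credentials to check; the config and requests are constructed samples.

```python
import ipaddress

# Constructed sample config in squid.conf shape: name -> (acl type, arguments).
ACLS = {
    "local_networks": ("src", ["192.168.10.0/24", "192.168.30.0/24",
                               "192.168.50.0/24"]),
    "user_auth": ("proxy_auth", ["REQUIRED"]),
}

def acl_matches(name, request):
    """Evaluate one acl against a request dict ({'src': ip, 'user': name|None})."""
    kind, args = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(net) for net in args)
    if kind == "proxy_auth":
        # A proxy_auth acl does not match until credentials have been supplied.
        return request.get("user") is not None
    raise ValueError(f"unsupported acl type {kind}")

def http_access(rules, request):
    """Walk http_access lines given as (action, [acl, ...]) and return
    'allow', 'deny' or 'challenge'. Assumed (simplified) challenge rule: a 407
    is sent when the decision is deny and the last acl evaluated was a
    proxy_auth acl that lacked credentials."""
    last_acl = decision = None
    for action, acl_names in rules:
        for name in acl_names:            # AND: left to right, stop on first miss
            last_acl = name
            if not acl_matches(name, request):
                break
        else:                             # every acl matched: first such line wins
            decision = action
            break
    if decision is None:                  # no line matched: opposite of last line
        decision = "deny" if rules[-1][0] == "allow" else "allow"
    if (decision == "deny" and ACLS[last_acl][0] == "proxy_auth"
            and request.get("user") is None):
        return "challenge"
    return decision

# The two orderings discussed in the reply.
AUTH_FIRST = [("allow", ["user_auth", "local_networks"])]
NETWORK_FIRST = [("allow", ["local_networks", "user_auth"])]

def compare(request):
    """Result of the same request under both orderings."""
    return {"auth_first": http_access(AUTH_FIRST, request),
            "network_first": http_access(NETWORK_FIRST, request)}
```

For an unauthenticated host outside the listed networks, `compare({"src": "10.9.9.9"})` gives a challenge under the auth-first ordering but a plain deny under the network-first ordering, which is the point of the recommendation.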