Re: [squid-users] can not access sites due to acl when using ntlm auth

From: <Jim_Brouse/PYT@dont-contact.us>
Date: Tue, 24 Aug 2004 10:28:54 -0700

Part of my problem was that kiosk was defined as url_regex; it should have been
src.

These were the specifics on KIOSK:

acl KIOSK url_regex "/etc/squid/acl/kiosk.src"
acl KIOSK.dstdomain dstdomain "/etc/squid/acl/kiosk.dstdomain.acl"
http_access allow KIOSK.dstdomain
http_access allow KIOSK

Now they are:

acl KIOSK src "/etc/squid/acl/kiosk.src"
acl KIOSK.dstdomain dstdomain "/etc/squid/acl/kiosk.dstdomain.acl"
http_access allow KIOSK KIOSK.dstdomain

And it works as before. I cannot believe it was working before; thanks
everyone for the help.

Here are my http_access statements before cleanup:

> egrep -v '^$|^#' /etc/squid/squid.conf |grep http_access
> http_access allow manager localhost
> http_access deny manager
> http_access allow KIOSK.dstdomain
> http_access allow KIOSK
> http_access deny KIOSK
> http_access allow AIRMAIL
> http_access allow PAGING
> http_access deny PAGING
> http_access deny BLOCK.NOT.YAHOO
> http_access allow YAHOOMESSENGER
> http_access deny YAHOOMESSENGER
> http_access deny BLOCK.NOT.AOL
> http_access allow AOL
> http_access deny AOL
> http_access deny lab.src lab.dstdomain
> http_access allow lab.src
> http_access deny lab.src
> http_access allow LOG-ONLY-HOSTS
> http_access deny NO.NONBLOCK NONBLOCK
> http_access allow NONBLOCK
> http_access allow NONPORN
> http_access deny BLOCK
> http_access deny MIMEBLOCK
> http_access deny RESTRICTED-BROWSER
> http_access deny RESTRICTED-DOM
> http_access allow manager ADMIN-HOSTS
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny all

Here are my http_access statements after cleanup. Thanks everyone.

egrep -v '^$|^#' /etc/squid.conf |grep http_access -i
http_access allow manager localhost
http_access deny manager
http_access allow KIOSK KIOSK.dstdomain
http_access allow PAGING AIRMAIL
http_access deny BLOCK.NOT.YAHOO YAHOOMESSENGER
http_access allow YAHOOMESSENGER
http_access deny AOL BLOCK.NOT.AOL
http_access allow AOL
http_access deny lab.dstdomain lab.src
http_access allow guad.lab.src
http_access allow LOG-ONLY-HOSTS
http_access deny NO.NONBLOCK NONBLOCK
http_access allow NONBLOCK
http_access allow NONPORN
http_access deny BLOCK
http_access deny MIMEBLOCK
http_access deny RESTRICTED-BROWSER
http_access deny RESTRICTED-DOM
http_access allow PERMITTED-HOSTS
http_access allow manager ADMIN-HOSTS
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny all

Jim

Henrik Nordstrom <hno@squid-cache.org>
08/19/2004 03:00 PM

To: Jim_Brouse/PYT@PASCUAYAQUITRIBE.ORG
cc: squid-users@squid-cache.org
Subject: Re: [squid-users] can not access sites due to acl when using ntlm auth

On Thu, 19 Aug 2004 Jim_Brouse/PYT@PASCUAYAQUITRIBE.ORG wrote:

> KIOSK is an acl that list what ip can use that acl and KIOSK.dstdomain
> list what sites KIOSK can get to and it seems to work good. I did remove
> http_access deny KIOSK but when I tried to combine the two statements
> that I think I need,

Then you should use

http_access allow KIOSK KIOSK.dstdomain
http_access deny KIOSK

> That did not work the users in KIOSK can no longer access sites listed at
> KIOSK.dstdomain which is the goal.

Then something is wrong with either of these two acls.

http_access allow A
http_access allow B

is very different from

http_access allow A B

The first allows access if either of the criteria is fulfilled. The
second allows access only if both criteria are fulfilled. And this is one
of the many things about Squid access controls that we try to explain in the
Squid FAQ chapter 10 introduction.

But the source of your authentication problem is most likely my last
comment. Somewhere you need to allow the request before it is denied, and
denying some stuff just before you deny all access does not make much
sense does it?

Regards
Henrik
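Henrik's point that separate http_access lines are OR while ACLs on one line are AND, as an added example that is not part of the thread: a small Python evaluator of Squid's first-match http_access logic over constructed src and dstdomain ACLs. The 10.0.5.0/24 range and .example.org domain are assumptions, not Jim's real lists.

```python
import ipaddress

# Constructed ACL definitions (assumed, not from the thread): a src list and a dstdomain list.
ACLS = {
    "KIOSK": ("src", ["10.0.5.0/24"]),
    "KIOSK.dstdomain": ("dstdomain", [".example.org"]),
    "all": ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, client_ip, host):
    """Return True if the named ACL matches this request (src and dstdomain only)."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        # Squid semantics: a leading dot matches the domain and all its subdomains,
        # a bare name matches that host exactly.
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError(kind)

def http_access(rules, client_ip, host):
    """Walk http_access lines in order; the first line whose ACLs ALL match wins.
    Each rule is (action, [acl, ...]); a '!' prefix negates that one ACL.
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, acls in rules:
        hit = True
        for acl in acls:
            negated = acl.startswith("!")
            if acl_matches(acl.lstrip("!"), client_ip, host) == negated:
                hit = False  # one ACL on the line failed, so the whole line fails
                break
        if hit:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The two orderings Henrik contrasts: two lines (OR) versus one line with both ACLs (AND).
BEFORE = [("allow", ["KIOSK.dstdomain"]), ("allow", ["KIOSK"]), ("deny", ["all"])]
AFTER = [("allow", ["KIOSK", "KIOSK.dstdomain"]), ("deny", ["all"])]

def decisions(rules):
    """Decide three constructed requests: kiosk host to a kiosk site,
    kiosk host to any other site, and a non-kiosk host to a kiosk site."""
    requests = [("10.0.5.7", "www.example.org"),
                ("10.0.5.7", "www.example.net"),
                ("192.0.2.9", "www.example.org")]
    return tuple(http_access(rules, ip, h) for ip, h in requests)
```

With BEFORE every one of the three requests is allowed, because each line is checked on its own; with AFTER only the kiosk host reaching a kiosk site gets through.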
Received on Tue Aug 24 2004 - 11:29:00 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:02 MDT