Re: [squid-users] acl question

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 09 Apr 2008 00:29:05 +1200

Paul Houselander (SME) wrote:
> Hi
>
> I've been using IPs in ACLs to restrict access to squid, a redirector
> (squidguard) and a parent proxy (virus scanning proxy)
>
> This has been working fine and part of my squid.conf is below
>
> # Everything ACL - goes via parent and squidguard
> acl everything src "/etc/squid/acl/everything"
> http_access allow everything
> never_direct allow everything
> redirector_access allow everything
>
> # nothing ACL stops parent and redirector
> acl nothing src "/etc/squid/acl/nothing"
> http_access allow nothing
> always_direct allow nothing
> redirector_access deny nothing
>
> # noparent ACL always direct stops it from forwarding to parent
> acl novirus src "/etc/squid/acl/novirus"
> http_access allow novirus
> always_direct allow novirus
>
> # nofilter ACL uses redirector access to stop requests going to the redirector (squidguard)
> acl nofilter src "/etc/squid/acl/nofilter"
> http_access allow nofilter
> redirector_access deny nofilter
>
> http_access allow localhost
> http_access deny all
>
> This is fine for static IPs and does exactly what I want, i.e. put an IP in
> /etc/squid/acl/everything and it gets filtered and forwarded to the parent,
> put an address in /etc/squid/acl/nothing and it goes direct and bypasses the
> redirector/squidguard.
>
> I wanted to allow roaming users to use my squid so I've tried adding
> authentication using the below. Aim was if I knew their IP it would be in
> one of the acl files so no username/password prompt, if their IP was not in
> the acl files it would pop up a username password - again I wanted control
> based on username whether they should go via the parent/redirector or not
>
> # testing authentication
> acl nothing_auth proxy_auth "/etc/squid/acl/nothing_auth"
> http_access allow nothing_auth
> always_direct allow nothing_auth
> redirector_access deny nothing_auth
>
> acl everything_auth proxy_auth "/etc/squid/acl/everything_auth"
> http_access allow everything_auth
> never_direct allow everything_auth
> redirector_access allow everything_auth
>
> Which seemed to work but I noticed an IP I had in
> "/etc/squid/acl/everything" which was going via the parent and redirector
> started going direct? If I comment out all my proxy_auth lines and restart
> squid all works again. Can you mix proxy_auth and IP based ACLs like this?
> Other relevant bits of my squid.conf below
>
> url_rewrite_program /usr/bin/squidguard
> url_rewrite_children 10
>
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid.users
> auth_param basic children 5
> auth_param basic realm web filter
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
>

To answer your question: There should be no problem mixing several types
of ACL. It's just a matter of sequence.

However since I can't tell from your examples the exact order of ACL and
*_access permissions in your squid.conf I can't offer any help as to
what the problem is.

Amos

-- 
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
Received on Tue Apr 08 2008 - 06:28:47 MDT
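
Added example (not part of the original thread and not Squid code): a simplified Python model of the top-down, first-match evaluation that "a matter of sequence" refers to, applied to http_access with one src and one proxy_auth ACL named as in the quoted config. The addresses, the username and the assumption that any supplied credentials were already verified by the auth helper are constructed for illustration.

```python
# Simplified model of Squid's first-match evaluation of http_access lines.
# All addresses, usernames and ACL contents below are constructed samples.

ACLS = {
    "everything":      ("src", {"192.0.2.10"}),       # known static IP
    "everything_auth": ("proxy_auth", {"roaming1"}),  # roaming user
    "all":             ("all", None),
}

def acl_matches(acl, ip, user):
    """Return True/False, or 'need_auth' when credentials are required but absent."""
    kind, members = ACLS[acl]
    if kind == "all":
        return True
    if kind == "src":
        return ip in members
    if user is None:  # proxy_auth tested on a request that carries no credentials
        return "need_auth"
    return user in members  # assumption: password already checked by the helper

def http_access(rules, ip, user=None):
    """Walk the rules top-down; the first line whose ACL matches decides."""
    for action, acl in rules:
        result = acl_matches(acl, ip, user)
        if result == "need_auth":
            return "407 challenge"
        if result:
            return action
    return "deny"  # not reached here: both rule lists end in 'deny all'

# Same three lines, two different orders.
SRC_FIRST = [("allow", "everything"), ("allow", "everything_auth"), ("deny", "all")]
AUTH_FIRST = [("allow", "everything_auth"), ("allow", "everything"), ("deny", "all")]

def compare(ip, user=None):
    """Outcome for one request under (SRC_FIRST, AUTH_FIRST)."""
    return http_access(SRC_FIRST, ip, user), http_access(AUTH_FIRST, ip, user)

if __name__ == "__main__":
    for ip, user in [("192.0.2.10", None), ("198.51.100.7", None),
                     ("198.51.100.7", "roaming1"), ("198.51.100.7", "stranger")]:
        print(ip, user, compare(ip, user))
```

With the src line first, the known address is allowed before any proxy_auth ACL is tested, so only unknown addresses see a password prompt; with the proxy_auth line first, every client without credentials is challenged.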
