Ross Kovelman wrote:
> 1) Thanks!
>
> 2)Here is my ACL and http access lines:
> acl bad_url dstdomain "/xxx/Squid/etc/bad-sites.squid"
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl our_networks src 192.168.16.0/255.255.255.0
> acl to_localhost dst 127.0.0.0/8
> acl workdays time MTWHF 8:30-12:00
> acl workdays time MTWHF 13:30-18:00
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # Restrict cachemgr access
> http_access allow manager localhost
> http_access deny manager
> # Block access to banned URLs
> http_access deny bad_url workdays
> # Allow users access on workdays
> http_access allow our_networks workdays
The above will not permit network access outside the specific times you
specified in "workdays".
Meaning network access is denied 12pm to 1.30pm and 6pm to 8am.
> #http_access allow out_networks
> # Deny everything else
> http_access deny all
> #
> #
> #Recommended minimum configuration:
Thee following lines are recommended since they ensure safe usage of the
dangerous features Squid provides. They really should be at teh top of
the config.
As it stands any of the workers can open a CONNECT tunnel and give
themselves unlimited access to the Internet.
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> http_access deny bad_url
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
>
> 4) All I know is going through the squid as a proxy server disables the
> login prompt. If I just access it with out proxy then I get an
> authentication box.
Sounds like something doing NTLM/Negotiate challenge authentication.
This is generally broken going through proxies.
You will need to look deeper into what is going on. The access.log and
cache.log should have more detail.
>
> 5) Again can you explain this to me for me to get pages blocked to work:
>>>> Yes. Create an ACL for normal login. Adding it to the end of the line
>>>> For example:
>>>> ... login setup
>>>> acl loginACL proxy_auth REQUIRED
>>>> http_access deny our_networks bad_url workdays !loginACL
>
> 6) Will look into WCCP and BSD...thanks
>
Amos
-- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19 Current Beta Squid 3.1.0.14Received on Fri Oct 09 2009 - 05:38:17 MDT
This archive was generated by hypermail 2.2.0 : Fri Oct 09 2009 - 12:00:02 MDT