Re: [squid-users] can not access sites due to acl when using ntlm auth

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 19 Aug 2004 09:36:34 +0200 (CEST)

On Wed, 18 Aug 2004 Jim_Brouse/PYT@PASCUAYAQUITRIBE.ORG wrote:

>> http_access allow manager localhost
>> http_access deny manager

Ok

>> http_access allow KIOSK.dstdomain
>> http_access allow KIOSK

Is this really what you want?

Allow everyone access to KOISK.dstdomain

Allow KIOSK access to everything.

>> http_access deny KIOSK

This is redundant due to the above.

>> http_access allow MYAIRMAIL

>> http_access allow PAGING

>> http_access deny PAGING

This is redundand. You can not deny what you have already allowed.

>> http_access deny BLOCK.NOT.YAHOO
>> http_access allow YAHOOMESSENGER
>> http_access deny YAHOOMESSENGER

This i redundant.

>> http_access deny BLOCK.NOT.AOL
>> http_access allow AOL
>> http_access deny AOL

This is redundant.

>> http_access deny lab.src lab.dstdomain
>> http_access allow lab.src
>> http_access deny lab.src

This is redundant.

>> http_access allow LOG-ONLY-HOSTS
>> http_access deny NO.NONBLOCK NONBLOCK
>> http_access allow NONBLOCK
>> http_access allow NONPORN
>> http_access deny BLOCK
>> http_access deny MIMEBLOCK
>> http_access deny RESTRICTED-BROWSER
>> http_access deny RESTRICTED-DOM

>> http_access allow manager ADMIN-HOSTS
>> http_access deny manager

This is redundant due to the first two rules already taking care of all
manager access.

>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access deny to_localhost

These should be much higher, before your own first accept rule.

Somewhere before this last deny of everything else it looks like there is
some allow statements missing, allowing access after you have filtered out
all the things you do not want to see..

>> http_access deny all

Regards
Henrik
Received on Thu Aug 19 2004 - 01:36:40 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:02 MDT