
Re: Squid ACLs does not work



OK, I've tried it on my setup and the answer seems to be that
you have your http_access statements in the wrong order;
try re-arranging this section of squid.conf as follows:

> >> http_access allow manager localhost
> >> http_access deny manager
> >> http_access allow purge localhost
> >> http_access deny purge
> >> http_access deny !Safe_ports
> >> http_access deny CONNECT !SSL_ports
> >> http_access deny BanDomains
> >> http_access allow localdomain

AFAICT, squid uses the first matching ACL that it can find;
because you had
 http_access allow localdomain
at the head of the list, squid allows any request from
localdomain without reference to subsequent controls.  This
would also make it important to place these http_access
statements after those controlling access to the cachemanager,
etc.

On Fri, Mar 24, 2000 at 09:09:04PM +0100, sgaerner@shining.shadow.org wrote
> Yes, I ran /etc/init.d/squid restart to reload the config file and the
> /etc/ban_domains.squid is readable to all, so this should not be a problem.
> 
> Sven
> 
> On 24-Mar-2000 John Pearson wrote:
> > On Thu, Mar 23, 2000 at 11:13:42PM +0100, sgaerner@shining.shadow.org wrote
> >> Hi,
> >> 
> >> I have some problems with squid and its ACLs.
> >> 
> >> I'm using Debian 2.2 with Kernel 2.2.13 and squid 2.2STABLE5.
> >> My ACL section in /etc/squid.conf looks like the following.
> >> 
> >> acl all src 0.0.0.0/0.0.0.0
> >> acl manager proto cache_object
> >> acl localhost src 127.0.0.1/255.255.255.255
> >> acl SSL_ports port 443 563
> >> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> >> acl purge method PURGE
> >> acl CONNECT method CONNECT
> >> acl BanDomains dstdomain "/etc/ban_domains.squid"
> >> acl localdomain srcdomain localdomain.own
> >> :
> >> http_access allow localdomain
> >> http_access deny BanDomains
> >> http_access allow manager localhost
> >> http_access deny manager
> >> http_access allow purge localhost
> >> http_access deny purge
> >> http_access deny !Safe_ports
> >> http_access deny CONNECT !SSL_ports
> >> 
> >> And the file /etc/ban_domains.squid looks like...
> >> netscape.com
> >> microsoft.com
> >> msdn.com
> >> realnetworks.com
> >> 
> >> But when I try to connect to www.microsoft.com the proxy resolves the hostname
> >> and connects. (My browser is configured to use the proxy, of course...).
> >> 
> >> Does anyone have an idea where I made a mistake?
> >> 
> > 

HTH,


John P.
-- 
huiac@camtech.net.au
john@huiac.apana.org.au
"Oh - I - you know - my job is to fear everything." - Bill Gates in Denmark

