Re: restrict hosts to particular domains

From: Henrik Nordstrom <[email protected]>
Date: Wed, 03 May 2000 20:20:23 +0200

You allow all ldap users access to everything without restrictions.

--
Henrik Nordstrom
Squid hacker
Joel Taqueban wrote:
> 
> Thanks for the reply,
> 
> I've tried making changes to the ACLs.   Here is my complete list:
> 
>      acl all src 0.0.0.0/0
>      acl ldap proxy_auth REQUIRED
>      acl allowedsites dstdomain dhl.com
>      acl allowedhosts src 199.40.218.10-15
>      acl allowedtime time S M T W H F A 06:00-21:00
> 
>      http_access allow ldap
>      http_access allow allowedhosts allowedsites
>      http_access allow allowedtime
>      http_access deny all
> 
> did squid -k reconfigure but still those IPs could still access
> non-DHL sites
> And when I look into the cache.log file I can't see any warnings on
> missing ACL declarations after re-reading the Squid conf file.   I
> even do a "squid --" and it doesn't return me about missing ACLs.
> 
> Anything or anywhere I need to check please?
> 
> Joel
> 
> Henrik Nordstrom wrote:
> 
>      alowe@hislora.com.au wrote:
>      >
>      > try this modified stuff:
>      >
>      > > How do I define on my squid.conf file to restrict
>      particular IPs to
>      > > access only certain domains?
>      > >
>      > > I've tried doing the ff:
>      > >
>      > > acl allowedsites dstdomain dhl.com
>      > > acl allowedhost src 199.40.218.10-15/255.255.255.0
>      > >
>      > ># Remove this line--> http_access allow allowedsites
>      > > http_access allow allowedhost allowed_sites
>      > > http_access deny all
>      >
>      > the line marked remove is actually allowing the
>      allowedsites to access
>      > anything, by just putting the second and third line, you
>      allow them to the
>      > allowed_sites but nowhere else...
> 
>      Not quite.
> 
>      The first line allows everyone access to the host dhl.com.
> 
>      The second line is bungled in two ways:
>      a) There is no allowed_sites ACL defined
>      b) The allowedsites ACL is wrongly defined if your intention
>      is to only
>      match those 6 addresses. The netmask masks out the addresses
>      and the ACL
>      matches the whole class-C subnet. IP host ranges are better
>      written
>      without any netmask.
> 
>      However, this does not explain the behaviour you are seeing.
> 
>      Is there any other http_access lines before your "deny all"
>      line?
>      Is there any warnings about missing ACL declarations in
>      cache.log when
>      Squid is starting up?
>      How is the ACL "all" defined? It SHOULD and MUST be defined
>      as
>      0.0.0.0/0, nothing else.
> 
>      --
>      Henrik Nordstrom
>      Squid hacker
Received on Wed May 03 2000 - 12:40:14 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:53:15 MST