Re: restrict hosts to particular domains

From: Joel Taqueban <[email protected]>
Date: Sat, 27 May 2000 01:15:06 +0800

Henrik,

I hope you wouldn't mind if I bring this problem up again. I
still have this problem, and I tried a number of times playing with the
ACLs, but I still can't restrict some IPs or hosts to accessing only a
particular domain. What is a better way of doing this, really?

Joel

Henrik Nordstrom wrote:

> You allow all ldap users access to everything without restrictions.
>
> --
> Henrik Nordstrom
> Squid hacker
>
> Joel Taqueban wrote:
> >
> > Thanks for the reply,
> >
> > I've tried making changes to the ACLs. Here is my complete list:
> >
> > acl all src 0.0.0.0/0
> > acl ldap proxy_auth REQUIRED
> > acl allowedsites dstdomain dhl.com
> > acl allowedhosts src 199.40.218.10-15
> > acl allowedtime time S M T W H F A 06:00-21:00
> >
> > http_access allow ldap
> > http_access allow allowedhosts allowedsites
> > http_access allow allowedtime
> > http_access deny all
> >
> > I did squid -k reconfigure, but those IPs could still access
> > non-DHL sites.
> > And when I look into the cache.log file I can't see any warnings on
> > missing ACL declarations after re-reading the Squid conf file. I
> > even did a "squid --" and it doesn't return anything about missing ACLs.
> >
> > Anything or anywhere I need to check please?
> >
> > Joel
> >
> > Henrik Nordstrom wrote:
> >
> > alowe@hislora.com.au wrote:
> > >
> > > try this modified stuff:
> > >
> > > > How do I define on my squid.conf file to restrict particular IPs to
> > > > access only certain domains?
> > > >
> > > > I've tried doing the ff:
> > > >
> > > > acl allowedsites dstdomain dhl.com
> > > > acl allowedhost src 199.40.218.10-15/255.255.255.0
> > > >
> > > ># Remove this line--> http_access allow allowedsites
> > > > http_access allow allowedhost allowed_sites
> > > > http_access deny all
> > >
> > > the line marked remove is actually allowing the allowedsites to access
> > > anything, by just putting the second and third line, you allow them to the
> > > allowed_sites but nowhere else...
> >
> > Not quite.
> >
> > The first line allows everyone access to the host dhl.com.
> >
> > The second line is bungled in two ways:
> > a) There is no allowed_sites ACL defined
> > b) The allowedsites ACL is wrongly defined if your intention is to only
> > match those 6 addresses. The netmask masks out the addresses and the ACL
> > matches the whole class-C subnet. IP host ranges are better written
> > without any netmask.
> >
> > However, this does not explain the behaviour you are seeing.
> >
> > Are there any other http_access lines before your "deny all" line?
> > Are there any warnings about missing ACL declarations in cache.log when
> > Squid is starting up?
> > How is the ACL "all" defined? It SHOULD and MUST be defined as
> > 0.0.0.0/0, nothing else.
> >
> > --
> > Henrik Nordstrom
> > Squid hacker
Received on Fri May 26 2000 - 11:11:48 MDT
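
An added illustration, not part of the original thread and not Squid code: a small Python model of the http_access list quoted above, evaluated top-down with the first matching line deciding. It assumes proxy authentication succeeds and the time is inside 06:00-21:00, treats the src range as the six addresses .10 to .15, and `REORDERED` is a hypothetical arrangement of the same lines plus one added deny.

```python
import ipaddress

# Constructed model of the ACLs in the quoted list. Assumptions: the user has
# authenticated and the clock is inside 06:00-21:00, so "ldap" and
# "allowedtime" match every request.
LO = ipaddress.ip_address("199.40.218.10")
HI = ipaddress.ip_address("199.40.218.15")

ACLS = {
    "all": lambda src, host: True,
    "ldap": lambda src, host: True,
    "allowedtime": lambda src, host: True,
    "allowedsites": lambda src, host: host == "dhl.com",
    "allowedhosts": lambda src, host: LO <= ipaddress.ip_address(src) <= HI,
}

# http_access lines in the order posted: (action, ACL names ANDed together).
AS_POSTED = [
    ("allow", ["ldap"]),
    ("allow", ["allowedhosts", "allowedsites"]),
    ("allow", ["allowedtime"]),
    ("deny", ["all"]),
]

# Hypothetical reordering: decide the six hosts first, then everyone else.
REORDERED = [
    ("allow", ["allowedhosts", "allowedsites"]),
    ("deny", ["allowedhosts"]),  # added line: the six hosts get nothing else
    ("allow", ["ldap"]),
    ("allow", ["allowedtime"]),
    ("deny", ["all"]),
]

def http_access(rules, src, host):
    """Return (action, line number) of the first rule whose ACLs all match."""
    for lineno, (action, names) in enumerate(rules, start=1):
        if all(ACLS[name](src, host) for name in names):
            return action, lineno
    return "deny", None  # not reached here: "deny all" matches everything

if __name__ == "__main__":
    samples = [("199.40.218.12", "dhl.com"),       # restricted host, DHL site
               ("199.40.218.12", "example.org"),   # restricted host, other site
               ("199.40.218.99", "example.org")]   # ordinary authenticated user
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for src, host in samples:
            print(label, src, host, http_access(rules, src, host))
```
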
