> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> http_access allow myAllow all  <---- becomes "http_access allow all" after Netfilter REDIRECT is switched back on.
> http_access deny myDeny all
> http_access allow localhost
> http_access allow intranet
> # And finally deny all other access to this proxy
> http_access deny all


Are you really sure the above is what you want?


http_access allow myAllow all

gives everyone in the whole world access to any sites matching
"myAllow".


I think what you want is


  http_access allow localhost
  http_access allow myAllow intranet
  http_access deny myDeny
  http_access allow intranet


Regarding the Netfilter issue, what do you get in access.log?



The problem here is that "http_access allow myAllow all" lets people load pages that _match myDeny_ and _do not match_ myAllow. Repeat: URLs that match myDeny but NOT myAllow are going through for a box on the intranet! This is the problem.


1055809010.610 17 10.1.0.100 TCP_IMS_HIT/304 201 GET http://global.msads.net/ads/PROHO2/00292SI0005_D1.gif - NONE/- image/gif
1055809010.624 160 10.1.0.100 TCP_MISS/200 464 GET http://h.msn.com/c.gif?RF=http%3a%2f%2fsea1fd%2esea1%2ehotmail%2emsn%2ecom%2fcgi%2dbin%2fHoTMaiL%3fcurmbox%3dF000000005%26a%3d7XXXXXXXXXXXXXXX3f9ce%26DoEmpty%3d1&PI=44364&DI=7474&PS=8315 - DIRECT/207.68.177.123 image/gif
1055809010.772 147 10.1.0.100 TCP_REFRESH_HIT/304 191 GET http://global.msads.net/ads/HOTBOS/0010395240007_LG.gif - DIRECT/63.236.2.126 -


The above matches myDeny only (and not myAllow) and it's going through!! http_access should have DENIED this!

I have to restart Squid for "http_access allow myAllow all" to work properly again, i.e. to deny pages that match myDeny and do not match myAllow.

After I restart Squid it works properly and I get this...
1054901999.504 44 10.1.0.100 TCP_DENIED/403 1052 GET http://ad.doubleclick.net/ad/N2434.msn/B1178769;sz=1x1 - NONE/- -
1054901999.666 51 10.1.0.100 TCP_DENIED/403 1058 GET http://global.msads.net/ads/abuimg/chrysler_msn_otp_4.swf - NONE/- -
1054902000.359 204 10.1.0.100 TCP_REFRESH_HIT/304 319 GET http://sc.msn.com/c/portal/misc/tp.gif - DIRECT/207.68.172.236 -


because it matches myDeny only (doesn't match myAllow).

But after I switch off Netfilter REDIRECT for a few hours and then switch it back on, the problem returns: Squid is allowing everything through, even requests that match myDeny only.
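The disagreement above is about how Squid evaluates http_access lines: each line is an action plus a list of ACLs that must all match (AND), lines are tried in order, the first fully matching line decides, and if nothing matches Squid takes the opposite of the last line's action. The following simulator, added here and not taken from the thread or from Squid's source, models exactly those rules and runs the two orderings under discussion (the posted one and the one suggested in reply) against a few constructed requests. The ACL definitions are assumptions, since neither message shows them: myAllow and myDeny are taken to be dstdomain ACLs, intranet and localhost src ACLs, and the client addresses are made up. The only thing the example demonstrates is what the rule orderings decide on paper; it says nothing about the Netfilter REDIRECT behaviour reported above.

```python
"""Simulator of Squid's http_access first-match evaluation (added example, not Squid code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed ACL definitions. Assumption: the posters used dstdomain ACLs for
# myAllow/myDeny and src ACLs for localhost/intranet; the values are invented.
ACLS = {
    "all":       ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "intranet":  ("src", ["10.1.0.0/16"]),
    "myAllow":   ("dstdomain", [".hotmail.msn.com"]),
    "myDeny":    ("dstdomain", [".msn.com", ".msads.net", ".doubleclick.net"]),
}

# The two orderings under discussion (the reply's typo "http_acces" corrected).
POSTED_CONFIG = """
http_access allow myAllow all
http_access deny myDeny all
http_access allow localhost
http_access allow intranet
http_access deny all
"""

SUGGESTED_CONFIG = """
http_access allow localhost
http_access allow myAllow intranet
http_access deny myDeny
http_access allow intranet
"""


def acl_matches(name, client_ip, url):
    """Return True if ACL `name` matches this client/URL pair."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        host = urlsplit(url).hostname or ""
        for v in values:
            # Squid: a leading dot matches the domain itself and all subdomains.
            if v.startswith(".") and (host == v[1:] or host.endswith(v)):
                return True
            if host == v:
                return True
        return False
    raise ValueError(f"unsupported ACL type {kind}")


def parse_rules(text):
    """Turn http_access lines into (action, [acl, ...]) tuples in config order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        directive, action, *acls = line.split()
        if directive != "http_access" or action not in ("allow", "deny"):
            raise ValueError(f"bad line: {line}")
        rules.append((action, acls))
    return rules


def http_access(rules, client_ip, url):
    """First line whose ACLs all match decides; otherwise the opposite of the last action."""
    for action, acls in rules:
        if all(acl_matches(a, client_ip, url) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


POSTED = parse_rules(POSTED_CONFIG)
SUGGESTED = parse_rules(SUGGESTED_CONFIG)

# Constructed requests: (client IP, URL). 203.0.113.5 stands in for an Internet client.
SAMPLE_REQUESTS = [
    ("10.1.0.100", "http://global.msads.net/ads/HOTBOS/0010395240007_LG.gif"),  # myDeny only
    ("10.1.0.100", "http://sea1fd.sea1.hotmail.msn.com/cgi-bin/HoTMaiL"),        # myAllow and myDeny
    ("203.0.113.5", "http://sea1fd.sea1.hotmail.msn.com/cgi-bin/HoTMaiL"),       # same URL, from outside
    ("203.0.113.5", "http://example.org/"),                                      # outside, no ACL hit
    ("10.1.0.100", "http://example.org/"),                                       # intranet, no ACL hit
]


def compare(client_ip, url):
    """Decision of each ordering for one request."""
    return {"posted": http_access(POSTED, client_ip, url),
            "suggested": http_access(SUGGESTED, client_ip, url)}


if __name__ == "__main__":
    for ip, url in SAMPLE_REQUESTS:
        d = compare(ip, url)
        print(f"{ip:12} {url:55} posted={d['posted']:5} suggested={d['suggested']}")
```

Two things the run makes visible. First, the posted ordering answers "allow" for the Internet client fetching a myAllow site, which is the "everyone in the whole world" point made in the reply; the suggested ordering denies it because myAllow is paired with intranet. Second, both orderings deny the intranet client's myDeny-only request (the global.msads.net GIF), so rule ordering by itself does not produce the log lines the poster describes as wrong. Note also that the suggested ordering ends with an allow line, so a request matching nothing is denied only by Squid's "opposite of the last rule" default; appending an explicit `http_access deny all`, as the posted config does, keeps that decision from depending on the default.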




