Hello,
i've tried out your config but it doesn't works.
My network is simple : i've got a lan at 10.1.1.0/24, all the users are
from an active directory win2000, connecting by Iexplore 5-6. The squid
server is on a proliant, red hat 9 newly installed.
Everyone from my lan can connect the web, I just need to block ftp, icq,
msn, kazaa, edonkey, etc ! you know ! And control the browsing with
squidguard (it works perfectly well)
thank you for your help
Olivier
Duane Wessels
<[EMAIL PROTECTED]
che.org> To
[EMAIL PROTECTED]
15/12/2003 17:55 cc
[EMAIL PROTECTED]
Subject
Re: [squid-users] problems with
post/get -- may be ! not sure at
all :os
Your access controls are very strange
> acl ACISNETWORK src 10.1.1.0/255.255.255.0
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl CONNECT method GET POST HEAD CONNECT PUT DELETE
> http_access allow manager localhost
> http_access deny manager
> http_access allow ACISNETWORK
The above allows any request from a client in your ACISNETWORK.
It even allows a user to make a CONNECT request to any port, such
as port 25. That allows Squid to be used as a spam relay, and is
a very bad idea.
The rest of these ACLs apply only to request coming from somewhere
except ACISNETWORK.
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
Since you rediefined CONNECT to include other methods, the above would
deny a GET request to port 80, for example. Probably not what you want to
do. You should leave the CONNECT acl with only the connect method.
> http_reply_access allow ACISNETWORK
> http_access deny ACISNETWORK
The above line is not necessary because any request that matches
ACISNETWORK
was already allowed above and will never reach this point in the rules.
> icp_access deny ACISNETWORK
> http_access deny all
> icp_access deny all
I'm not really sure about your setup, but I think your ACL rules should
probably
look like this:
acl ACISNETWORK src 10.1.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow ACISNETWORK
You may want to add more ports to Safe_ports. If you have users on other
networks
(besides ACISNETWORK), you should make another ACL for that network and
allow it also.
Duane W.
