Ah, that was the problem. "http_access allow all" was before the ads deny line. Personally, I think this is silly and that the squid.conf should not configure itself based on the order that acls appear.

Thanks for your help,
~M

On Fri, 5 Nov 2004 10:44:34 -0900, Chris Robertson <[EMAIL PROTECTED]> wrote:
> Are you saying that the allow all line is first in the conf file? If so,
> reverse the order, and you should be set.
>
> Squid checks the http_access lines in order. The first one to match is all
> that matters, so if you have http_access allow all as the first line,
> everything will match it, and Squid will never check the others.
>
> If the server is low traffic enough, you can add debugging options like
> "debug_options ALL,1 33,2" to your conf file, and watch the cache log to see
> acl testing. It's fairly verbose though (even just at level 2) and not
> suitable for a site getting more than a hit per second or so.
>
> Chris
>
> -----Original Message-----
> From: Matt Alexander [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 05, 2004 10:39 AM
> To: Chris Robertson
> Subject: Re: [squid-users] http_access allow ...
>
> No errors in cache.log. This worked previously when it was listening
> on the external interface and only allowing authenticated users. Is
> it a problem having these three lines together?
>
> http_access allow all
> http_access allow localhost
> http_access deny ads
>
> I'm wondering if the allow all overrides the deny line...
>
> On Fri, 5 Nov 2004 10:19:25 -0900, Chris Robertson <[EMAIL PROTECTED]>
> wrote:
> > Check your cache.log for a line like:
> >
> > aclParseAclLine: IGNORING invalid ACL: acl ads dstdom_regex -i
> > "/etc/squid/adservers"
> >
> > If Squid can't find a file, it will start without problem and just ignore
> > the acl.
> >
> > Chris
> >
> > -----Original Message-----
> > From: Matt Alexander [mailto:[EMAIL PROTECTED]
> > Sent: Friday, November 05, 2004 9:53 AM
> > To: [EMAIL PROTECTED]
> > Subject: [squid-users] http_access allow ...
> >
> > I'd like Squid to be configured to allow all traffic except for a list
> > of ad servers, but it doesn't seem to be working...
> > I have the following line in Squid:
> >
> > acl ads dstdom_regex -i "/etc/squid/adservers"
> > http_access deny ads
> >
> > The adservers file then contains regex expressions for various ad servers,
> > etc.
> >
> > This Squid process is only listening on localhost as it gets the
> > request from DansGuardian in front of it.
> >
> > Here's my acl lines:
> >
> > acl QUERY urlpath_regex cgi-bin \?
> > acl QUERY urlpath_regex download
> > acl QUERY urlpath_regex exe
> > acl QUERY urlpath_regex zip
> > acl QUERY urlpath_regex 160
> > acl ads dstdom_regex -i "/etc/squid/adservers"
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 563 # https, snews
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > acl PURGE method PURGE
> >
> > And here's my http_access lines:
> >
> > http_access deny ads
> > http_access allow PURGE localhost
> > http_access allow all
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> >
> > Any ideas what I'm missing?
> > Thanks,
> > ~M
> >
> > --
> > Get Firefox!
> > http://www.mozilla.org/products/firefox/
> >
>
> --
> Get Firefox!
> http://www.mozilla.org/products/firefox/
>

--
Get Firefox!
http://www.mozilla.org/products/firefox/
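
Added example (not part of the original thread and not Squid's own code): a small Python model of the first-match rule Chris describes, run over the http_access lines posted in the thread. It also lists the lines that sit after "http_access allow all" and are therefore never evaluated; the set of ACL names that match each request is an assumption supplied by hand.

```python
# Added example: a model of Squid's first-match http_access evaluation.
# Rule text is taken from the thread; ACL matching is simulated with a set of
# ACL names assumed true for the request (this is not real Squid ACL code).
POSTED = """\
http_access deny ads
http_access allow PURGE localhost
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
"""
THREE_LINES = """\
http_access allow all
http_access allow localhost
http_access deny ads
"""

def parse(conf):
    """Return [(action, [acl, ...])] for each http_access line."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def decide(rules, true_acls):
    """First line whose ACLs all match wins; returns (action, line index)."""
    for i, (action, acls) in enumerate(rules):
        if all((a[1:] not in true_acls) if a.startswith("!") else (a in true_acls)
               for a in acls):
            return action, i
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def shadowed(rules, always_true=("all",)):
    """Lines after the first one that matches every request; never evaluated."""
    for i, (_, acls) in enumerate(rules):
        if all(a in always_true for a in acls):
            return rules[i + 1:]
    return []

if __name__ == "__main__":
    ad_request = {"all", "localhost", "ads"}  # constructed: request to an ad host
    print("three-line order:", decide(parse(THREE_LINES), ad_request))
    print("posted order:    ", decide(parse(POSTED), ad_request))
    for action, acls in shadowed(parse(POSTED)):
        print("never reached:", action, " ".join(acls))
```

In the posted order the ads deny works, but the manager, Safe_ports and CONNECT lines all follow "allow all" and are reported as never reached.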