[squid-users] Multiple http_access Logic At the same time

Amos Jeffries squid3 at treenet.co.nz
Fri Apr 14 14:06:20 UTC 2017


On 15/04/2017 1:25 a.m., Serhat Koroglu wrote:
> Hello,
> 
> I'm trying to manage squid users to access the proxy if they logged
> in and the site url is allowed in my url list. They are running one
> by one. If logged in accesses but not check the url and vice versa.
> But I want both of them. Here is my config part.
> 

First some concepts:

You do not have any "url list" in the displayed config settings.

You do have a file that is supposed to contain *only* domain names.
Those may have wildcard sub-domains in dstdomain format (domain name
started with a '.'), but URLs and other things are not valid in that file.


Also, http_access does not allow/deny "URLs". It can best be described
as allowing or denying *use of the proxy*. Use of the proxy is a very
different concept to 'URL'.

That is very important to get straight in your head since it directly
affects your understanding of what the ACLs do.




> 
> auth_param basic program /usr/bin/php /var/www/html/sqauth.php
> auth_param basic children 20
> auth_param basic realm Username and password
> auth_param basic credentialsttl 5 hours
> 
> acl AuthenticatedUsers proxy_auth REQUIRED
> 
> acl allowed_sites dstdomain "/etc/squid/allowedsites.txt"
> acl all_others dst 0.0.0.0/0.0.0.0

Contrary to what you may think the above "all_others" ACL does not deny
access to everywhere.

It is a bad way to configure:

  acl all_others dst ipv4


Also be aware that it can only match IPv4 addresses. So any IPv6-only
domain will happily skip past your denial rule. This has nothing to do
with whether your client or your local network is IPv4-only. It depends
solely on the DNS listed IPs of the destination domain; clients
requesting IPv6-only domains will be allowed to use your proxy.

Use the provided/built-in ACL called "all" when you want to match
everything.


> 
> http_access allow allowed_sites
> http_access deny all_others
> http_access allow AuthenticatedUsers
> 

When you fix the "deny all_others" stuff so it is working as you appear to
intend, your authentication will "break".

Please read
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes> for why,
and that should also teach you how to solve your described problem.

Amos
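
Added example, not part of the original message and not taken from the Squid documentation: one arrangement of the posted ACLs that requires both a listed destination domain and a successful login. It reuses the poster's ACL names and file path, and relies on two Squid rules: ACLs on one http_access line are ANDed, and the first matching http_access line decides.

```conf
# Order from the original post, kept commented out for comparison:
#   http_access allow allowed_sites       # matches first, so listed domains need no login
#   http_access deny all_others           # dst 0.0.0.0/0 matches IPv4 destinations only
#   http_access allow AuthenticatedUsers  # reached only for IPv6-only destinations

acl AuthenticatedUsers proxy_auth REQUIRED
acl allowed_sites dstdomain "/etc/squid/allowedsites.txt"

# 1. Refuse anything whose destination domain is not in the file.
#    This check needs no credentials, so it runs before any login prompt.
http_access deny !allowed_sites

# 2. Only listed domains reach this line; allow them for authenticated users.
http_access allow AuthenticatedUsers

# 3. Explicit default using the built-in "all" ACL (matches IPv4 and IPv6).
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors before a reload.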


