<html><head></head><body><div class="ydp370d1f01yahoo-style-wrap" style="font-family: Helvetica Neue, Helvetica, Arial, sans-serif; font-size: 13px;"><div></div>
        <div dir="ltr" data-setdir="false">Dear Amos,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Thanks for the quick reply</div><div dir="ltr" data-setdir="false">will check and let you know</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">regards</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">simon</div><div><br></div>
        
        </div><div id="ydp6be494cayahoo_quoted_3177030431" class="ydp6be494cayahoo_quoted">
            <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
                
                <div>
                    On Saturday, October 17, 2020, 06:06:13 AM GMT+3, Amos Jeffries &lt;squid3@treenet.co.nz&gt; wrote:
                </div>
                <div><br></div>
                <div><br></div>
                <div><div dir="ltr">On 16/10/20 10:21 pm, simon ben wrote:<br clear="none">> I have squid running perfectly fine on centos 7 64 bit with no issues<br clear="none">> I want to allow certain user ips to access a few sites and block<br clear="none">> everything else so below is the config<br clear="none">> the sites are <br clear="none">> 1) paloaltonetworks.com<br clear="none">> 2) redcloak.secureworks.com<br clear="none">> <br clear="none"><br clear="none">Notice the sitelist file contains the entire range of *.secureworks.com<br clear="none">domains and some others.<br clear="none"><br clear="none"><br clear="none">> in squid.conf<br clear="none">> -------------------<br clear="none">> acl userlist src "/etc/squid/userlist"<br clear="none">> acl sitelist dstdomain "/etc/squid/sitelist"<br clear="none"><br clear="none"><br clear="none"># allow certain user ips to access a few sites<br clear="none">> http_access allow userlist sitelist<br clear="none">> <br clear="none"><br clear="none"># ...  and block everything else<br clear="none"><br clear="none">?? nothing specified for that part of your policy.<br clear="none"><br clear="none"><br clear="none">So, you need to follow up with either:<br clear="none"><br clear="none">  http_access deny all<br clear="none"><br clear="none">or,<br clear="none"><br clear="none">  http_access deny userips<br clear="none"><br clear="none"><br clear="none">> -------------------<br clear="none">> <br clear="none">> user list file has the ips<br clear="none">> -----------<br clear="none">> 192.168.62.128<br clear="none">> 192.168.62.1<br clear="none">> 192.168.62.129<br clear="none">> 192.168.61.1<br clear="none">> 192.168.62.130<br clear="none">> 192.168.62.3<br clear="none">> 192.168.61.128<br clear="none">> 172.16.120.160<br clear="none">> ------------------------------<br clear="none">> <br clear="none"><br clear="none">Er, these are not "users" these are IP addresses. 
Aka clients.<br clear="none"><br clear="none">The difference is important because one machine/IP can be used by<br clear="none">multiple users. There is no difference to the proxy whether the IP is<br clear="none">switched between users or shared by multiple simultaneously.<br clear="none"><br clear="none">Also, sorting the file can ease management. There are some entries which<br clear="none">could be represented by an IP-range for more efficient matching instead<br clear="none">of listed individually.<br clear="none"><br clear="none"><br clear="none"><br clear="none">> site list file has the sites<br clear="none">> ----------------------------------------<br clear="none">> .paloaltonetworks.com<br clear="none">> .secureworks.com<br clear="none">> <a shape="rect" href="https://ch-baladia.traps.paloaltonetworks.com" rel="nofollow" target="_blank">https://ch-baladia.traps.paloaltonetworks.com</a><br clear="none">> baladia.xdr.eu.paloaltonetworks.com<br clear="none">> identity.paloaltonetworks.com<br clear="none">> login.paloaltonetworks.com<br clear="none">> assets.adobedtm.com<br clear="none">> www.paloaltonetworks.com<br clear="none">> redcloak.secureworks.com<br clear="none">> <br clear="none">> ------------------------------------------------<br clear="none">> <br clear="none">> I see that the first page and some links are working but some do not.<br clear="none"><br clear="none">Only the first two lines of that file are "sites".<br clear="none"><br clear="none">The third is a URL. This will never match with dstdomain.<br clear="none"><br clear="none">The rest are individual domains. They will only match the one domain<br clear="none">within their site.<br clear="none"><br clear="none">Also, most of your entries are sub-domains of the sites listed on the<br clear="none">first lines. 
The contents of this file reduce to:<br clear="none"><br clear="none"><br clear="none">  .paloaltonetworks.com<br clear="none">  .secureworks.com<br clear="none">  assets.adobedtm.com<br clear="none"><br clear="none"><br clear="none">However, your stated policy says that it should only contain:<div class="ydp6be494cayqt4582027417" id="ydp6be494cayqtfd48326"><br clear="none"><br clear="none">  .paloaltonetworks.com<br clear="none">  .redcloak.secureworks.com</div><br clear="none"><br clear="none"><br clear="none">Amos<br clear="none">_______________________________________________<br clear="none">squid-users mailing list<br clear="none"><a shape="rect" href="mailto:squid-users@lists.squid-cache.org" rel="nofollow" target="_blank">squid-users@lists.squid-cache.org</a><br clear="none"><a shape="rect" href="http://lists.squid-cache.org/listinfo/squid-users" rel="nofollow" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><div class="ydp6be494cayqt4582027417" id="ydp6be494cayqtfd01902"><br clear="none"></div></div></div>
            </div>
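            <div>The reduction of the sitelist file worked through by hand in the reply above, as an added example (not part of the original emails and not Squid's own code): a small Python check for a dstdomain list file that flags URL entries, which dstdomain never matches, and drops entries already covered by a leading-dot domain. The function names are assumptions made for illustration, and the embedded sample is constructed from the sitelist quoted in the thread.</div>

```python
from urllib.parse import urlsplit

# Constructed sample: the sitelist entries quoted in the thread.
SITELIST = """\
.paloaltonetworks.com
.secureworks.com
https://ch-baladia.traps.paloaltonetworks.com
baladia.xdr.eu.paloaltonetworks.com
identity.paloaltonetworks.com
login.paloaltonetworks.com
assets.adobedtm.com
www.paloaltonetworks.com
redcloak.secureworks.com
"""

def covered_by(domain, wildcard):
    """True if domain falls under a leading-dot dstdomain entry such as '.example.com'."""
    base = wildcard.lstrip(".")
    return domain == base or domain.endswith("." + base)

def lint_dstdomain(text):
    """Return (kept, notes): the reduced entry list and the reason each other line was dropped."""
    entries, notes = [], []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if "/" in line:
            # A URL or path: dstdomain compares host names only, so this never matches.
            host = urlsplit(line if "://" in line else "//" + line).hostname or "?"
            notes.append((line, f"URL, not a domain; dstdomain would need {host}"))
            continue
        entries.append(line)
    wildcards = [e for e in entries if e.startswith(".")]
    kept = []
    for e in entries:
        parents = [w for w in wildcards if w != e and covered_by(e.lstrip("."), w)]
        if parents:
            notes.append((e, f"redundant, already matched by {parents[0]}"))
        elif e not in kept:
            kept.append(e)
    return kept, notes

if __name__ == "__main__":
    kept, notes = lint_dstdomain(SITELIST)
    print("\n".join(kept))
    for entry, why in notes:
        print(f"# dropped {entry}: {why}")
```

            <div>The reduced list still allows every *.secureworks.com host; narrowing it to the stated policy is a manual decision the check cannot make.</div>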
        </div></body></html>