[squid-users] Multiple http_access Logic At the same time
Amos Jeffries
squid3 at treenet.co.nz
Fri Apr 14 14:06:20 UTC 2017
On 15/04/2017 1:25 a.m., Serhat Koroglu wrote:
> Hello,
>
> I'm trying to manage squid users to access the proxy if they logged
> in and the site url is allowed in my url list. They are running one
> by one. If logged in accesses but not check the url and vice versa.
> But I want both of them. Here is my config part.
>
First some concepts:
You do not have any "url list" in the displayed config settings.
You do have a file that is supposed to contain *only* domain names.
Those may have wildcard sub-domains in dstdomain format (domain name
started with a '.'), but URLs and other things are not valid in that file.
Also, http_access does not allow/deny "URLs". It can best be described
as allowing or denying *use of the proxy*. Use of the proxy is a very
different concept to 'URL'.
That is very important to get straight in your head since it directly
affects your understanding of what the ACLs do.
>
> auth_param basic program /usr/bin/php /var/www/html/sqauth.php
> auth_param basic children 20
> auth_param basic realm Username and password
> auth_param basic credentialsttl 5 hours
>
> acl AuthenticatedUsers proxy_auth REQUIRED
>
> acl allowed_sites dstdomain "/etc/squid/allowedsites.txt"
> acl all_others dst 0.0.0.0/0.0.0.0
Contrary to what you may think the above "all_others" ACL does not deny
access to everywhere.
It is a bad way to configure:
    acl all_others dst ipv4
Also be aware that it can only match IPv4 addresses. So any IPv6-only
domain will happily skip past your denial rule. This has nothing to do
with whether your client or your local network is IPv4-only. It depends
solely on the DNS listed IPs of the destination domain. Clients
requesting IPv6-only domains will be allowed to use your proxy.
Use the provided/built-in ACL called "all" when you want to match
everything.
>
> http_access allow allowed_sites
> http_access deny all_others
> http_access allow AuthenticatedUsers
>
When you fix the "deny all_others" stuff so it is working as you appear to
intend, your authentication will "break".
Please read
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes> for why,
and that should also teach you how to solve your described problem.
Amos
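
Added example (not part of the original message and not Squid code): a simplified Python model of http_access evaluation, run over the three quoted rules, the same rules with the built-in "all" swapped in, and one arrangement that requires both a listed domain and a login. The contents of ALLOWED, the sample hosts and addresses, and the BOTH_REQUIRED ordering are assumptions made for illustration.

```python
import ipaddress

ALLOWED = [".example.com"]  # constructed stand-in for allowedsites.txt

def acl_match(name, req):
    """Simplified stand-ins for the ACLs defined in the quoted config."""
    if name == "all":
        return True
    if name == "allowed_sites":   # dstdomain: a leading '.' also covers sub-domains
        h = req["host"]
        return any(h == d.lstrip(".") or (d.startswith(".") and h.endswith(d))
                   for d in ALLOWED)
    if name == "all_others":      # dst 0.0.0.0/0.0.0.0 can only match IPv4 addresses
        return any(ipaddress.ip_address(ip).version == 4 for ip in req["dst_ips"])
    if name == "AuthenticatedUsers":   # proxy_auth REQUIRED
        return req["authed"]
    raise ValueError(f"unknown ACL {name}")

def http_access(rules, req):
    """ACLs on one line are ANDed; the first fully matching line decides.
    If no line matches, the opposite of the last line's action applies."""
    action = "allow"
    for line in rules:
        _, action, *acls = line.split()
        if all(acl_match(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if action == "allow" else "allow"

def req(host, dst_ips, authed):
    return {"host": host, "dst_ips": dst_ips, "authed": authed}

ORIGINAL = ["http_access allow allowed_sites",
            "http_access deny all_others",
            "http_access allow AuthenticatedUsers"]
ALL_SWAPPED_IN = ["http_access allow allowed_sites",
                  "http_access deny all",
                  "http_access allow AuthenticatedUsers"]
BOTH_REQUIRED = ["http_access deny !allowed_sites",      # assumed arrangement
                 "http_access allow AuthenticatedUsers",
                 "http_access deny all"]

if __name__ == "__main__":
    listed = req("www.example.com", ["192.0.2.10"], False)   # listed, no login
    v6only = req("v6only.test", ["2001:db8::1"], True)        # unlisted, IPv6-only
    for name, rules in [("original", ORIGINAL), ("all swapped in", ALL_SWAPPED_IN),
                        ("both required", BOTH_REQUIRED)]:
        print(f"{name:15} listed/no-login={http_access(rules, listed)} "
              f"unlisted/v6/login={http_access(rules, v6only)}")
```

The model reports a plain "deny" where a request without credentials reaches the proxy_auth line; a real Squid answers that case with a 407 authentication challenge.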