> With these ACLs
> 
> No client in the a.b.c.129-255 can browse using the proxy
> 
> more than only the 'localhost' can access the 'manager'.
> 
> I would like to only have access to 'manager' from 'localhost'
> 
> and any IP in the range of a.b.c.129-255 with the netmask
> 255.255.255.128 can use the cache. I mean all the half class C.
> 
> Bye
>     Carlos Barros.

Hola,

ACLs in Squid are linear, which means that if you insert an ACL, say
'http_access deny all', it won't go any further to see if there is any
other ACL.
So as your ACL 'clients' is inserted after the deny all ACL, it is not
read.

In order to let only 'localhost' access the 'manager' protocol,
you should tell Squid to refuse any connection to 'manager' unless it is
from 'localhost'. To do so, you must use the wildcard '!' which means
NOT

http_access deny manager !localhost (deny access to manager NOT localhost)

so your ACLs should go:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
acl clients src a.b.c.129-a.b.c.255/255.255.255.128

#Default configuration:
http_access deny manager !localhost
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow clients
http_access deny all

icp_access allow all

miss_access allow all

You can find the entire documentation for Squid on the web site:
http://cache.is.co.za/squid/
and a user guide where everything is very clear.

See you and happy new year;-)

Olivier Palliere ./.
CommonWay Inc.
Network Security Engineer
Consultant
Voice: +33 153 204 870
Fax : +33 153 204 092
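
The first-match ordering described in the reply above, as an added example that is not part of the original message or of Squid itself: a simplified Python model of http_access evaluation covering only the src and proto ACL types. The 192.0.2.128/25 network stands in for the poster's a.b.c half class C, the "broken" ordering is constructed from the reply's description, and all function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the poster's a.b.c.128/255.255.255.128 network.
ACLS = {
    "all":       lambda r: True,
    "manager":   lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: r["src"] == ipaddress.ip_address("127.0.0.1"),
    "clients":   lambda r: r["src"] in ipaddress.ip_network("192.0.2.128/25"),
}

def parse(lines):
    # 'http_access allow|deny acl [!acl ...]' -> (action, [acl, ...])
    rules = []
    for line in lines.strip().splitlines():
        _, action, *names = line.split()
        rules.append((action, names))
    return rules

def line_matches(names, req):
    # All ACLs on one line are ANDed; a leading '!' negates that ACL.
    return all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names)

def decide(rules, req):
    """Return (action, index of deciding line); the first matching line wins."""
    for i, (action, names) in enumerate(rules):
        if line_matches(names, req):
            return action, i
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def req(src, proto="http"):
    return {"src": ipaddress.ip_address(src), "proto": proto}

# Constructed: 'allow clients' placed after 'deny all', as the reply describes.
BROKEN = parse("""
http_access deny manager !localhost
http_access deny all
http_access allow clients
""")
FIXED = parse("""
http_access deny manager !localhost
http_access allow clients
http_access deny all
""")

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, decide(rules, req("192.0.2.200")))
```

With the broken ordering the client at 192.0.2.200 is stopped by line 1 (deny all) and the allow line is never consulted; with the fixed ordering the same request is allowed by line 1.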