On 18/04/2024 at 18:42:57-0500, Grant Taylor wrote
> On 4/18/24 2:46 PM, Albert Shih wrote:
> > So what I'm trying to do is to use ACL according to the user who makes
> > the ssh connection, I don't want «another» authentication.
>
> About the only thing that comes to mind is RFC 931 (?) ident
On 4/18/24 2:46 PM, Albert Shih wrote:
So what I'm trying to do is to use ACL according to the user who makes
the ssh connection, I don't want «another» authentication.
About the only thing that comes to mind is RFC 931 (?) ident (might be
okay on the same system) or something that matches the
On 18/04/2024 at 18:13:41+0100, Francesco Chemolli wrote
Hi,
> Sure, of course. It will work just as normal.
> The only type of ACLs that would need to be considered is source-based
Ok, thanks, but just to be sure, because re-reading myself I was not very clear
about my question.
So what I'm
Sure, of course. It will work just as normal.
The only type of ACLs that would need to be considered is source-based
@mobile
On Thu, 18 Apr 2024 at 18:09, Albert Shih wrote:
> Hi everyone
>
> If a user uses an ssh tunnel to access squid like
>
> ssh -L 3128:squid_server:3128 ssh-portal
>
Hi everyone
If a user uses an ssh tunnel to access squid like
ssh -L 3128:squid_server:3128 ssh-portal
then configures his browser to use 127.0.0.1:3128 to access the squid proxy
is there a way to use «acl by user» in the squid configuration?
Thanks
--
Albert SHIH 嶺
France
Heure
On 2/26/21 12:45 PM, Justin Michael Schwartzbeck wrote:
> For case 2 and 3, what you are saying is that the browser is requesting
> the DNS lookup first, correct?
Correct, but that does not really matter.
> Hence the need for a reverse DNS from
> squid, since squid does not know at that point
Thanks for your answers Alex.
For case 1, I understand that should not be a problem, since squid is the
one asking for DNS resolution.
For case 2 and 3, what you are saying is that the browser is requesting the
DNS lookup first, correct? Hence the need for a reverse DNS from squid,
since squid
On 2/26/21 7:35 AM, Justin Michael Schwartzbeck wrote:
>> Yes, many HTTPS transactions do not expose destination domain until it
>> is too late to decide whether to bump them, and reverse DNS lookups are
>> often unreliable.
> I wonder why this would be.
I suspect you assume that a forward DNS
On 2/25/21 2:07 PM, Justin Michael Schwartzbeck wrote:
> I have thus far used dstdomain acl for bypassing ssl bump on sites that
> we don't want to decrypt, like banking sites. It seems to work for some
> sites, but not for others.
Yes, many HTTPS transactions do not expose destination domain
Hi all,
I have thus far used dstdomain acl for bypassing ssl bump on sites that we
don't want to decrypt, like banking sites. It seems to work for some sites,
but not for others.
I see the following post on this from some years back:
I'm trying to find a way to setup an ACL to filter on only Apple IPhone (IOS).
Is there a method for implementation. I'm assuming it would find the
information in the header and filter on that.
Thank you
David
] On Behalf
Of Amos Jeffries
Sent: Friday, November 07, 2014 4:29 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid ACL, SSL-BUMP and authentication questions
On 7/11/2014 8:35 p.m., squid-list wrote:
Hi, Access to google maps
On 7/11/2014 11:04 p.m., sq...@icshk.com wrote:
Hi Amos,
The configuration I posted last time still cannot accomplish the
tasks.
I said the task was not possible.
You are trying to decide whether to authenticate, based on details
that will not be
Hello all,
As our company policy only allows some machines to access some SSL website
URL (e.g. https://www.google.com/maps). However, they do not have access to
https://www.google.com/. Before, we tried to implement authentication,
everything works fine. We try to allow https access to
Hi!
I'm trying to configure a squid acl to control what soap requests are
allowed to a backend web server..
Only I cannot see a configuration parameter directly specific to SOAP
(or XML) protocol. Or even a way to integrate the POST message content
in a helper application..
I have looked into
On 15/10/2013 3:48 p.m., James Shirley wrote:
Hi!
I'm trying to configure a squid acl to control what soap requests are
allowed to a backend web server..
Only I cannot see a configuration parameter directly specific to SOAP
(or XML) protocol. Or even a way to integrate the POST message content
Hello,
I'm using squid 2.6 Version 2.6.STABLE21 (provided with CentOS 5.x), using NTLM
AUTH.
Since I'm able to apply ACLs to Windows Groups, I'm just wondering if I can
apply an ACL only to a single user.
Should I need to create a group only for that user and apply an acl to that
group or
Hi All.
I have my question about the use of “acl port ” in squid.conf.
Generally the proxy has the following three cases:
1. Standard proxy cache server: In order to realize this approach, we must
indicate the IP and port of the proxy server in the browser of every internal
host.
2.
On Wed, 30 Sep 2009 09:46:04 +0800, wangwen wangw...@126.com wrote:
Hi All.
I have my question about the use of “acl port ” in squid.conf.
Generally the proxy has the following three cases:
1. Standard proxy cache server: In order to realize this approach, we must
indicate the IP and
I got it, thanks for your replies.
- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: wangwen wangw...@126.com
Cc: squid-users@squid-cache.org
Sent: Wednesday, September 30, 2009 10:29 AM
Subject: Re: [squid-users] Squid acl port
On Wed, 30 Sep 2009 09:46:04 +0800
hi,
I've been trying for hours to try and get this to work,
basically this is what I am wanting to do,
Deny if requested is not on allowed port
Allow local users accounts (got this working)
Allow if the requested url is *.mydomain.com
Deny if no the above
below what I'm using, - all the fully
CopyrightPhilly wrote:
hi,
I've been trying for hours to try and get this to work,
basically this is what I am wanting to do,
Deny if requested is not on allowed port
Allow local users accounts (got this working)
Allow if the requested url is *.mydomain.com
Deny if no the above
below what I'm
[mailto:[EMAIL PROTECTED]
Sent: Thursday, August 02, 2007 9:25 AM
To: Heaton, Tobias
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid ACL Problem
Heaton, Tobias wrote:
Hello - I hope I'm writing to the correct place!
I have Squid running on RHAS4 and it has been running perfectly
Hello - I hope I'm writing to the correct place!
I have Squid running on RHAS4 and it has been running perfectly for some
time. I added some new ACLs and http_access protocols mirroring exactly
what existed. I then reconfigured the squid client and even restarted
the machine itself, and I
Heaton, Tobias wrote:
Hello - I hope I'm writing to the correct place!
I have Squid running on RHAS4 and it has been running perfectly for some
time. I added some new ACLs and http_access protocols mirroring exactly
what existed. I then reconfigured the squid client and even restarted
the
To: Heaton, Tobias
Cc: Squid Users
Subject: Re: [squid-users] Squid ACL Problem
Post your DENIED log entries in access.log.
Most probably apple.com site is using other domains different than
apple.com. So, despite apple.com is allowed, those others are denied and
the page cannot be accessed
Post your DENIED log entries in access.log.
Most probably apple.com site is using other domains different than
apple.com. So, despite apple.com is allowed, those others are denied and
the page cannot be accessed.
Post your DENIED logs please.
Heaton, Tobias wrote:
The
Heaton, Tobias wrote:
No log entries are appearing from a network machine on the same subnet. The
only way I can generate an access.log entry is running the squidclient app w/
the URL:
squidclient http://www.apple.com
access.log:
247 127.0.0.1 TCP_MISS/200 10226 GET
It was a DNS zone problem that I've resolved. Thanks for all your help!
-Original Message-
From: Leonardo Rodrigues Magalhães [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 02, 2007 12:12 PM
To: Heaton, Tobias
Cc: Squid Users
Subject: Re: [squid-users] Squid ACL Problem
Heaton
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 06 July 2007 00:22
To: Christian Vallant
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid ACL
Hello,
I need to solve the following problem.
I have an ldap-server, which I use to authenticate
Hello,
I need to solve the following problem.
I have an ldap-server, which I use to authenticate the user.
If the user is in the group, he has access to the group A. If the
authentication fails, he has access to the group B.
Can anyone tell me how I can solve this problem?
I have already have an
Hello,
I need to solve the following problem.
I have an ldap-server, which I use to authenticate the user.
If the user is in the group, he has access to the group A. If the
authentication fails, he has access to the group B.
Can anyone tell me how I can solve this problem?
I have already
Hello,
I would like to set up squid this way.
All clients from the internal network (172.16.0.0) could reach external server
15.14.13.12 on all ports.
Many thanks.
[EMAIL PROTECTED] wrote:
Hello,
I would like to set up squid this way.
All clients from the internal network (172.16.0.0) could reach external server
15.14.13.12 on all ports.
Many thanks.
acl clients src 172.16.0.0/16
acl server dst 15.14.13.12
http_access allow clients server
Proper placement
.nhs.uk
cache_peer_access 3.3.3.3 allow NHS
cache_peer_access 3.3.3.3 allow NWW
never_direct allow NWW
-Original Message-
From: Chris Robertson [mailto:[EMAIL PROTECTED]
Sent: 19 September 2006 19:56
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid ACL (Is this Possible
Wed 2006-09-20 at 11:28 +0100, Mehmet, Levent (Accenture) wrote:
Thanks
Please can you explain what this line means with its characters:
acl NWW dstdom_regex \.?nww\.
maybe a dot followed by nww followed by a dot, anywhere in the hostname
component of the requested URL.
Probably
All
I currently have a setup which sends different domains to different
Cache_peers. This has been working fine with the below config.:
cache_peer 1.1.1.1 parent 80 80 no-query
cache_peer 2.2.2.2 parent 80 80 no-query
cache_peer 3.3.3.3 parent 3128 3130 no-query
cache_peer_domain 3.3.3.3
Mehmet, Levent (Accenture) wrote:
All
I currently have a setup which sends different domains to different
Cache_peers. This has been working fine with the below config.:
cache_peer 1.1.1.1 parent 80 80 no-query
cache_peer 2.2.2.2 parent 80 80 no-query
cache_peer 3.3.3.3 parent 3128 3130
* Jason Bassett [EMAIL PROTECTED] wrote:
I am therefore looking for the easiest and most time effective method
of blocking rooms when required. Hostnames seemed to be the best way.
Any ideas on this issue?
Restricting access on a per-user basis can also be done... just install
an ident
Hello
I work in a secondary school with 5 IT suites each with 20-30 computers. I
have created an acl for each room containing the hostnames of the machines
for example, an acl called R32 for room 32 contains:
R32001
R32002
...
R32030
If I set this acl to deny, not all machines are denied
Jason Bassett wrote:
Hello
I work in a secondary school with 5 IT suites each with 20-30
computers. I have created an acl for each room containing the
hostnames of the machines for example, an acl called R32 for room 32
contains:
R32001
R32002
...
R32030
If I set this acl to deny, not
I have a LAN with DHCP, and sometimes the IP addresses change, worse
still I have many subnets.
How should I structure my ACLs to involve as little administration as
possible?
Only a privileged few should access internet.
--
Peter Collins Wasenda
Network Administrator
, 2006 7:15 AM
To: squid-users@squid-cache.org
Subject: [squid-users] squid acl dhcp
I have a LAN with DHCP, and sometimes the IP addresses change, worse
still I have many subnets.
How should I structure my ACLs to involve as little administration as
possible?
Only a privileged few should access
Tue 2006-03-14 at 15:14 +0300, [EMAIL PROTECTED] wrote:
I have a LAN with DHCP, and sometimes the IP addresses change, worse
still I have many subnets.
How should I structure my ACLs to involve as little administration as
possible?
Use authentication.
Regards
Henrik
* On 14/03/06 15:14 +0300, [EMAIL PROTECTED] wrote:
|
| I have a LAN with DHCP, and sometimes the IP addresses change, worse
| still I have many subnets.
| How should I structure my ACLs to involve as little administration as
| possible?
|
| Only a privileged few should access internet.
to have
squidGuard email offenders dynamically when they hit websites they
shouldn't have.
- Nick
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 7:24 AM
To: Nick Duda
Subject: RE: [squid-users] squid acl dhcp
thanks for your timely answer
Dear Squid Enlightened,
I was looking for a way by which I could filter the content as per the group
Example:
I have a group named Text, and Graphics
The users belonging to the Text group must be able to only view the
text of any website, i.e. all the Graphics, Flash gets restricted to
these
Dear all,
I read from http://esikker.dk/vul_14462.php says that
A bug in Squid allows users to bypass certain access controls by passing a
URL containing %00 which exploits the Squid decoding function.
This may insert a NUL character into decoded URLs, which may allow
users to
bypass url_regex
On Tue, 15 Feb 2005, Yong Bong Fong wrote:
A bug in Squid allows users to bypass certain access controls by passing a
URL containing %00 which exploits the Squid decoding function.
See http://www.squid-cache.org/Advisories/SQUID-2004_1.txt for details of
this old vulnerability.
Does it mean that
Dear All
Requirement has arisen to provide access to a group of machine
categorized based on IP address.
ACL created is as follows:-
acl fulltime_ip 10.10.10.40-10.10.10.254
acl slot1_ip src 10.10.10.25 10.10.10.3010.10.10.35
acl slot1_time time 08:00-10:00
acl slot2_ip src 10.10.10.39
-Original Message-
From: thomas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 8:16 AM
To: squid-users@squid-cache.org
Subject: [squid-users] SQUID- ACL for different time frame for different
block of IP addresses.
Dear All
Requirement has arisen to provide access
Hi Thomas
I am not familiar too, but I write my acl-s different
I deny every traffic I don't want to have
the http_access allow Safe_ports ... allows everything I think
the restrictions would I write
acl time1 time 08:00-10:00
acl time2 time 10:00-12:00
http_access deny slot1_ip !time1
On Sun, Sep 12, 2004 at 12:57:16PM +0200, Marek Pawinski wrote:
I want to bypass my proxy server for a certain https url with a certain
port, I have tried with webmin with no luck. What would I put in
squid.conf to achieve this?
What part of squid do you want to bypass? Obviously you cannot
deny1 wrote:
hello good morning
I am setting squid with the ncsa_auth plugin
here are my acls in squid.conf
Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localdomain src 192.168.0.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports
--- deny1 [EMAIL PROTECTED] wrote: hello good
morning
I am setting squid with the ncsa_auth plugin
here are my acls in squid.conf
Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localdomain src 192.168.0.0/255.255.255.0
acl
hello good morning
I am setting squid with the ncsa_auth plugin
What is your authentication program setting in squid.conf file?
Regards,
Muthukumar.
Who is Users?
see http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#configuring-proxy-auth
I have created /etc/squid/users and write my users and pass
after I add in my webmin's authentication plugin
/usr/lib/squid/ncsa_auth /etc/squid/usersUsers
A++
deny1 wrote:
Who is Users?
see
http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#configuring-proxy-auth
I have created /etc/squid/users and write my users and pass
after I add in my webmin's authentication plugin
/usr/lib/squid/ncsa_auth /etc/squid/usersUsers
A++
But in your squid.conf isn'
after I add in my webmin's authentication plugin
/usr/lib/squid/ncsa_auth /etc/squid/usersUsers
Change the permission of the /etc/squid/usersUsers file to cache_effective_user
setting user permission.
You have to put a line
auth_param basic program /usr/lib/squid/ncsa_auth
But you do not 'tell' him the program authentication:
the line with :
authenticate_program /.../ncsa_auth file_with_users !!
OK, I think it's a bad thing to use webmin with squid
I prefer now to add directly to squid.conf
so I try
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
Hi,
I'm using squid2.4stable7 and trying to stop users from
downloading large files and accessing some servers. This is
my ACL:
#My Access List
acl limit_conn src 192.168.1.0/24
acl 6conn maxconn 6
acl post method post
acl exe urlpath_regex -i \.exe$
acl local src 192.168.1.0/24
acl download
I don't know if this will solve it but I have this rule at the end of my acl
(denies everything that doesn't match your rule)
http_access deny all
-Original Message-
From: Skarbet [mailto:[EMAIL PROTECTED]
Sent: Monday, May 17, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: [squid-users
]
fr cc:
Subject: [squid-users] Squid ACL
On Mon, May 17, 2004 at 02:36:20PM +0200, Skarbet wrote:
I'm using squid2.4stable7 and trying to stop users from
downloading large files and accessing some servers. This is
my ACL:
#My Access List
acl limit_conn src 192.168.1.0/24
acl 6conn maxconn 6
acl post method post
acl exe
On Fri, 19 Sep 2003, Payal Rathod wrote:
What if I have to allow from time 09:00-10:00 and 6:00-07:00 too with
lunchbreak?
I mean the users can access hotmail, yahoo in the above 3 hours only.
Then replace lunchbreak with the following
acl coffeebreak time 09:00-10:00
acl coffeebreak time
On Fri, Sep 19, 2003 at 02:14:49PM +0200, Henrik Nordstrom wrote:
On Fri, 19 Sep 2003, Payal Rathod wrote:
What if I have to allow from time 09:00-10:00 and 6:00-07:00 too with
lunchbreak?
I mean the users can access hotmail, yahoo in the above 3 hours only.
Then replace lunchbreak
Then replace lunchbreak with the following
acl coffeebreak time 09:00-10:00
acl coffeebreak time 13:00-14:00
acl coffeebreak time 18:00-19:00
Wowww! I thought that three acls by the same name might
create a problem.
No, all it does is combine them - just as if you did:
acl coffeebreak
On Fri, 19 Sep 2003, Payal Rathod wrote:
Wowww! I thought that three acls by the same name might create a
problem.
Not as long as you always stuff the same type of content into the acl.
For most ACLs you can list as many things as you want to match on the same
line, or on multiple lines.
The time acl is an exception that you can only list a single time
per
line, but you can still list multiple lines.
That I did not know - thanks for the correction.
Adam
I am at a loss to configure squid acl meeting the following
requirements.
There is a Squid FAQ on how acl and http_access logic works; read that
if you haven't already.
You'll need src, time, and dstdomain acls to get this to work, and
you'll need to order them in http_access properly. More
On Thu, 18 Sep 2003, Payal Rathod wrote:
Hi,
I am at a loss to configure squid acl meeting the following
requirements.
1. All clients must have internet access throughout the day.
acl my_network src 192.168.10.0/24 ...
[used below]
2. Clients 192.168.10.1, 192.168.10.2, 192.168.10.5
71 matches