Re: [squid-users] Special access rights to a sub-group of users
Hi Henrik ! I've made several tests with the statement orders. none of them worked... I got the feeling that the acl statement is not understood with only the IP address... Thanks for any help. Regards, Fernanda On 16 Mar 2004, Henrik Nordstrom wrote: On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote: Hello Christoph, Thanks for your reply. However, it still doesn't work. I tried to add the subnet mask by the end of the acl line as below, but then access is given to all IPs in the network: acl subgroup src 120.202.200.20/255.255.255.0 There should be NO netmask when specifying individual IP addresses. Only when specifying whole networks should a netmask be used. 120.202.200.20/255.255.255.0 == 120.202.200.0/255.255.255.0 == 120.202.200.0/24 (except that Squid will warn you about the first probably not being what you intended...) http_access allow rionet allowed_ext http_access deny rionet denied_ext morning http_access deny rionet denied_ext afternoon http_access allow rionet http_access allow localhost http_access deny all The key is the order of your http_access rules. The above says 1. rionet is allowed to access allowed_ext 2. else denied if it is morning or afternoon and request matches denied_ext 3. else allowed If you want other rules of another subgroup of rionet you need to have these http_access rules before this. Regards Henrik -- _ Voce quer um iGMail protegido contra vírus e spams? Clique aqui: http://www.igmailseguro.ig.com.br Ofertas imperdíveis! Link: http://www.americanas.com.br/ig/
Re: [squid-users] Special access rights to a sub-group of users
Hi Henrik ! I've made several tests with the statement orders. none of them worked... I got the feeling that the acl statement is not understood with only the IP address... Thanks for any help. Regards, Fernanda On 16 Mar 2004, Henrik Nordstrom wrote: On Mon, 15 Mar 2004 [EMAIL PROTECTED] wrote: Hello Christoph, Thanks for your reply. However, it still doesn't work. I tried to add the subnet mask by the end of the acl line as below, but then access is given to all IPs in the network: acl subgroup src 120.202.200.20/255.255.255.0 There should be NO netmask when specifying individual IP addresses. Only when specifying whole networks should a netmask be used. 120.202.200.20/255.255.255.0 == 120.202.200.0/255.255.255.0 == 120.202.200.0/24 (except that Squid will warn you about the first probably not being what you intended...) http_access allow rionet allowed_ext http_access deny rionet denied_ext morning http_access deny rionet denied_ext afternoon http_access allow rionet http_access allow localhost http_access deny all The key is the order of your http_access rules. The above says 1. rionet is allowed to access allowed_ext 2. else denied if it is morning or afternoon and request matches denied_ext 3. else allowed If you want other rules of another subgroup of rionet you need to have these http_access rules before this. Regards Henrik -- _ Voce quer um iGMail protegido contra vírus e spams? Clique aqui: http://www.igmailseguro.ig.com.br Ofertas imperdíveis! Link: http://www.americanas.com.br/ig/
Re: [squid-users] Special access rights to a sub-group of users
Hello again, Henrik! Here is what I tried: acl subgroup src 120.202.200.7 acl rionet src 120.202.200.0/255.0.0.0 acl morning time SMTWHFA 08:30-12:30 acl afternoon time SMTWHFA 13:30-18:30 acl denied_ext url_regex \.zip$ acl denied_ext url_regex \.midi$ \.wav$ acl denied_ext url_regex \.mpe?ga$ \.mp[23]$ \.m3u$ \.r[am]$ \.r[ap]m$ acl denied_ext url_regex \.mp[eg]$ \.mpeg$ \.qt$ \.mov$ .avi$ acl denied_ext url_regex \.exe$ \.com$ \.bin$ \.scr$ \.dll$ \.EXE$ \.Exe$ acl allowed_ext url_regex hotmail.com$ webmail.exe$ iname.com$ http_access allow subgroup http_access allow rionet allowed_ext http_access deny rionet denied_ext morning http_access deny rionet denied_ext afternoon http_access allow rionet http_access allow localhost http_access deny all I had no success.. :-( IP 120.202.200.7 still doesn't have rights to download a .exe file, for example. Thanks once again! Fernanda P.S.: I am using the reconfigure -k parameter after saving squid.conf file --- On 16 Mar 2004, Henrik Nordstrom wrote: On Tue, 16 Mar 2004 [EMAIL PROTECTED] wrote: I've made several tests with the statement orders. none of them worked... So what have you tried? I got the feeling that the acl statement is not understood with only the IP address... It works.. as long as you do not use IP addresses ending in .0 (in which case Squid assumes you meant the network if no mask size is specified) Regards Henrik -- _ Voce quer um iGMail protegido contra vírus e spams? Clique aqui: http://www.igmailseguro.ig.com.br Ofertas imperdíveis! Link: http://www.americanas.com.br/ig/
Re: [squid-users] Special access rights to a sub-group of users
Hello again, Henrik! Here is what I tried: acl subgroup src 120.202.200.7 acl rionet src 120.202.200.0/255.0.0.0 acl morning time SMTWHFA 08:30-12:30 acl afternoon time SMTWHFA 13:30-18:30 acl denied_ext url_regex \.zip$ acl denied_ext url_regex \.midi$ \.wav$ acl denied_ext url_regex \.mpe?ga$ \.mp[23]$ \.m3u$ \.r[am]$ \.r[ap]m$ acl denied_ext url_regex \.mp[eg]$ \.mpeg$ \.qt$ \.mov$ .avi$ acl denied_ext url_regex \.exe$ \.com$ \.bin$ \.scr$ \.dll$ \.EXE$ \.Exe$ acl allowed_ext url_regex hotmail.com$ webmail.exe$ iname.com$ http_access allow subgroup http_access allow rionet allowed_ext http_access deny rionet denied_ext morning http_access deny rionet denied_ext afternoon http_access allow rionet http_access allow localhost http_access deny all I had no success.. :-( IP 120.202.200.7 still doesn't have rights to download a .exe file, for example. Thanks once again! Fernanda P.S.: I am using the reconfigure -k parameter after saving squid.conf file --- On 16 Mar 2004, Henrik Nordstrom wrote: On Tue, 16 Mar 2004 [EMAIL PROTECTED] wrote: I've made several tests with the statement orders. none of them worked... So what have you tried? I got the feeling that the acl statement is not understood with only the IP address... It works.. as long as you do not use IP addresses ending in .0 (in which case Squid assumes you meant the network if no mask size is specified) Regards Henrik -- _ Voce quer um iGMail protegido contra vírus e spams? Clique aqui: http://www.igmailseguro.ig.com.br Ofertas imperdíveis! Link: http://www.americanas.com.br/ig/
Re: [squid-users] Special access rights to a sub-group of users
Hello Christoph, Thanks for your reply. However, it still doesn't work. I tried to add the subnet mask by the end of the acl line as below, but then access is given to all IPs in the network: acl subgroup src 120.202.200.20/255.255.255.0 Any other hint? Thanks + Regards, Fernanda === On 14 Mar 2004, Christoph Haas wrote: On Sun, Mar 14, 2004 at 03:06:54PM -0300, [EMAIL PROTECTED] wrote: I have the following configuration: acl rionet src 120.202.200.0/255.0.0.0 acl morning time SMTWHFA 08:30-12:30 acl afternoon time SMTWHFA 13:30-18:30 acl denied_ext url_regex \.zip$ acl denied_ext url_regex \.midi$ \.wav$ acl denied_ext url_regex \.mpe?ga$ \.mp[23]$ \.m3u$ \.r[am]$ \.r[ap]m$ acl denied_ext url_regex \.mp[eg]$ \.mpeg$ \.qt$ \.mov$ \.avi$ acl denied_ext url_regex \.exe$ \.com$ \.bin$ \.scr$ \.dll$ \.EXE$ \.Exe$ acl allowed_ext url_regex hotmail.com$ webmail.exe$ iname.com$ http_access allow rionet allowed_ext http_access deny rionet denied_ext morning http_access deny rionet denied_ext afternoon http_access allow rionet http_access allow localhost http_access deny all How do I give total access to a sub-group of the IP range declared in rionet, i.e., IPs 120.202.200.20 and 120.202.200.25 have unrestricted access. The order of the ACLs matters. Just add another ACL on top of the other http_access definitions like this: acl subgroup src 120.202.200.20 acl subgroup src 120.202.200.25 http_access allow subgroup If the list is longer you could as well link to an external file like... acl subgroup src /etc/squid/subgroup.src ...and list the IPs there. Christoph -- ~ ~ .signature [Modified] 3 lines --100%-- 3,41 All -- _ Voce quer um iGMail protegido contra vírus e spams? Clique aqui: http://www.igmailseguro.ig.com.br Ofertas imperdíveis! Link: http://www.americanas.com.br/ig/
[squid-users] Special access rights to a sub-group of users
Hello Everybody ! I have the following configuration: acl rionet src 120.202.200.0/255.0.0.0 acl morning time SMTWHFA 08:30-12:30 acl afternoon time SMTWHFA 13:30-18:30 acl denied_ext url_regex \.zip$ acl denied_ext url_regex \.midi$ \.wav$ acl denied_ext url_regex \.mpe?ga$ \.mp[23]$ \.m3u$ \.r[am]$ \.r[ap]m$ acl denied_ext url_regex \.mp[eg]$ \.mpeg$ \.qt$ \.mov$ \.avi$ acl denied_ext url_regex \.exe$ \.com$ \.bin$ \.scr$ \.dll$ \.EXE$ \.Exe$ acl allowed_ext url_regex hotmail.com$ webmail.exe$ iname.com$ http_access allow rionet allowed_ext http_access deny rionet denied_ext morning http_access deny rionet denied_ext afternoon http_access allow rionet http_access allow localhost http_access deny all How do I give total access to a sub-group of the IP range declared in rionet, i.e., IPs 120.202.200.20 and 120.202.200.25 have unrestricted access. All my tries were unsucessfull. Thanks so much! Fernanda Santos _ Voce quer um iGMail protegido contra vírus e spams? Clique aqui: http://www.igmailseguro.ig.com.br Ofertas imperdíveis! Link: http://www.americanas.com.br/ig/