On Wed, 17 Dec 2003, Xpression wrote:
> Hi list, I'm trying to deny some users to navigate at
> certain times. I've created two user groups (FULL_USERS [1]
> and LIMITED_USERS [2]) and a TIMES acl to achieve it, but it
> doesn't work, group1 cannot access the cache. Any clues?
> Thanks...
Like this:
http_access allow FULL_USERS
http_access allow LIMITED_USERS TIMES
http_access deny LIMITED_USERS
>
> acl LAN src 192.168.1.0/24
> acl CUBA src 192.168.2.8/29
> acl INTERNET src 192.168.2.16/29
> acl DOMAIN_CU dstdomain .cu
> acl BLOCKED_WORDS url_regex -i "/usr/local/squid-2.5/etc/blocked_words"
> acl BLOCKED_IPS dst "/usr/local/squid-2.5/etc/blocked_ips"
> acl BLOCKED_SITES dstdom_regex -i "/usr/local/squid-2.5/etc/blocked_sites"
> acl FULL_USERS proxy_auth "/usr/local/squid-2.5/etc/full_users"
> acl LIMITED_USERS proxy_auth "/usr/local/squid-2.5/etc/limited_users"
> acl TIMES time M-F 8:00-18:00
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl CONNECT method CONNECT
>
> http_access allow LAN
> http_access allow CUBA DOMAIN_CU FULL_USERS
> http_access allow CUBA DOMAIN_CU TIMES LIMITED_USERS
> http_access allow INTERNET FULL_USERS
> http_access allow INTERNET TIMES LIMITED_USERS
> http_access allow manager localhost
>
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny BLOCKED_WORDS
> http_access deny BLOCKED_IPS
> http_access deny BLOCKED_SITES
> http_access deny all
You need to realize that the http_access rules are checked in order.
This means that once a request is allowed by a rule at the top,
it cannot be denied by a rule at the bottom.
You probably want to put your deny rules (except for deny all!) at the
top of the list.
Duane W.
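
Added example (not part of the original thread, and not Squid's own code): a small Python model of first-match http_access evaluation, run over the rule list quoted above and over one possible reordering with the deny lines moved up. The request is modelled as the set of ACL names that match it, which is a constructed simplification, and the reordered list is an assumption about what the advice looks like in practice.

```python
# Rule list as posted in the quoted message.
ORIGINAL = """\
http_access allow LAN
http_access allow CUBA DOMAIN_CU FULL_USERS
http_access allow CUBA DOMAIN_CU TIMES LIMITED_USERS
http_access allow INTERNET FULL_USERS
http_access allow INTERNET TIMES LIMITED_USERS
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny BLOCKED_WORDS
http_access deny BLOCKED_IPS
http_access deny BLOCKED_SITES
http_access deny all
"""
_l = ORIGINAL.splitlines()
# Assumed reordering: manager pair and specific denies first, then the
# allows, with "deny all" kept last.
REORDERED = "\n".join(_l[5:13] + _l[0:5] + _l[13:])

def parse(conf):
    """Return [(action, [acl, ...]), ...] for each http_access line."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules

def evaluate(conf, matching):
    """First matching line decides; returns (action, acls_of_that_line)."""
    matching = set(matching) | {"all"}
    rules = parse(conf)
    if not rules:
        return "deny", None
    for action, acls in rules:
        # All ACLs on one line are ANDed; a leading "!" negates the ACL.
        if all((a[1:] not in matching) if a.startswith("!") else (a in matching)
               for a in acls):
            return action, " ".join(acls)
    # No line matched: the opposite of the last line's action applies.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

if __name__ == "__main__":
    req = {"LAN", "Safe_ports", "BLOCKED_SITES"}  # constructed request
    print("original :", evaluate(ORIGINAL, req))
    print("reordered:", evaluate(REORDERED, req))
```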