On Thu, 19 Aug 2004 Jim_Brouse/[EMAIL PROTECTED] wrote:

> >> http_access allow KIOSK.dstdomain
> >> http_access allow KIOSK
> >>>
> >>> Is this really what you want?
> >>> Allow everyone access to KIOSK.dstdomain
> >>> Allow KIOSK access to everything.
> >>
> >> http_access deny KIOSK
> >>>
> >>> This is redundant due to the above.
>
> KIOSK is an acl that lists what IPs can use that acl, and KIOSK.dstdomain
> lists what sites KIOSK can get to, and it seems to work well. I did remove
> http_access deny KIOSK, but when I tried to combine the two statements that
> I think I need,
>
> >> http_access allow KIOSK.dstdomain
> >> http_access allow KIOSK
>
> into
>
> http_access allow KIOSK KIOSK.dstdomain
>
> that did not work: the users in KIOSK can no longer access sites listed at
> KIOSK.dstdomain, which is the goal.
Perhaps it would be clearer and simpler to write this as two access rules.

    http_access deny !KIOSK.dstdomain
    http_access allow KIOSK

If I understand your description correctly, your intent is to restrict the
accessible resources to those defined in KIOSK.dstdomain. At this point, you
really don't care about the system that is attempting to access the resource.
The first rule enforces your destination restrictions.

A further restriction is that you only want to allow systems defined in KIOSK
to use the proxy. The second rule allows members of KIOSK to use the proxy.

At the end of each rule set there is an implicit deny all. This may not be
entirely accurate. I recall Duane Wessels mentioning somewhere that the
implied last rule is the inverse of the last explicit rule. Based on the
above example, the implicit rule would be the following.

    http_access deny !KIOSK

In "Squid: The Definitive Guide", Duane Wessels provides several examples
where it might be better to use a negated acl to achieve the desired goal.

Merton Campbell Crockett

-- 
BEGIN:vcard
VERSION:3.0
FN:Merton Campbell Crockett
ORG:General Dynamics Advanced Information Systems; Intelligence and Exploitation Systems
N:Crockett;Merton;Campbell
EMAIL;TYPE=internet:[EMAIL PROTECTED]
TEL;TYPE=work,voice,msg,pref:+1(805)497-5045
TEL;TYPE=work,fax:+1(805)497-5050
TEL;TYPE=cell,voice,msg:+1(805)377-6762
END:vcard
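The difference between the two rule sets is easier to see when the requests are actually walked through Squid's first-match evaluation. The following Python script is an added example written for this page; it is not Squid code and not something either poster wrote. It models the documented http_access semantics (lines tested top to bottom, all ACLs on a line ANDed, first match wins, and the implicit final rule being the opposite of the last explicit action) and then runs four constructed requests through both the original two allow lines and the deny/allow pair suggested in the reply. The ACL contents (the 192.0.2.0/28 kiosk network, the example.com/example.net domain list) and the client addresses are assumptions made up for the example, since the thread only shows the ACL names.

```python
# Added example (not from the thread and not Squid's code): a small model of
# how Squid evaluates http_access lines, used to compare the two rule sets
# discussed above. Modelled semantics, taken from Squid's documentation:
#   * lines are tested top to bottom; every ACL on a line must match (AND);
#   * the first matching line decides the request;
#   * if no line matches, the result is the opposite of the last line's action.
# The ACL contents below are constructed; the thread only shows the ACL names.
import ipaddress
from typing import Callable, Dict, List, Tuple

# Assumed definitions, standing in for:
#   acl KIOSK src 192.0.2.0/28
#   acl KIOSK.dstdomain dstdomain .example.com .example.net
KIOSK_NETS = [ipaddress.ip_network("192.0.2.0/28")]
KIOSK_DOMAINS = [".example.com", ".example.net"]


def match_src(nets: List[ipaddress.IPv4Network]) -> Callable[[dict], bool]:
    """src ACL: the client address falls inside one of the listed networks."""
    return lambda req: any(ipaddress.ip_address(req["src"]) in n for n in nets)


def match_dstdomain(domains: List[str]) -> Callable[[dict], bool]:
    """dstdomain ACL: a leading dot matches the domain and all its subdomains."""
    def matcher(req: dict) -> bool:
        host = req["host"].lower().rstrip(".")
        for d in domains:
            if d.startswith("."):
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False
    return matcher


ACLS: Dict[str, Callable[[dict], bool]] = {
    "KIOSK": match_src(KIOSK_NETS),
    "KIOSK.dstdomain": match_dstdomain(KIOSK_DOMAINS),
}

Rule = Tuple[str, List[str]]  # ("allow" | "deny", [acl names; a "!" prefix negates])


def acl_matches(name: str, req: dict) -> bool:
    negated = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negated


def http_access(rules: List[Rule], req: dict) -> str:
    """Return 'allow' or 'deny' for req under the given http_access lines."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    # No line matched: Squid applies the opposite of the last explicit action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# The rule set from the original post: two independent allow lines.
ORIGINAL: List[Rule] = [("allow", ["KIOSK.dstdomain"]), ("allow", ["KIOSK"])]
# The rule set proposed in the reply: deny unlisted destinations first.
PROPOSED: List[Rule] = [("deny", ["!KIOSK.dstdomain"]), ("allow", ["KIOSK"])]

# Constructed requests: a kiosk client and an outside client, each asking for
# a listed site and an unlisted site.
REQUESTS = {
    "kiosk->listed":   {"src": "192.0.2.5",    "host": "www.example.com"},
    "kiosk->unlisted": {"src": "192.0.2.5",    "host": "www.example.org"},
    "other->listed":   {"src": "198.51.100.7", "host": "www.example.com"},
    "other->unlisted": {"src": "198.51.100.7", "host": "www.example.org"},
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Map each request label to (verdict under ORIGINAL, verdict under PROPOSED)."""
    return {label: (http_access(ORIGINAL, r), http_access(PROPOSED, r))
            for label, r in REQUESTS.items()}


if __name__ == "__main__":
    for label, (orig, prop) in compare().items():
        print(f"{label:16s} original={orig:5s} proposed={prop}")
```

Running it shows the over-permissiveness the reviewer pointed out: under the original lines a kiosk client reaches any site and any client reaches the kiosk sites, while under the deny/allow pair only kiosk clients reaching listed domains are allowed and everything else falls through to deny (the outside client asking for a listed site is rejected by the implicit rule, which is the inverse of the final allow). The model ignores other ACL types and the rest of a real squid.conf, so treat it as a way to reason about rule order, not as a substitute for testing the live configuration.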