On Thu, 19 Aug 2004 Jim_Brouse/[EMAIL PROTECTED] wrote:

> 
> >> http_access allow KIOSK.dstdomain
> >> http_access allow KIOSK
> 
> >>>Is this really what you want?
> 
> >>>Allow everyone access to KIOSK.dstdomain
> 
> >>>Allow KIOSK access to everything.
> 
> >> http_access deny KIOSK
> 
> >>>This is redundant due to the above.
> 
> 
>  KIOSK is an acl that lists which IPs can use that acl, and KIOSK.dstdomain
> lists which sites KIOSK can get to, and it seems to work well.  I did remove
> http_access deny KIOSK, but when I tried to combine the two statements that
> I think I need,
> 
> 
> >> http_access allow KIOSK.dstdomain
> >> http_access allow KIOSK
> 
> into
> 
> > http_access allow KIOSK KIOSK.dstdomain
> 
> That did not work: the users in KIOSK can no longer access sites listed in
> KIOSK.dstdomain, which is the goal.

Perhaps it would be clearer and simpler to write this as two access rules.

        http_access deny  !KIOSK.dstdomain
        http_access allow KIOSK

If I understand your description correctly, your intent is to restrict the 
accessible resources to those defined in KIOSK.dstdomain.  At this point, 
you really don't care about the system that is attempting to access the 
resource.  The first rule enforces your destination restrictions.

A further restriction is that you only want to allow systems defined in 
KIOSK to use the proxy.  The second rule allows members of KIOSK to use 
the proxy.

At the end of each rule set there is an implicit deny all.  This may not 
be entirely accurate.  I recall Duane Wessels mentioning somewhere that 
the implied last rule is the inverse of the last explicit rule.  Based on 
the above example, the implicit rule would be the following.

        http_access deny  !KIOSK

In "Squid:  The Definitive Guide", Duane Wessels provides several examples 
where it might be better to use a negated acl to achieve the desired goal.

Merton Campbell Crockett

-- 
BEGIN:                          vcard
VERSION:                        3.0
FN:                             Merton Campbell Crockett
ORG:                            General Dynamics Advanced Information Systems;
                                Intelligence and Exploitation Systems
N:                              Crockett;Merton;Campbell
EMAIL;TYPE=internet:            [EMAIL PROTECTED]
TEL;TYPE=work,voice,msg,pref:   +1(805)497-5045
TEL;TYPE=work,fax:              +1(805)497-5050
TEL;TYPE=cell,voice,msg:        +1(805)377-6762
END:                            vcard
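To make the evaluation order discussed in this thread concrete, here is a small Python model of how Squid walks its http_access list. It is an added illustration, not code from Squid or from either poster, and it models three rules as documented for Squid: every ACL on one http_access line must match (AND), the first matching line wins, and when no line matches the default is the opposite of the last line's action. The ACL contents (the KIOSK addresses and the KIOSK.dstdomain sites) and the three sample requests are constructed placeholders; the three rule sets are the original, the combined line, and the two-rule form from the messages above.

```python
"""Model of Squid http_access evaluation (added illustration, not Squid code).
Models: all ACLs on a line must match (AND); first matching line wins; if no
line matches, the default is the inverse of the last line's action."""

from dataclasses import dataclass

# Constructed sample ACL definitions standing in for the poster's real ones.
# KIOSK is a src ACL (client addresses); KIOSK.dstdomain is a dstdomain ACL.
ACLS = {
    "KIOSK": ("src", {"10.0.0.5", "10.0.0.6"}),
    "KIOSK.dstdomain": ("dstdomain", {".example.com", "intranet.example.org"}),
}


@dataclass(frozen=True)
class Request:
    src: str       # client IP address
    dsthost: str   # hostname in the requested URL


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: a leading dot matches the domain itself and
    any subdomain; a pattern without a leading dot must match exactly."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_match(term: str, req: Request) -> bool:
    """Evaluate one ACL reference from an http_access line, honouring '!'."""
    negated = term.startswith("!")
    name = term[1:] if negated else term
    kind, values = ACLS[name]
    if kind == "src":
        hit = req.src in values
    elif kind == "dstdomain":
        hit = any(dstdomain_match(p, req.dsthost) for p in values)
    else:
        raise ValueError(f"unsupported acl type {kind}")
    return not hit if negated else hit


def parse_rules(config: str):
    """Turn 'http_access allow|deny acl [acl ...]' lines into (action, [acls])."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0] != "http_access":
            continue  # skip blank lines and other directives
        action, terms = parts[1], parts[2:]
        if action not in ("allow", "deny") or not terms:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((action, terms))
    return rules


def decide(rules, req: Request) -> str:
    """First line on which every ACL matches decides; otherwise the default is
    the inverse of the last line's action (deny when there are no lines)."""
    for action, terms in rules:
        if all(acl_match(t, req) for t in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


# The three orderings discussed in the thread.
ORIGINAL = """
http_access allow KIOSK.dstdomain
http_access allow KIOSK
http_access deny KIOSK
"""
COMBINED = "http_access allow KIOSK KIOSK.dstdomain\n"
TWO_RULES = """
http_access deny  !KIOSK.dstdomain
http_access allow KIOSK
"""

# Constructed sample requests.
KIOSK_OK = Request("10.0.0.5", "www.example.com")    # kiosk host, permitted site
KIOSK_BAD = Request("10.0.0.5", "www.example.net")   # kiosk host, other site
OTHER_OK = Request("192.0.2.10", "www.example.com")  # non-kiosk host, permitted site

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("combined", COMBINED), ("two rules", TWO_RULES)):
        rules = parse_rules(cfg)
        print(f"{label:9s}", [decide(rules, r) for r in (KIOSK_OK, KIOSK_BAD, OTHER_OK)])
```

Running it prints one row per rule set for the three requests. The original ordering answers allow for all three, which is exactly the two points raised earlier in the thread: any client reaches the KIOSK.dstdomain sites, kiosk clients reach everything, and the trailing deny KIOSK is never evaluated because the second line already matched. The combined line and the two-rule form both allow only the kiosk client to the permitted site; in both, the non-kiosk request is refused by the default inverse of the last line, which for the two-rule form is the implicit deny !KIOSK described above.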