Thanks a lot for the reply Amos. I tried the following:

acl station-ip src 192.168.1.0/24
acl station-domain dstdomain /usr/local/squid/station-domain.acl
http_access allow station-ip station-domain
http_access deny kiosk-ip

This order of rules only denies everything instead of allowing at least domains in station-domain.acl. My requirement is that everyone in that subnet should be able to access domains in station-domain.acl only. Sites outside the list have to be blocked for them.

On Tue, Sep 1, 2015 at 10:17 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 2/09/2015 1:28 a.m., jake driscoll wrote:
> > here is my requirement:
> >
> >> i have a subnet
> >> only a small list of sites need to be allowed access to this subnet
> >> this subnet should not get access to any other site except the ones in the list
> >> access for other users will remain the same
> >
> > I tried the following
> >
> > acl station-ip src 192.168.1.0/24
> > acl station-domain dstdomain www.google.com www.bbc.com
> > http_access deny station-ip !station-domain
>
> That is correct for "subnet should not get access to any other site except the ones in the list".
>
> But you had more requirements in your description ...
>
> ... "sites need to be allowed access to this subnet"
>
> Meaning you need an allow line somewhere that does that allowing. Such a line might exist in your config already in another form.
>
> At worst adding this line directly underneath the ones above will cause that policy requirement to happen as well:
>
> http_access allow station-ip
>
> ... "access for other users will remain the same"
>
> Without seeing your full squid.conf http_access rules and all associated ACL definitions we can't help with that "the same" part. Except to say:
>
> Order is IMPORTANT.
>
> Where you place a http_access line in the sequence with *all* other http_access rules matters a LOT about whether it is even tested, whether it will match at that time, and what will happen.
>
> I *guess* you need to place these four new lines near the top of your list of http_access list right under the default configs "CONNECT !SSL_ports" line.
>
> > and also this -
> > http_access deny station-ip
> > http_access allow station-ip station-domain
>
> Good example of what I mean about order affecting matching.
>
> 100% of all traffic from station-ip will match that "deny" line.
>
> The "allow" line will only be reached by non-'station-ip' traffic. It will thus _never_ match, and does nothing.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
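As an added illustration (not code from the thread or from Squid itself), the following Python models Squid's first-match http_access evaluation over the two ACLs quoted above, using the inline domain list from the first message and constructed sample requests; it shows why the recommended order restricts the subnet to the listed sites while leaving other clients to later rules, and why the "deny station-ip" first ordering never reaches its allow line.

```python
import ipaddress

# Constructed ACL table mirroring the thread's ACLs
# (acl station-ip src ... / acl station-domain dstdomain ...).
ACLS = {
    "station-ip": ("src", ["192.168.1.0/24"]),
    "station-domain": ("dstdomain", ["www.google.com", "www.bbc.com"]),
}

def acl_matches(name, req):
    """Does the named ACL match a request given as {'src': ip, 'host': name}?"""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        # Squid dstdomain: a leading dot also matches subdomains; otherwise exact.
        return any(host == v or (v.startswith(".") and
                   (host == v[1:] or host.endswith(v))) for v in values)
    raise ValueError(f"unsupported acl type {kind}")

def http_access(rules, req):
    """First-match evaluation of http_access lines: rules is a list of
    (action, [terms]); all terms on a line must match (AND), '!' negates.
    Returns the first matching action, or None when no line matched
    (Squid would then continue with the http_access lines that follow)."""
    for action, terms in rules:
        if all((not acl_matches(t[1:], req)) if t.startswith("!")
               else acl_matches(t, req) for t in terms):
            return action
    return None

# Order recommended in the thread: deny the subnet anything off the list,
# then allow the subnet (i.e. only the listed sites remain).
RECOMMENDED = [("deny", ["station-ip", "!station-domain"]),
               ("allow", ["station-ip"])]
# Order called out as broken: the unconditional deny shadows the allow.
SHADOWED = [("deny", ["station-ip"]),
            ("allow", ["station-ip", "station-domain"])]

# Constructed sample requests: two from the restricted subnet, one from elsewhere.
SAMPLES = {
    "station->listed": {"src": "192.168.1.20", "host": "www.bbc.com"},
    "station->other": {"src": "192.168.1.20", "host": "example.org"},
    "elsewhere->other": {"src": "10.0.0.5", "host": "example.org"},
}

def decisions(rules):
    """Map each sample request name to the decision the rule set yields."""
    return {name: http_access(rules, req) for name, req in SAMPLES.items()}
```

A None result means the request fell through to whatever http_access lines follow in the real squid.conf, which is what keeps "other users" unaffected by the new lines.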