[squid-users] Hole in my thinking

From: Bobby <bobby@dont-contact.us>
Date: Thu, 7 Jun 2007 15:30:42 -0400

Hi List,

I've been battling with this configuration and at this point I don't think I'm
seeing straight. The idea is to have a few groups with some specific access
tables for each of them. But somehow, besides for manager, it either lets
them all through or none, rather than following the valid -http access lists.

Please help me see the errors of my way!

This is running on OpenBSD where pf is redirecting traffic from 80 to 3128 on
the loopback device.

--------------------------------------------------
http_port 3128

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 5203
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

acl our_networks src 172.16.10.0/24
#http_access allow our_networks

http_access allow Safe_ports

# Each src file has a list of internal IP's, and each dst file
#has a list of domains they can visit.
acl operators-src src "/etc/squid/T_operators"
acl operators-dst dst "/etc/squid/T_operators-http"
acl managers-src src "/etc/squid/T_managers"
acl managers-dst dst "/etc/squid/T_managers-http"
acl servers-src src "/etc/squid/T_servers"
acl servers-dst dst "/etc/squid/T_servers-http"
acl finance-src src "/etc/squid/T_finance"
acl finance-dst dst "/etc/squid/T_finance-http"
acl admins-src src "/etc/squid/T_admins"
acl admins-dst dst all

acl clients src 0.0.0.0/0.0.0.0
acl client-http dst 172.16.10.3

http_access allow managers-src managers-dst
http_access allow operators-src operators-dst
http_access allow admins-src admins-dst
http_access allow servers-src servers-dst
http_access allow finance-src finance-dst
http_access allow clients client-http

http_access deny all
http_reply_access deny all
icp_access allow all

visible_hostname gw0.example.com

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/squid/cache

-- 
Bobby
Received on Thu Jun 07 2007 - 13:30:48 MDT
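
Added example, not part of the message above and not Squid's own code: a small Python model of how Squid walks http_access lines (the first matching line decides, and ACLs on one line are ANDed), applied to the rule order posted above. The group addresses are constructed stand-ins for the T_* files, and the second rule list, with port 80 in Safe_ports and no blanket allow, is an assumed variant for comparison.

```python
import ipaddress

# Constructed stand-ins for /etc/squid/T_operators and /etc/squid/T_operators-http;
# the real file contents are not shown in the post.
OPERATORS_SRC = {"172.16.10.21"}
OPERATORS_DST = {"192.0.2.10"}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def make_acls(safe_ports):
    """ACL name -> predicate over a request dict, mirroring the posted acl lines."""
    return {
        "all": lambda r: True,
        "manager": lambda r: r["proto"] == "cache_object",
        "localhost": lambda r: r["src"] == "127.0.0.1",
        "to_localhost": lambda r: ipaddress.ip_address(r["dst"]) in LOOPBACK,
        "Safe_ports": lambda r: r["port"] in safe_ports,
        "SSL_ports": lambda r: r["port"] in {443, 563},
        "CONNECT": lambda r: r["method"] == "CONNECT",
        "operators-src": lambda r: r["src"] in OPERATORS_SRC,
        "operators-dst": lambda r: r["dst"] in OPERATORS_DST,
    }

# http_access lines in the order posted (one group kept for brevity).
POSTED = ["allow manager localhost", "deny manager", "deny !Safe_ports",
          "deny CONNECT !SSL_ports", "deny to_localhost", "allow Safe_ports",
          "allow operators-src operators-dst", "deny all"]
# Assumed variant: same order without the blanket "allow Safe_ports".
VARIANT = [line for line in POSTED if line != "allow Safe_ports"]

def evaluate(rules, acls, req):
    """First matching line wins; every ACL on a line must match ('!' negates)."""
    for line in rules:
        action, *names = line.split()
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    return "deny", None  # not reached: both rule lists end in "deny all"

def request(dst, port, src="172.16.10.21"):
    """Build a plain HTTP GET request from a (constructed) operators address."""
    return {"src": src, "dst": dst, "port": port, "proto": "http", "method": "GET"}

if __name__ == "__main__":
    posted, variant = make_acls({5203}), make_acls({80, 5203})
    for dst, port in [("192.0.2.10", 80), ("203.0.113.5", 80), ("203.0.113.5", 5203)]:
        print(dst, port, evaluate(POSTED, posted, request(dst, port)),
              evaluate(VARIANT, variant, request(dst, port)))
```

http_reply_access and the lookup of domain names for dst ACLs are not modelled here.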
