Help with squid

Hi there,

Sorry if this is in the wrong group but am looking for urgent help on
this one...

Somewhat of a newbie when it comes to squid and the boss has asked me
to set it up for our internal lan. I have it denying stuff that we
don't want the users to get to but the stuff we do want them to get to
it is timing out.

The acl lists we have are:
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port # webmin 10000
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl DeniedAgentSites dstdomain .google.com .yahoo.com .hotmail.com
..theage.com.au .msn.com
acl all src 172.16.56.0-172.16.56.254/255.255.255.255
192.168.0.0-192.168.0.254/255.255.255.255
acl DeniedAgentIPs dst 65.54.239.0-65.54.239.0/255.255.255.0
acl AllowedAgentSites dstdomain .dactive.com.au .eway.com .eway.com.au
..powerdirect.com .powerdirect.com.au .verisign.com .verisign.com.au
acl AgentWebsites dst 172.16.56.0-192.168.0.0/255.255.255.0

And the proxy restrictions are as follows:
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow AllowedAgentSites
http_access deny !AllowedAgentSites
http_access allow localhost

Why does this setup deny not AllowedAgentSites (as you would hope it
would work) but not let through the AllowedAgentSites? It ends up
switching to the autosearch thing which just gets blocked cos it's not
part of the Allowed list. I basically want anything in the
AllowedAgentSites acl to be let through the proxy and any other site to
be denied.

Cheers in advance.

Bj

This one *can* be frustrating. It has to do with the ordering of the
"commands." You can't allow something after you've already denied it.
Try putting you allow statements before the deny statements, but test
carefully for unexpected results.

MT

(E-Mail Removed) wrote:
> Hi there,
>
> Sorry if this is in the wrong group but am looking for urgent help on
> this one...
>
> Somewhat of a newbie when it comes to squid and the boss has asked me
> to set it up for our internal lan. I have it denying stuff that we
> don't want the users to get to but the stuff we do want them to get to
> it is timing out.
>
> The acl lists we have are:
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port # webmin 10000
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl DeniedAgentSites dstdomain .google.com .yahoo.com .hotmail.com
> .theage.com.au .msn.com
> acl all src 172.16.56.0-172.16.56.254/255.255.255.255
> 192.168.0.0-192.168.0.254/255.255.255.255
> acl DeniedAgentIPs dst 65.54.239.0-65.54.239.0/255.255.255.0
> acl AllowedAgentSites dstdomain .dactive.com.au .eway.com .eway.com.au
> .powerdirect.com .powerdirect.com.au .verisign.com .verisign.com.au
> acl AgentWebsites dst 172.16.56.0-192.168.0.0/255.255.255.0
>
> And the proxy restrictions are as follows:
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow AllowedAgentSites
> http_access deny !AllowedAgentSites
> http_access allow localhost
>
> Why does this setup deny not AllowedAgentSites (as you would hope it
> would work) but not let through the AllowedAgentSites? It ends up
> switching to the autosearch thing which just gets blocked cos it's not
> part of the Allowed list. I basically want anything in the
> AllowedAgentSites acl to be let through the proxy and any other site to
> be denied.
>
> Cheers in advance.
>
> Bj
>

Thanks MT.

I did have my proxy restrictions messed up but also the default route
on the box had been changed *grrr* (not by me) so it all works great
now.