Squid - http_access deny all not working

Ravilj

I have a curious problem with squid. At my old high school they have to machines.
Machine A - Mail, file, et al server. It has squid running but deny's all access except to those fortunate people (IP's). Running red hat (dont ask not my baby). 192.168.1.3:3128

Machine B - Proxy server. It has squid (192.168.1.4:port 3128) and dansguardian running (192.168.1.4:8080). Does the authentication through Machine A. Running Gentoo o///

Up until the other day you could not gain access to squid from port 3128 except for local host. All the comps are setup to use 8080. Now I did some testing with squid. If I formally declare:
ACL pc src 192.168.1.132
http_access deny pc

That pc is denied access through 3128 yet the others are still allowed through even though:
ACL localhost 127.0.0.1/255.255.255.255
http_access deny !localhost

ACL all src 0.0.0.0/0.0.0.0
http_access deny all

Now this was working up until the other day

The same problem is being experienced on Machine A where people (IP's) that would and should fall under the deny all rule are not being blocked.

Can anyone speculate as to what may be causing this? I dont know if the [roblems are related but I suspect so.

Ravilj · Posted: Sat Sep 10, 2005 5:22 pm Post subject:

Anyone?

mrness · Posted: Sat Sep 10, 2005 9:18 pm Post subject:

the output of "grep http_access /etc/squid/squid.conf", please

Ravilj · Posted: Sun Sep 11, 2005 11:23 am Post subject:

grep acl /etc/squid/squid.conf result:

mrness · Posted: Sun Sep 11, 2005 11:49 am Post subject:

comment the "http_access allow internet" line and see if you still have access to the proxy.

Ravilj · Posted: Sun Sep 11, 2005 6:51 pm Post subject:

Ok cool, will do so tomorrow when I have access to the machine.

Ravilj · Posted: Mon Sep 12, 2005 7:34 am Post subject:

Hey mrness. There is no access at all through squid on port 3128 and dansguardian on 8080. So it would be safe to assume that the problem lies on the red hate machine where squid authenticates from?

mrness · Posted: Mon Sep 12, 2005 8:07 am Post subject:

access will be granted to authenticated users by "http_access allow internet" line, no matter what you put *after*.
if you want it to reject access based on IP address, you must add those lines *before* allow internet.

Ravilj · Posted: Mon Sep 12, 2005 3:05 pm Post subject:

The http_access allow internet is is used to do the proxy authentication of users. Squid should be blocked off to all requests coming in on port 3128 not from the localhost (dansguardian). All request should go through dans on port 8080 which is open to the network.

mrness · Posted: Mon Sep 12, 2005 3:14 pm Post subject:

...
http_access deny !localhost
http_access allow internet
http_access deny all

Ravilj · Posted: Mon Sep 12, 2005 4:20 pm Post subject:

Okay so I had the wrong order, I was allowing internet first than denying !localhost.

I changed got it working actually using: