# Squid - http_access deny all not working

## Ravilj

I have a curious problem with squid. At my old high school they have two machines.

Machine A - Mail, file, et al. server. It has squid running but denies all access except to those fortunate people (IPs). Running Red Hat (don't ask, not my baby). 192.168.1.3:3128

Machine B - Proxy server. It has squid (192.168.1.4:3128) and dansguardian (192.168.1.4:8080) running. It does the authentication through Machine A. Running Gentoo.

Up until the other day you could not gain access to squid on port 3128 except from localhost. All the computers are set up to use 8080. Now I did some testing with squid. If I formally declare:

> acl pc src 192.168.1.132
> 
> http_access deny pc

That PC is denied access through 3128, yet the others are still allowed through, even though:

> acl localhost src 127.0.0.1/255.255.255.255
> 
> http_access deny !localhost
> 
> acl all src 0.0.0.0/0.0.0.0
> 
> http_access deny all

Now this was working up until the other day :( The same problem is being experienced on Machine A, where people (IPs) that would and should fall under the deny all rule are not being blocked.

Can anyone speculate as to what may be causing this? I don't know if the problems are related, but I suspect so.

----------

## Ravilj

Anyone?

----------

## mrness

The output of "grep http_access /etc/squid/squid.conf", please.

----------

## Ravilj

grep acl /etc/squid/squid.conf result:

> acl internet proxy_auth REQUIRED
> 
> acl all src 0.0.0.0/0.0.0.0
> 
> acl manager proto cache_object
> ...


grep http_access /etc/squid/squid.conf result:

> http_access allow manager localhost
> 
> http_access deny manager
> 
> http_access allow purge localhost
> ...


----------

## mrness

Comment out the "http_access allow internet" line and see if you still have access to the proxy.

----------

## Ravilj

OK, cool, will do so tomorrow when I have access to the machine.

----------

## Ravilj

Hey mrness. There is no access at all through squid on port 3128 and dansguardian on 8080. So would it be safe to assume that the problem lies on the Red Hat machine where squid authenticates from?

----------

## mrness

Access will be granted to authenticated users by the "http_access allow internet" line, no matter what you put *after* it.

If you want it to reject access based on IP address, you must add those lines *before* allow internet.

----------

## Ravilj

The "http_access allow internet" line is used to do the proxy authentication of users. Squid should be blocked off to all requests coming in on port 3128 not from the localhost (dansguardian). All requests should go through dans on port 8080, which is open to the network.

----------

## mrness

> ...
> 
> http_access deny !localhost
> 
> http_access allow internet
> 
> http_access deny all

----------

## Ravilj

Okay, so I had the wrong order: I was allowing internet first, then denying !localhost.

I changed it and got it working, actually using:

> http_access allow internet localhost
> 
> http_access deny internet 
> 
> http_access deny all


Thanks for the help mrness.

----------
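The ordering rule mrness describes (first matching http_access line wins, later lines are never reached) is easy to see by running the three rule orders from this thread through a small model of Squid's evaluation. The script below is an added example written for this page; it is not Squid code and not something anyone in the thread posted. It models the documented Squid behaviour: ACL names on one line are ANDed, a leading "!" negates an ACL, lines are tried top to bottom, and if no line matches the result is the opposite of the last line's action. One simplification is an assumption: a request without credentials is treated as simply not matching the proxy_auth ACL, whereas real Squid answers with a 407 challenge when it reaches a proxy_auth ACL without credentials. The client address 192.168.1.132 is the one from the thread; the requests are constructed test input.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Modelled rules:
  * ACLs on one http_access line are ANDed; the line matches only if all match.
  * Lines are evaluated top to bottom; the first matching line decides.
  * If no line matches, the result is the opposite of the last line's action.
  * A leading "!" negates an ACL.
Assumption: a request with no credentials just fails to match proxy_auth;
real Squid would send a 407 challenge at that point instead.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str             # client IP as seen by squid
    authenticated: bool  # valid proxy credentials supplied?


def acl_src(*cidrs):
    """Build an 'acl NAME src ...' matcher; Squid's addr/netmask form is accepted."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req.src) in n for n in nets)


def acl_proxy_auth(req):
    """'acl NAME proxy_auth REQUIRED' under the simplification noted above."""
    return req.authenticated


# ACL definitions as named in the thread
ACLS = {
    "localhost": acl_src("127.0.0.1/255.255.255.255"),
    "all": acl_src("0.0.0.0/0.0.0.0"),
    "internet": acl_proxy_auth,
}


def http_access(rules, req, acls=ACLS):
    """rules: [(action, [acl_name, ...]), ...] in file order. Returns 'allow'/'deny'."""
    for action, names in rules:
        matched = True
        for name in names:
            negate = name.startswith("!")
            acl = acls[name.lstrip("!")]
            if acl(req) == negate:  # ACL result XOR negation failed
                matched = False
                break
        if matched:
            return action
    # Nothing matched: Squid applies the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The order the poster started with: the allow line is reached first
BROKEN = [
    ("allow", ["internet"]),
    ("deny", ["!localhost"]),
    ("deny", ["all"]),
]
# The order mrness suggested
FIXED = [
    ("deny", ["!localhost"]),
    ("allow", ["internet"]),
    ("deny", ["all"]),
]
# The order the poster ended up using
FINAL = [
    ("allow", ["internet", "localhost"]),
    ("deny", ["internet"]),
    ("deny", ["all"]),
]


def evaluate(rules):
    """Decision per constructed request: a remote client and localhost, with and without auth."""
    cases = {
        "remote-auth": Request("192.168.1.132", True),
        "remote-noauth": Request("192.168.1.132", False),
        "localhost-auth": Request("127.0.0.1", True),
        "localhost-noauth": Request("127.0.0.1", False),
    }
    return {name: http_access(rules, req) for name, req in cases.items()}


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED), ("final", FINAL)):
        print(label, evaluate(rules))
```

With BROKEN, an authenticated client on the LAN is allowed straight through port 3128, exactly the symptom in the first post; with FIXED and FINAL the same client is denied and only an authenticated localhost client (dansguardian) gets through. The last-line rule is why "http_access deny all" belongs at the end: without it, a policy whose last line is an allow would silently default to allow for anything that matched nothing.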

