Squid acl .hotmail.com?????

DWPTA

Expert Member
Joined
Jul 28, 2006
Messages
4,366
Ok so the company has installed stricter internet access.

Squid is running 100%, but for some strange reason hotmail is blocked with msn messenger.

These are the ACLs currently in place:

Code:
acl banned_sites dstdomain "/etc/squid/banned_sites"
# Dots are escaped so each pattern matches a literal "." before the extension
acl streaming url_regex -i \.mpeg$ \.mpg$ \.avi$ \.wmv$ \.mp3$ \.rm$ \.asf$ \.torrent$
acl users_with_internet src "/etc/squid/users_with_internet"
acl allowed_users src "/etc/squid/allowed_users"
acl banned_sites2 dstdomain "/etc/squid/banned_sites2"
acl internet_access dstdomain "/etc/squid/internet_access"
http_access deny banned_sites
http_access deny banned_sites2
http_access deny streaming
http_access allow SSL_ports users_with_internet
http_access allow allowed_users
http_access allow users_with_internet internet_access

internet_access is the list of allowed sites for normal users to access, and users_with_internet is the IP address.

allowed_users is the exec and a few users allowed full internet access.

Now .hotmail.com is in the list of internet_access but it gets blocked to users_with_internet.

If I add an acl:
Code:
acl MSN_domains dstdomain .hotmail.com
and apply the following rule:
Code:
http_access allow MSN_domains
it gets blocked, but if I deny it then it goes through,

but

what then happens is that it opens the whole internet and the rule of
Code:
http_access allow users_with_internet internet_access
gets thrown out the window, even if
Code:
http_access allow MSN_domains
is at the bottom of proxy restriction list.

Hope it makes sense, but am I missing something....:confused:
 

suPerb0b

Well-Known Member
Joined
Aug 30, 2005
Messages
205
Try putting your deny rules after the allow rules. IIRC, squid needs them in the right order.
 

DWPTA

Ah ok so deny first then allow rules, will try, thanks.
 

DWPTA

Ok played around with where the acl should be and got it right, this should be the last two lines of the proxy restrictions

Code:
http_access allow MSN_domains
http_access allow users_with_internet internet_access

Now hotmail is allowed with internet_access and everything else is blocked.
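
The ordering behaviour discussed in this thread, as an added example that is not part of the original posts and is not Squid's own code: a small Python model of http_access evaluation, where the first matching line wins, ACLs on one line are ANDed, and a request that matches no line gets the opposite of the last line's action. The IP addresses, domain lists and shortened rule lists are constructed, and treating the "deny MSN_domains" experiment as the very last line of the list is an assumption.

```python
# Added example: a small model of how Squid walks http_access lines.
# ACL contents are constructed sample values, not taken from the thread.
ACLS = {
    "users_with_internet": ("src", {"10.0.0.20"}),
    "allowed_users": ("src", {"10.0.0.5"}),
    "internet_access": ("dstdomain", {".hotmail.com", ".example.org"}),
    "MSN_domains": ("dstdomain", {".hotmail.com"}),
    "all": ("src", None),  # built-in ACL: matches every client
}

def acl_matches(name, src, host):
    kind, values = ACLS[name]
    if values is None:
        return True
    if kind == "src":
        return src in values
    # dstdomain: a leading dot matches the domain itself and any subdomain
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in values)

def http_access(rules, src, host):
    """Return 'allow' or 'deny' for one request against an ordered rule list."""
    for action, names in rules:
        # Every ACL on the line must match (AND); the first matching line wins.
        if all(acl_matches(n, src, host) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Shortened list ending in a deny line (assumed shape of the deny experiment).
ENDS_WITH_DENY = [
    ("allow", ["allowed_users"]),
    ("allow", ["users_with_internet", "internet_access"]),
    ("deny", ["MSN_domains"]),
]
# Shortened list ending with the two lines from the last post.
FINAL = [
    ("allow", ["allowed_users"]),
    ("allow", ["MSN_domains"]),
    ("allow", ["users_with_internet", "internet_access"]),
]
# Same list closed with an explicit catch-all, so the fallback never applies.
HARDENED = FINAL + [("deny", ["all"])]
```

In this model FINAL lets any client reach .hotmail.com, because the MSN_domains line carries no src ACL. Ending the list with `http_access deny all` makes the default explicit instead of depending on whichever line happens to be last.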
 