Solved

Squid Cache ACL - allow and deny group of users - a set of sites

Posted on 2008-06-21
2
1,583 Views
Last Modified: 2010-05-18
i am trying to get a squid.conf working.

There are 4 sets of users who should be allowed or denied sites based on rules.

The squid.conf looks like this:
---squid.conf--------------------------------------------------------
#external_acl_type ip_user  %SRC
#/usr/libexec/squid/ip_user_check -f /usr/local/etc/ip_user.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.6-192.168.1.7/24
acl MISIPs src 192.168.1.21-192.168.1.24/24
acl MktgIPs src 192.168.1.25-192.168.1.26/24
acl SrManagersIPs src 192.168.1.29-192.168.1.34/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
# deny Sr Managers SrManagersBanned Sites access
http_access deny SrManagersIPs SrManagersBanned
# deny everybody Banned Sites access
http_access deny porn
http_access allow MISIPs SrManagersBanned
http_access allow MISIPs all
http_access allow MktgIPs MktgAllow
http_access allow OperationsIPs OperationsAllow
http_access deny MISIPs all
http_access deny MktgIPs all
http_access deny OperationsIPs all
http_access deny all
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern (cgi-bin|\?)      0      0%      0
refresh_pattern .            0      20%      4320
cache_effective_user squid
visible_hostname      squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com SrManagersBanned
---squid.conf--------------------------------------------------------

MISIPs should get access to all sites except BannedForAll [porn]

Please help.
0
Comment
Question by:agnesfernandes
2 Comments
 
LVL 3

Accepted Solution

by:
dextermain earned 500 total points
ID: 21842239
Hi

ACL's work from top to bottom

If a rule in the top is hit it will not go on to the next.

http_access deny porn
http_access allow MISIPs all
htcp_access deny all

These 2 are the same if you use the all (line 2) you can remove line 1
http_access allow MISIPs SrManagersBanned (line 1)
http_access allow MISIPs all (line 2)

From above if it is a porn site it will say access denied. Everything else it will accept.

What is the content of acl porn url_regex "/usr/local/etc/BannedSitesForAll"

You can try

acl porn dstdom_regex -i "/usr/local/etc/BannedSitesForAll"
instead of
acl porn url_regex "/usr/local/etc/BannedSitesForAll"

Please let me know what the outcome is.
0
 

Author Comment

by:agnesfernandes
ID: 21855012
Hi,

Thanks for the tip.

ACL's work from top to bottom
If a rule in the top is hit it will not go on to the next.

Reconfigured ACLs like this.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.210/24
acl AccountsIPs src 192.168.1.2/24
acl MISIPs src 192.168.1.21-192.168.1.24/24
acl SrManagersIPs src 192.168.1.25/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
acl AccountsAllow url_regex "/usr/local/etc/AllowedSitesForAccounts"
http_access allow OperationsIPs OperationsAllow
http_access allow AccountsIPs AccountsAllow
http_access allow SrManagersIPs !SrManagersBanned !porn
http_access allow MISIPs !porn
http_access deny porn
http_access deny all
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern (cgi-bin|\?)      0      0%      0
refresh_pattern .            0      20%      4320
cache_effective_user squid
visible_hostname      squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com all
0

Featured Post

Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Every computer eventually fails. When that happens, your valuable data is only as safe as your current backup.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now