Solved

Squid Cache ACL - allow and deny group of users - a set of sites

Posted on 2008-06-21
2
1,599 Views
Last Modified: 2010-05-18
i am trying to get a squid.conf working.

There are 4 sets of users who should be allowed or denied sites based on rules.

The squid.conf looks like this:
---squid.conf--------------------------------------------------------
#external_acl_type ip_user  %SRC
#/usr/libexec/squid/ip_user_check -f /usr/local/etc/ip_user.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.6-192.168.1.7/24
acl MISIPs src 192.168.1.21-192.168.1.24/24
acl MktgIPs src 192.168.1.25-192.168.1.26/24
acl SrManagersIPs src 192.168.1.29-192.168.1.34/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
# deny Sr Managers SrManagersBanned Sites access
http_access deny SrManagersIPs SrManagersBanned
# deny everybody Banned Sites access
http_access deny porn
http_access allow MISIPs SrManagersBanned
http_access allow MISIPs all
http_access allow MktgIPs MktgAllow
http_access allow OperationsIPs OperationsAllow
http_access deny MISIPs all
http_access deny MktgIPs all
http_access deny OperationsIPs all
http_access deny all
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern (cgi-bin|\?)      0      0%      0
refresh_pattern .            0      20%      4320
cache_effective_user squid
visible_hostname      squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com SrManagersBanned
---squid.conf--------------------------------------------------------

MISIPs should get access to all sites except BannedForAll [porn]

Please help.
0
Comment
Question by:agnesfernandes
2 Comments
 
LVL 3

Accepted Solution

by:
dextermain earned 500 total points
ID: 21842239
Hi

ACL's work from top to bottom

If a rule in the top is hit it will not go on to the next.

http_access deny porn
http_access allow MISIPs all
htcp_access deny all

These 2 are the same if you use the all (line 2) you can remove line 1
http_access allow MISIPs SrManagersBanned (line 1)
http_access allow MISIPs all (line 2)

From above if it is a porn site it will say access denied. Everything else it will accept.

What is the content of acl porn url_regex "/usr/local/etc/BannedSitesForAll"

You can try

acl porn dstdom_regex -i "/usr/local/etc/BannedSitesForAll"
instead of
acl porn url_regex "/usr/local/etc/BannedSitesForAll"

Please let me know what the outcome is.
0
 

Author Comment

by:agnesfernandes
ID: 21855012
Hi,

Thanks for the tip.

ACL's work from top to bottom
If a rule in the top is hit it will not go on to the next.

Reconfigured ACLs like this.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.210/24
acl AccountsIPs src 192.168.1.2/24
acl MISIPs src 192.168.1.21-192.168.1.24/24
acl SrManagersIPs src 192.168.1.25/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
acl AccountsAllow url_regex "/usr/local/etc/AllowedSitesForAccounts"
http_access allow OperationsIPs OperationsAllow
http_access allow AccountsIPs AccountsAllow
http_access allow SrManagersIPs !SrManagersBanned !porn
http_access allow MISIPs !porn
http_access deny porn
http_access deny all
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern (cgi-bin|\?)      0      0%      0
refresh_pattern .            0      20%      4320
cache_effective_user squid
visible_hostname      squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com all
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question