Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Squid Cache ACL - allow and deny group of users - a set of sites

Posted on 2008-06-21
2
Medium Priority
?
1,673 Views
Last Modified: 2010-05-18
i am trying to get a squid.conf working.

There are 4 sets of users who should be allowed or denied sites based on rules.

The squid.conf looks like this:
---squid.conf--------------------------------------------------------
#external_acl_type ip_user  %SRC
#/usr/libexec/squid/ip_user_check -f /usr/local/etc/ip_user.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.6-192.168.1.7/24
acl MISIPs src 192.168.1.21-192.168.1.24/24
acl MktgIPs src 192.168.1.25-192.168.1.26/24
acl SrManagersIPs src 192.168.1.29-192.168.1.34/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
# deny Sr Managers SrManagersBanned Sites access
http_access deny SrManagersIPs SrManagersBanned
# deny everybody Banned Sites access
http_access deny porn
http_access allow MISIPs SrManagersBanned
http_access allow MISIPs all
http_access allow MktgIPs MktgAllow
http_access allow OperationsIPs OperationsAllow
http_access deny MISIPs all
http_access deny MktgIPs all
http_access deny OperationsIPs all
http_access deny all
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern (cgi-bin|\?)      0      0%      0
refresh_pattern .            0      20%      4320
cache_effective_user squid
visible_hostname      squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com SrManagersBanned
---squid.conf--------------------------------------------------------

MISIPs should get access to all sites except BannedForAll [porn]

Please help.
0
Comment
Question by:agnesfernandes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 3

Accepted Solution

by:
dextermain earned 2000 total points
ID: 21842239
Hi

ACL's work from top to bottom

If a rule in the top is hit it will not go on to the next.

http_access deny porn
http_access allow MISIPs all
htcp_access deny all

These 2 are the same if you use the all (line 2) you can remove line 1
http_access allow MISIPs SrManagersBanned (line 1)
http_access allow MISIPs all (line 2)

From above if it is a porn site it will say access denied. Everything else it will accept.

What is the content of acl porn url_regex "/usr/local/etc/BannedSitesForAll"

You can try

acl porn dstdom_regex -i "/usr/local/etc/BannedSitesForAll"
instead of
acl porn url_regex "/usr/local/etc/BannedSitesForAll"

Please let me know what the outcome is.
0
 

Author Comment

by:agnesfernandes
ID: 21855012
Hi,

Thanks for the tip.

ACL's work from top to bottom
If a rule in the top is hit it will not go on to the next.

Reconfigured ACLs like this.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.210/24
acl AccountsIPs src 192.168.1.2/24
acl MISIPs src 192.168.1.21-192.168.1.24/24
acl SrManagersIPs src 192.168.1.25/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
acl AccountsAllow url_regex "/usr/local/etc/AllowedSitesForAccounts"
http_access allow OperationsIPs OperationsAllow
http_access allow AccountsIPs AccountsAllow
http_access allow SrManagersIPs !SrManagersBanned !porn
http_access allow MISIPs !porn
http_access deny porn
http_access deny all
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern (cgi-bin|\?)      0      0%      0
refresh_pattern .            0      20%      4320
cache_effective_user squid
visible_hostname      squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com all
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question