?
Solved

Squid Cache ACL - allow and deny group of users - a set of sites

Posted on 2008-06-21
2
Medium Priority
?
1,631 Views
Last Modified: 2010-05-18
i am trying to get a squid.conf working.

There are 4 sets of users who should be allowed or denied sites based on rules.

The squid.conf looks like this:
---squid.conf--------------------------------------------------------
#external_acl_type ip_user  %SRC
#/usr/libexec/squid/ip_user_check -f /usr/local/etc/ip_user.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.6-192.168.1.7/24
acl MISIPs src 192.168.1.21-192.168.1.24/24
acl MktgIPs src 192.168.1.25-192.168.1.26/24
acl SrManagersIPs src 192.168.1.29-192.168.1.34/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
# deny Sr Managers SrManagersBanned Sites access
http_access deny SrManagersIPs SrManagersBanned
# deny everybody Banned Sites access
http_access deny porn
http_access allow MISIPs SrManagersBanned
http_access allow MISIPs all
http_access allow MktgIPs MktgAllow
http_access allow OperationsIPs OperationsAllow
http_access deny MISIPs all
http_access deny MktgIPs all
http_access deny OperationsIPs all
http_access deny all
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern (cgi-bin|\?)      0      0%      0
refresh_pattern .            0      20%      4320
cache_effective_user squid
visible_hostname      squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com SrManagersBanned
---squid.conf--------------------------------------------------------

MISIPs should get access to all sites except BannedForAll [porn]

Please help.
0
Comment
Question by:agnesfernandes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 3

Accepted Solution

by:
dextermain earned 2000 total points
ID: 21842239
Hi

ACL's work from top to bottom

If a rule in the top is hit it will not go on to the next.

http_access deny porn
http_access allow MISIPs all
htcp_access deny all

These 2 are the same if you use the all (line 2) you can remove line 1
http_access allow MISIPs SrManagersBanned (line 1)
http_access allow MISIPs all (line 2)

From above if it is a porn site it will say access denied. Everything else it will accept.

What is the content of acl porn url_regex "/usr/local/etc/BannedSitesForAll"

You can try

acl porn dstdom_regex -i "/usr/local/etc/BannedSitesForAll"
instead of
acl porn url_regex "/usr/local/etc/BannedSitesForAll"

Please let me know what the outcome is.
0
 

Author Comment

by:agnesfernandes
ID: 21855012
Hi,

Thanks for the tip.

ACL's work from top to bottom
If a rule in the top is hit it will not go on to the next.

Reconfigured ACLs like this.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.210/24
acl AccountsIPs src 192.168.1.2/24
acl MISIPs src 192.168.1.21-192.168.1.24/24
acl SrManagersIPs src 192.168.1.25/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
acl AccountsAllow url_regex "/usr/local/etc/AllowedSitesForAccounts"
http_access allow OperationsIPs OperationsAllow
http_access allow AccountsIPs AccountsAllow
http_access allow SrManagersIPs !SrManagersBanned !porn
http_access allow MISIPs !porn
http_access deny porn
http_access deny all
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern (cgi-bin|\?)      0      0%      0
refresh_pattern .            0      20%      4320
cache_effective_user squid
visible_hostname      squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com all
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question