Solved

Squid Cache ACL - allow and deny group of users - a set of sites

Posted on 2008-06-21
2
1,571 Views
Last Modified: 2010-05-18
i am trying to get a squid.conf working.

There are 4 sets of users who should be allowed or denied sites based on rules.

The squid.conf looks like this:
---squid.conf--------------------------------------------------------
#external_acl_type ip_user  %SRC
#/usr/libexec/squid/ip_user_check -f /usr/local/etc/ip_user.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.6-192.168.1.7/24
acl MISIPs src 192.168.1.21-192.168.1.24/24
acl MktgIPs src 192.168.1.25-192.168.1.26/24
acl SrManagersIPs src 192.168.1.29-192.168.1.34/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
# deny Sr Managers SrManagersBanned Sites access
http_access deny SrManagersIPs SrManagersBanned
# deny everybody Banned Sites access
http_access deny porn
http_access allow MISIPs SrManagersBanned
http_access allow MISIPs all
http_access allow MktgIPs MktgAllow
http_access allow OperationsIPs OperationsAllow
http_access deny MISIPs all
http_access deny MktgIPs all
http_access deny OperationsIPs all
http_access deny all
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern (cgi-bin|\?)      0      0%      0
refresh_pattern .            0      20%      4320
cache_effective_user squid
visible_hostname      squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com SrManagersBanned
---squid.conf--------------------------------------------------------

MISIPs should get access to all sites except BannedForAll [porn]

Please help.
0
Comment
Question by:agnesfernandes
2 Comments
 
LVL 3

Accepted Solution

by:
dextermain earned 500 total points
ID: 21842239
Hi

ACL's work from top to bottom

If a rule in the top is hit it will not go on to the next.

http_access deny porn
http_access allow MISIPs all
htcp_access deny all

These 2 are the same if you use the all (line 2) you can remove line 1
http_access allow MISIPs SrManagersBanned (line 1)
http_access allow MISIPs all (line 2)

From above if it is a porn site it will say access denied. Everything else it will accept.

What is the content of acl porn url_regex "/usr/local/etc/BannedSitesForAll"

You can try

acl porn dstdom_regex -i "/usr/local/etc/BannedSitesForAll"
instead of
acl porn url_regex "/usr/local/etc/BannedSitesForAll"

Please let me know what the outcome is.
0
 

Author Comment

by:agnesfernandes
ID: 21855012
Hi,

Thanks for the tip.

ACL's work from top to bottom
If a rule in the top is hit it will not go on to the next.

Reconfigured ACLs like this.

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.210/24
acl AccountsIPs src 192.168.1.2/24
acl MISIPs src 192.168.1.21-192.168.1.24/24
acl SrManagersIPs src 192.168.1.25/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
acl AccountsAllow url_regex "/usr/local/etc/AllowedSitesForAccounts"
http_access allow OperationsIPs OperationsAllow
http_access allow AccountsIPs AccountsAllow
http_access allow SrManagersIPs !SrManagersBanned !porn
http_access allow MISIPs !porn
http_access deny porn
http_access deny all
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp:            1440      20%      10080
refresh_pattern ^gopher:      1440      0%      1440
refresh_pattern (cgi-bin|\?)      0      0%      0
refresh_pattern .            0      20%      4320
cache_effective_user squid
visible_hostname      squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com all
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now