Squid Cache ACL - allow and deny group of users - a set of sites
I am trying to get a squid.conf working.
There are four groups of users, identified by source IP address, and each group should be allowed or denied access to sites according to its own rules.
The squid.conf looks like this:
---squid.conf------------- ---------- ---------- ---------- ---------- ---
#external_acl_type ip_user %SRC
#/usr/libexec/squid/ip_use r_check -f /usr/local/etc/ip_user.con f
# NOTE(review): the per-group src ACLs below carry a /24 netmask on single
# hosts or small ranges (e.g. 192.168.1.6-192.168.1.7/24). Squid applies the
# mask to the address(es) before matching, so each of these collapses to
# 192.168.1.0/24 and every client in the subnet matches ALL four groups
# (check cache.log for "Netmask masks away part of the specified IP").
# With that, "http_access deny SrManagersIPs SrManagersBanned" hits every
# client, MIS included, and "http_access allow MISIPs all" then grants every
# client everything else -- which is the behaviour being reported.
# Fix: drop the "/24", e.g. "acl MISIPs src 192.168.1.21-192.168.1.24".
# (The stray spaces inside masks and paths are paste artifacts, not config.)
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network (defined but not used by any http_access line)
acl OperationsIPs src 192.168.1.6-192.168.1.7/24
acl MISIPs src 192.168.1.21-192.168.1.24/ 24
acl MktgIPs src 192.168.1.25-192.168.1.26/ 24
acl SrManagersIPs src 192.168.1.29-192.168.1.34/ 24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
# NOTE(review): url_regex patterns match anywhere in the URL unless anchored.
# An allow-list entry such as "example\.com" also matches
# http://evil.example.com.attacker.net/ or any URL carrying that string in
# its path or query, which turns an allow list into a bypass. For host-based
# lists prefer "dstdomain" with a file of ".example.com" entries, or anchor
# the patterns (^https?://([^/]*\.)?example\.com/). HTTPS requests reach the
# proxy as "CONNECT host:port", so path-based patterns never see them.
acl porn url_regex "/usr/local/etc/BannedSite sForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagers Banned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSit esForMktg"
acl OperationsAllow url_regex "/usr/local/etc/AllowedSit esForOpera tions"
# http_access lines are evaluated top to bottom; the first line whose ACLs
# all match decides the request, and nothing after it is consulted.
# deny Sr Managers SrManagersBanned Sites access
http_access deny SrManagersIPs SrManagersBanned
# deny everybody Banned Sites access
http_access deny porn
# NOTE(review): redundant -- "allow MISIPs all" on the next line already
# covers SrManagersBanned for MIS once the group ACLs are fixed.
http_access allow MISIPs SrManagersBanned
http_access allow MISIPs all
http_access allow MktgIPs MktgAllow
http_access allow OperationsIPs OperationsAllow
# NOTE(review): the next three denies add nothing; "deny all" catches them.
http_access deny MISIPs all
http_access deny MktgIPs all
http_access deny OperationsIPs all
http_access deny all
# NOTE(review): everything from here to "deny CONNECT !SSL_ports" is
# unreachable because "deny all" above has already matched. In particular
# the Safe_ports and CONNECT checks never run, so any client allowed above
# can CONNECT to arbitrary ports (25, 22, ...) through the proxy, and the
# cache manager is denied even for localhost. Move these six lines to the
# top of the http_access list, as in Squid's default configuration.
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access .log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
visible_hostname squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied (the ACL named here is the one that triggered the deny)
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com SrManagersBanned
---squid.conf------------- ---------- ---------- ---------- ---------- ---
The MISIPs group should be able to reach every site except those listed in BannedSitesForAll (the `porn` ACL), but with the configuration above that is not what happens.
Please help.
There are four groups of users, identified by source IP address, and each group should be allowed or denied access to sites according to its own rules.
The squid.conf looks like this:
---squid.conf-------------
#external_acl_type ip_user %SRC
#/usr/libexec/squid/ip_use
# NOTE(review): this is a second copy of the listing above; long lines were
# cut off by the page extraction (masks, quoted file names, access_log).
# The same two defects apply: (1) the /24 netmask on host-sized src ranges
# makes every group ACL match the whole 192.168.1.0/24, so all clients fall
# into all four groups; (2) the Safe_ports/CONNECT/manager checks sit after
# "deny all" and are never evaluated, leaving CONNECT to any port open.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl OperationsIPs src 192.168.1.6-192.168.1.7/24
acl MISIPs src 192.168.1.21-192.168.1.24/
acl MktgIPs src 192.168.1.25-192.168.1.26/
acl SrManagersIPs src 192.168.1.29-192.168.1.34/
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
# NOTE(review): unanchored url_regex entries match anywhere in the URL and
# can be bypassed via a look-alike host or a path/query carrying the string;
# prefer dstdomain for host lists. CONNECT requests carry only host:port.
acl porn url_regex "/usr/local/etc/BannedSite
acl SrManagersBanned url_regex "/usr/local/etc/SrManagers
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSit
acl OperationsAllow url_regex "/usr/local/etc/AllowedSit
# http_access: first line whose ACLs all match decides; nothing after it runs.
# deny Sr Managers SrManagersBanned Sites access
http_access deny SrManagersIPs SrManagersBanned
# deny everybody Banned Sites access
http_access deny porn
http_access allow MISIPs SrManagersBanned
http_access allow MISIPs all
http_access allow MktgIPs MktgAllow
http_access allow OperationsIPs OperationsAllow
# NOTE(review): the next three denies are redundant with "deny all".
http_access deny MISIPs all
http_access deny MktgIPs all
http_access deny OperationsIPs all
http_access deny all
# NOTE(review): unreachable from here to "deny CONNECT !SSL_ports"; move
# these six lines to the top of the http_access list.
http_access allow manager localhost
http_access deny manager
# allow users belonging to Specific Group AND allowed Specific Access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access
debug_options ALL,1 33,2
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
visible_hostname squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com SrManagersBanned
---squid.conf-------------
The MISIPs group should be able to reach every site except those listed in BannedSitesForAll (the `porn` ACL), but with the configuration above that is not what happens.
Please help.
Follow-up from the asker:
Thanks for the tip. `http_access` lines are evaluated from top to bottom, and the first line whose ACLs all match decides the request (allow or deny); later lines are never consulted. If no line matches, Squid applies the opposite of the last line, which is why the list should end with an explicit `deny all`. I reconfigured the ACLs as follows.
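# NOTE(review): corrected version of the reconfigured squid.conf. Two
# defects in the posted version are fixed here:
#  1. Every group ACL carried a /24 netmask on a single host or a short
#     range (e.g. "192.168.1.210/24"). Squid applies the mask to the address
#     before matching, so each ACL collapsed to 192.168.1.0/24 and every
#     client matched OperationsIPs, AccountsIPs and SrManagersIPs alike; the
#     first three allow lines then granted everyone nearly everything
#     (cache.log warns "Netmask masks away part of the specified IP").
#  2. The manager, Safe_ports and CONNECT checks sat after
#     "http_access deny all" and were never evaluated, so any allowed client
#     could CONNECT to arbitrary ports (25, 22, ...) through the proxy.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network (not used by any http_access line)
# Group ACLs: plain host addresses / ranges, no netmask (a bare address is /32).
acl OperationsIPs src 192.168.1.210
acl AccountsIPs src 192.168.1.2
acl MISIPs src 192.168.1.21-192.168.1.24
acl SrManagersIPs src 192.168.1.25
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#define Banned Sites for all
# NOTE(review): url_regex patterns match anywhere in the URL unless anchored.
# An allow-list entry such as "example\.com" also matches
# http://evil.example.com.attacker.net/ or any URL carrying that string in
# its path or query, which turns an allow list into a bypass. For host-based
# lists prefer "dstdomain" with a file of ".example.com" entries, or anchor
# the patterns (^https?://([^/]*\.)?example\.com/). HTTPS requests reach the
# proxy as "CONNECT host:port", so path-based patterns never see them.
acl porn url_regex "/usr/local/etc/BannedSitesForAll"
acl SrManagersBanned url_regex "/usr/local/etc/SrManagersBanned"
#define sites allowed for a group of users
acl MktgAllow url_regex "/usr/local/etc/AllowedSitesForMktg" # defined but not referenced by any http_access line
acl OperationsAllow url_regex "/usr/local/etc/AllowedSitesForOperations"
acl AccountsAllow url_regex "/usr/local/etc/AllowedSitesForAccounts" # path was cut off in the paste; confirm the real filename
# http_access lines are evaluated top to bottom; the first line whose ACLs
# all match decides. Protocol-level safety checks come first so that no
# group rule can allow a request past them (same order as Squid's default).
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# The global ban applies to every group, so it is evaluated before any allow.
http_access deny porn
# Per-group rules.
http_access allow OperationsIPs OperationsAllow
http_access allow AccountsIPs AccountsAllow
http_access allow SrManagersIPs !SrManagersBanned
http_access allow MISIPs
# Default: anything not explicitly allowed above is denied.
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/var/logs/access.log squid
debug_options ALL,1 33,2
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
visible_hostname squidserver
icp_port 3130
coredump_dir /usr/local/var/cache
# where to redirect if denied (the ACL named here is the one that triggered the deny)
deny_info http://www.mycompany.com porn
deny_info http://www.mycompany.com all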