ACL on Squid Proxy server

pawanopensource
I configured a Squid proxy server.
1:- Could anyone tell me how to configure an ACL on a group containing a few IPs? For example,
I made a policy to block social networking sites on segment 172.X.X.X. I need to open Facebook for a few IPs or only one IP. How will I do it?

2:- Is it possible to limit email attachment size using Squid? If yes, please let me know how to do it.
Thanks
Commented:
Enable an access list: edit /etc/squid/squid.conf
and add the following lines (substitute IPs where necessary)
acl SOME_ACL src 192.168.1.0/24
acl FACEBOOK_ACL src 192.168.1.1 192.168.1.2
http_access allow SOME_ACL
http_access allow FACEBOOK_ACL
header_access <facebook_ip> deny SOME_ACL
header_access <facebook_ip> deny FACEBOOK_ACL

If you use a GUI like Webmin (www.webmin.com), configuring Squid might become easier for you.

Commented:
I don't think Squid itself can limit mail attachments. You will usually do that on the mail server.
Monis Monther, System Architect
Commented:
Try to keep things as easy as possible.

Edit /etc/squid/squid.conf

# the single IP that is exempted from the block
acl aclname1 src 172.x.x.1
# the network segment that is blocked
acl aclname2 src 172.x.x.x/mask
# a leading dot matches facebook.com and every subdomain of it
acl aclname3 dstdomain .facebook.com

http_access allow aclname1
http_access deny aclname2 aclname3


Explaining the above

The first ACL defines the IP you want to override.
The second ACL defines the network you want to deny access to, although the first ACL has an IP within its range.
The third ACL is the domain facebook.com.

Up to this point nothing will act, so we need to apply http_access rules.

Understanding http_access logic

1- Exit at first match

http_access rules act like firewall rules: they exit the chain at the first match. Therefore, putting the ACL matching the IP you want to override first lets it bypass any deny after that.

2- AND logic

When applying http_access with multiple ACLs, they act with AND logic, meaning that only a request that is both from some IP in the network and trying to access Facebook will match and be denied.


It's important where you put the http_access lines (order is important).

Check this link as a reference

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid



Hope this helps

Monis Monther, System Architect
Commented:
Regarding your second question:

I don't think you can limit attachment size with Squid.

You either do it from your SMTP server or from your webmail program (most webmail is written in PHP, and you can control it from php.ini with the max_upload_size parameter or something like that).

What are you using as SMTP and webmail?
Check this link

http://www.squid-cache.org/Versions/v3/3.1/cfgman/acl.html

On the other hand, there are some web interfaces that can help you configure
ACLs in Squid:

Webmin - http://www.webmin.com/

Artica - www.artica.fr

I use the latter in my company. With this program it is very easy to configure Squid, DansGuardian and ClamAV, and it is very easy to configure ACLs per network segment.
Gabriel Orozco, Solution Architect
Commented:
I will try to answer your questions.
1. You can easily use file names instead of a single IP in the ACL. This lets you keep files where you dynamically add or delete IP addresses without changing the squid.conf file, which is safer.

here an example of what you want:
-------------------------------------------
# add the ACLs (a quoted path loads one entry per line from that file)
acl facebook_allowed src "/etc/squid/facebook_allowed_ips.txt"
# url_regex (not url_regexp) is the Squid ACL type; escape the dots so they match literally
acl facebook_domain url_regex \.facebook\.com
acl socialnetworking url_regex "/etc/squid/social_networking_sites.txt"
acl network172 src 172.0.0.0/8

# access: the exemption goes first because the first matching line wins
http_access allow facebook_allowed facebook_domain
http_access deny network172 socialnetworking
http_access deny all
-------------------------------------------
This is only an example. You can allow when several ACLs are true at the same time, like some source IP addresses and the Facebook site: when the match turns on, the request is allowed.
The second line in the access section is also an example.

For the second question you need to specify whether this is webmail or SMTP, etc., because the approach could be very different (limit size on Squid, or iptables rules for the former).

hth
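The answers above describe how Squid evaluates http_access lines (first matching line wins, the ACLs on one line are ANDed, so the exemption must come before the deny) and the last answer shows src lists loaded from a file. The following is an added example, not code from the page or from Squid itself: a small Python model of that evaluation, so the ordering pitfall can be checked offline against a squid.conf fragment. The configuration text, the contents of the IP list file, and every address and URL below are constructed for illustration; the no-match default (the opposite of the last http_access line's action) follows Squid's documented behaviour.

```python
"""Model of Squid's acl / http_access evaluation (added example, not Squid code).

Supports the subset used in the thread: `src` (IPs and CIDRs, inline or
loaded from a quoted file path), `dstdomain` (a leading dot matches the
domain and all its subdomains), `url_regex` (optionally with -i), the
predefined `all`, `!acl` negation, and http_access allow/deny lines that
AND their ACLs and stop at the first matching line.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed stand-in for the file referenced by the src ACL below.
FILES = {"/etc/squid/facebook_allowed_ips.txt": "172.16.1.10\n172.16.1.11\n"}

# Constructed config: exemption first, then the segment-wide block.
SQUID_CONF = """
acl facebook_allowed src "/etc/squid/facebook_allowed_ips.txt"
acl facebook_domain dstdomain .facebook.com
acl socialnetworking url_regex -i facebook\\.com twitter\\.com
acl network172 src 172.16.0.0/12
http_access allow facebook_allowed facebook_domain
http_access deny network172 socialnetworking
http_access allow network172
http_access deny all
"""

# Same ACLs, but the exemption is placed after the deny: it can never fire.
WRONG_ORDER = SQUID_CONF.replace(
    "http_access allow facebook_allowed facebook_domain\n"
    "http_access deny network172 socialnetworking\n",
    "http_access deny network172 socialnetworking\n"
    "http_access allow facebook_allowed facebook_domain\n",
)


def parse_conf(text, files=FILES):
    """Return ({acl_name: (type, values)}, [(action, [acl names])])."""
    acls, rules = {"all": ("all", [])}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            values = []
            for arg in args:
                if arg.startswith('"') and arg.endswith('"'):   # one entry per file line
                    values += [v.strip() for v in files[arg.strip('"')].splitlines() if v.strip()]
                else:
                    values.append(arg)
            acls.setdefault(name, (kind, []))[1].extend(values)  # repeated acl lines merge
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, src_ip, url):
    kind, values = acl
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    host = urlparse(url).hostname or ""
    if kind == "dstdomain":
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "url_regex":
        flags = re.IGNORECASE if "-i" in values else 0
        return any(re.search(v, url, flags) for v in values if v != "-i")
    raise ValueError(f"unsupported acl type: {kind}")


def http_access(acls, rules, src_ip, url):
    """First http_access line whose ACLs all match decides; returns (action, index)."""
    for i, (action, names) in enumerate(rules):
        matched = all(acl_matches(acls[n.lstrip("!")], src_ip, url) != n.startswith("!")
                      for n in names)
        if matched:
            return action, i
    last = rules[-1][0] if rules else "deny"          # no match: opposite of last line
    return ("deny" if last == "allow" else "allow"), None


def decide(conf_text, src_ip, url):
    acls, rules = parse_conf(conf_text)
    return http_access(acls, rules, src_ip, url)[0]


if __name__ == "__main__":
    requests = [("172.16.1.10", "http://www.facebook.com/"),   # exempted host
                ("172.16.5.5", "http://www.facebook.com/"),    # blocked host
                ("172.16.5.5", "http://example.org/"),         # blocked host, other site
                ("10.0.0.5", "http://example.org/")]           # outside the segment
    for label, conf in (("correct order", SQUID_CONF), ("exemption after deny", WRONG_ORDER)):
        for ip, url in requests:
            print(f"{label:22} {ip:12} {url:26} -> {decide(conf, ip, url)}")
```

Run it and compare the two blocks of output: with the exemption first, 172.16.1.10 reaches Facebook while the rest of 172.16.0.0/12 is denied; move the same allow line below the deny and 172.16.1.10 is denied too, because the deny line matches first and evaluation stops there.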
