Can't help with a lot of this, but in some areas I have a similar setup.
>
>
> 2. This squid is meant to serve around 10-20 users in our company's LAN
> (no more than 3-4 at a time tho) but not all clients are equal... so I
> thought I'll apply a simple rule...
>
> 2.1 Giving "super-users" true IP from the inside-of-firewall subnet
> (195.99.19.20 255.255.255.224 for example), and "normal-users" a fake IP
> like 192.168.1.20 255.255.255.0... (does this need IP Masquerading too? We
> only set a second "gateway address" to 192.168.1.1 on the interface)
>
> 2.2 "Super users" should get all URLs unrestricted... and "Normal
> users" should get all URLs except those matching some strings I'll
> type in... like sex playboy etc... (I think it's a lot easier to
> prevent access to these sites by keyword than to predict all
> domains... :)) ).
I have a number of groups set up in my acl rules, e.g.
acl masters src xxx.xxx.xxx.51 xxx.xxx.xxx.52 (real IPs removed!)
then I have:
http_access allow masters
at the top of the http rules themselves so that these two IPs (mine and the
technician's) have unrestricted access. You could intersperse these group
allow statements at appropriate points in your list of rules.
> 2.3 A possible "extension" of the 2.2 rule... would be if "normal
> users" could get all sites unrestricted but only after 17:00 or so... but
> that's entirely optional... if it messes things up too much... I'll better
> leave it.
You can also use time-based ACLs, e.g.
acl Lunch time MTWHF 12:30-13:30
then in the list of http rules (I seem to have deleted this requirement from my
list but it goes something like this)
http_access allow ILC Lunch webmail
http_access deny ILC webmail webmail2 WebmailIP
so allow access at lunchtime but deny it at other times.
>
HTH
--
Simon Bryan, sbryan@olmc.nsw.edu.au
Information Technology Manager, sbryan@mpx.com.au
OLMC Parramatta

Received on Wed Dec 08 1999 - 18:37:27 MST
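
The rule-ordering advice in the reply above, modelled as an added Python example (not from the original post and not Squid code). It follows Squid's documented http_access behaviour: lines are checked top to bottom, all ACLs on a line must match, and the first matching line wins. The ACL names (superusers, normalusers, badwords, afterhours), subnets and URLs are assumptions built from the addresses and keywords in the question.

```python
import ipaddress
import re
from datetime import datetime

# Constructed policy for the question's points 2.1-2.3 (names are hypothetical).
ACLS = {
    "superusers":  ("src", ipaddress.ip_network("195.99.19.0/27")),
    "normalusers": ("src", ipaddress.ip_network("192.168.1.0/24")),
    "badwords":    ("url_regex", re.compile("sex|playboy", re.I)),  # like url_regex -i
    "afterhours":  ("time", ("MTWHF", "17:00", "23:59")),
    "all":         ("src", ipaddress.ip_network("0.0.0.0/0")),
}
# Order matters: group allows first, keyword deny before the general allow.
RULES = [
    ("allow", ["superusers"]),
    ("allow", ["normalusers", "afterhours"]),
    ("deny",  ["normalusers", "badwords"]),
    ("allow", ["normalusers"]),
    ("deny",  ["all"]),
]
DAY_CODES = "MTWHFAS"  # Squid day letters, Monday first (A = Saturday, S = Sunday)

def acl_matches(name, client_ip, url, when):
    """True if the named ACL matches this request."""
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(client_ip) in value
    if kind == "url_regex":
        return value.search(url) is not None
    days, start, end = value
    hhmm = when.strftime("%H:%M")  # zero-padded, so string comparison is safe
    return DAY_CODES[when.weekday()] in days and start <= hhmm <= end

def decide(client_ip, url, when, rules=RULES):
    """Return 'allow' or 'deny' from the first rule whose ACLs all match."""
    for action, names in rules:
        if all(acl_matches(n, client_ip, url, when) for n in names):
            return action
    return "deny"  # simplification: never reached while the list ends in 'deny all'

if __name__ == "__main__":
    morning = datetime(1999, 12, 8, 10, 0)   # a Wednesday
    for ip, url in [("195.99.19.20", "http://www.playboy.com/"),
                    ("192.168.1.20", "http://www.playboy.com/"),
                    ("192.168.1.20", "http://www.essex.ac.uk/")]:
        print(ip, url, decide(ip, url, morning))
```

The last sample request shows the cost of matching on keywords: a normal user is denied an unrelated site because its hostname happens to contain one of the strings.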