RE: [squid-users] Two Instances of Squid

From: Vernon A. Fort <vfort@dont-contact.us>
Date: Mon, 1 Apr 2002 08:04:11 -0600

Let me lay out my acls.

        1. We use authentication for everything but a few sites. As I'm sure most squid-users have encountered, there are a number of sites (mainly software update programs) that don't play well with authentication, so I have created a noauth acl which allows any user on the internal source to browse to them without authentication.

        2. We do completely ban some sites (mainly pornographic).

        3. My internal source is 192.168.0.0/16

SO... Here's all my acls:

        proxy1 = firewall (192.168.1.13)
        proxy2 = private vpn network (192.168.1.4)

        cache_peer proxy2 parent 3128 0 proxy-only allow-miss no-query

        acl all src 0.0.0.0/0.0.0.0
        acl internal_src src 192.168.0.0/255.255.0.0 # Internal Network
        acl int_domain srcdomain mydomain.int # Internal Domain
        acl int_short url_regex ^http://[^\.]*/
        acl carenet_dsta srcdomain nsh.dcnhs.org # VPN Network Domain
        acl carenet_dstb dst 100.0.0.0/8 # VPN Ip Network
        no_cache deny carenet_dsta # Don't cache anything from the VPN
        no_cache deny carenet_dstb # Don't cache anything from the VPN
        acl careauth proxy_auth "carenet_users" # User list for accessing the VPN Site
        acl onesourceauth proxy_auth "onesrc_users" # Restrict Some users to specific Internet Sites
        acl onesource_dst dstdom_regex "onesrc_dst" # List of sites for these Restricted Users
        acl noauth_sites dstdom_regex "noauth_sites" # Sites which are accessible to Everyone with no Auth
        acl banned_sites dstdom_regex "banned_sites" # Sites restricted to everyone!!
        acl allowedusers proxy_auth REQUIRED # Authenticate Everyone

        http_access deny banned_sites
        http_access allow noauth_sites
        http_access deny onesourceauth !onesource_dst
        http_access deny carenet_dsta carenet_dstb !careauth
        never_direct allow carenet_dsta
        never_direct allow carenet_dstb
        http_access allow internal_src allowedusers !onesourceauth
        http_access deny all

        cache_peer_access proxy2 allow all

My thought process for the http_allow:

        A. Deny internal_src or all access to the banned sites
        B. Allow everyone access to the noauth sites (some are internal like our intranet)
        C. If the authenticated user is listed in onesourceauth, allow them access to just onesource_dst only!
        D. If the authenticated user is listed in careauth, allow access to carenet* and anywhere else.
        E. Allow all remaining authenticated users.

I am not the best with acl rules so any suggestions would be appreciated!

Vernon Fort

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@marasystems.com]
Sent: Sunday, March 31, 2002 9:59 AM
To: Vernon A. Fort
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Two Instances of Squid

"Vernon A. Fort" wrote:

> The only question I still have is how to write a regex expression that will match either a domain name or ipaddress/mask in one file. This is the reason for the dsta and dstb acl lines. If anyone wants my conf files, I will send via private email.

Don't. Use the dstdomain and dst ACL types, preferring "dstdomain" as
first http_access rule.

And I think you made the same error on source vs destination in the
posted ruleset.. (you were using srcdomain, where I think you meant to
use dstdomain).

Regards
Henrik
Received on Mon Apr 01 2002 - 07:05:57 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:18 MST
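To see why Henrik's srcdomain/dstdomain remark matters for the ruleset above, here is an added toy evaluator (not from the thread or from Squid) that applies http_access semantics: first matching line wins, every ACL term on a line must match, and "!" negates. The user lists, hostnames, addresses and regexes are constructed placeholders, and domain ACLs use a plain suffix test rather than Squid's exact rules.

```python
# Added toy evaluator of Squid http_access semantics; not Squid code.
# All user lists, hosts, addresses and regexes below are constructed placeholders.
import ipaddress, re

def acl_matches(acl, req):  # simplified matchers, suffix test for domain ACLs
    kind, value = acl
    if kind in ("src", "dst"):     # client address / resolved destination address
        addr = req["src"] if kind == "src" else req["dst_ip"]
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value)
    if kind == "srcdomain":        # client's reverse-DNS name, NOT the site requested
        return req["src_rdns"].endswith(value)
    if kind == "dstdomain":        # host named in the request URL
        return req["dst_host"].endswith(value)
    if kind == "dstdom_regex":
        return re.search(value, req["dst_host"]) is not None
    if kind == "proxy_auth":       # "REQUIRED" = any logged-in user, else a user list
        return req["user"] is not None and (value == "REQUIRED" or req["user"] in value)
    raise ValueError(kind)

def http_access(acls, rules, req):  # first line whose terms all match decides
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny"                  # Squid's default when no line matches

def acls_from_post(vpn_acl_type):  # 'srcdomain' as posted, or 'dstdomain'
    return {
        "internal_src": ("src", "192.168.0.0/16"),
        "carenet_dsta": (vpn_acl_type, "nsh.dcnhs.org"),
        "carenet_dstb": ("dst", "100.0.0.0/8"),
        "careauth": ("proxy_auth", {"vpnuser"}),          # constructed carenet_users
        "onesourceauth": ("proxy_auth", {"restricted"}),  # constructed onesrc_users
        "onesource_dst": ("dstdom_regex", r"onesource\.example$"),
        "noauth_sites": ("dstdom_regex", r"^intranet\.mydomain\.int$"),
        "banned_sites": ("dstdom_regex", r"banned\.example$"),
        "allowedusers": ("proxy_auth", "REQUIRED"),
    }

RULES = [  # http_access lines in the posted order
    ("deny", ["banned_sites"]),
    ("allow", ["noauth_sites"]),
    ("deny", ["onesourceauth", "!onesource_dst"]),
    ("deny", ["carenet_dsta", "carenet_dstb", "!careauth"]),
    ("allow", ["internal_src", "allowedusers", "!onesourceauth"]),
]

def vpn_decision(vpn_acl_type, dst_host):  # user "alice" is NOT in carenet_users
    req = {"src": "192.168.5.5", "src_rdns": "pc5.mydomain.int", "user": "alice",
           "dst_host": dst_host, "dst_ip": "100.1.2.3"}
    return http_access(acls_from_post(vpn_acl_type), RULES, req)
```

With srcdomain as posted, the carenet deny line never fires for a normal client, so `vpn_decision("srcdomain", "nsh.dcnhs.org")` is "allow"; with dstdomain it becomes "deny". Because the terms on one line are ANDed, a 100.0.0.0/8 host under some other name still gets "allow", so an "either domain or address" restriction needs one deny line per ACL.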