Re: [squid-users] Another ACL Question

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 5 Apr 2002 20:01:57 +0200

Simon White wrote:

> You need something like:
>
> acl putters method PUT
> acl getters method GET
> acl ftpers proto FTP
> acl thosewhocanftp src 192.168.0.0/255.255.255.0
> acl hewhocanput src 192.168.0.2/255.255.255.255
> acl shewhocanget src 192.168.0.3/255.255.255.255
>
> http_access allow ftpers thosewhocanftp !hewhocanput !shewhocanget
> http_access allow ftpers hewhocanput putters
> http_access allow ftpers shewhocanget getters
> http_access deny ftpers any

For simplicity and readability I tend to use the same acl names as what they
match when matching individual protocols or methods.

acl PUT method PUT
acl GET method GET
acl FTP proto FTP
acl my_network src 192.168.0.0/24
acl ftp_put_only src 192.168.0.2
acl ftp_get_only src 192.168.0.3

The http_access rules can also be written in a variety of different ways
depending on which kind of logic one prefers, and what other access these users
should have. The logic of http_access can be described as

  http_access <action> <acl> AND <acl> AND <acl>...
      OR
  http_access <action> <acl> AND <acl> AND <acl> ...
      OR
  http_access <action> <acl> AND <acl> AND <acl> ...
      OR
  http_access <action> <acl> AND <acl> AND <acl> ...

using shortcut logic: the first http_access line where all the acl elements
are true will determine the action taken on the request.

This means that

http_access allow ftp_put_only FTP PUT
http_access deny ftp_put_only

will allow the user listed as ftp_put_only to use FTP to PUT files, but deny
him any other uses of the proxy. (A rather stupid rule: the user will not be
able to retrieve FTP directory listings, surf the web or do anything else...)

It also allows for more interesting constructs like

acl allowed_to_put src 192.168.0.4
http_access deny FTP PUT !allowed_to_put

[before your first "http_access allow" rule]

This will deny FTP PUT to all users except those listed in allowed_to_put.

And so on.

Regards
Henrik Nordström
MARA Systems AB, Sweden
Received on Fri Apr 05 2002 - 11:02:03 MST
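The first-match semantics described in the mail (terms on one http_access line are ANDed, lines are tried in order, the first fully matching line decides) can be checked offline with a small evaluator. This is an added example, not Squid code; the acl names and the constructed requests follow the mail, the `all` acl and the "no match falls back to the opposite of the last rule's action" behaviour are Squid's documented defaults, and the `req()` helper is my own.

```python
import ipaddress

# Constructed acl table mirroring the squid.conf lines in the mail, plus Squid's builtin "all".
ACLS = {
    "PUT": ("method", {"PUT"}),
    "GET": ("method", {"GET"}),
    "FTP": ("proto", {"FTP"}),
    "my_network": ("src", ["192.168.0.0/24"]),
    "ftp_put_only": ("src", ["192.168.0.2"]),
    "ftp_get_only": ("src", ["192.168.0.3"]),
    "allowed_to_put": ("src", ["192.168.0.4"]),
    "all": ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, request):
    """True if a single acl element matches the request."""
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(request["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    return request[kind] in values

def http_access(rules, request):
    """Evaluate http_access rules: each rule is (action, [terms]); a leading '!'
    negates a term. All terms on a line are ANDed; lines are ORed in order and
    the first line whose terms are all true decides. No match: opposite of the
    last rule's action (Squid default); no rules at all: deny."""
    last_action = None
    for action, terms in rules:
        last_action = action
        if all(acl_matches(t.lstrip("!"), request) != t.startswith("!") for t in terms):
            return action
    if last_action is None:
        return "deny"
    return "deny" if last_action == "allow" else "allow"

def req(src, proto="HTTP", method="GET"):  # constructed request (hypothetical helper)
    return {"src": src, "proto": proto, "method": method}

# The two rule sets from the mail, each followed by a normal allow for the LAN and a final deny.
RULES_PUT_ONLY = [("allow", ["ftp_put_only", "FTP", "PUT"]),
                  ("deny", ["ftp_put_only"]),
                  ("allow", ["my_network"]),
                  ("deny", ["all"])]
RULES_DENY_PUT = [("deny", ["FTP", "PUT", "!allowed_to_put"]),  # before the first allow
                  ("allow", ["my_network"]),
                  ("deny", ["all"])]
```

Running the ftp_put_only host through RULES_PUT_ONLY with an FTP GET shows why the mail calls that rule stupid: the directory listing is denied by the second line.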