Re: [squid-users] FAQ/Most common ACL's

From: <Werner.Rost@dont-contact.us>
Date: Fri, 1 Aug 2003 07:54:40 +0200

A great idea!
You could search the archive of the squid mailing list. Here you will find a
lot of questions from users - and of course a lot of excellent answers from
Henrik.

Here are some examples:

I want certain users to be able to access certain sites.
I also want some users to be able to access all sites.

acl all src ...................
acl full src ...................
acl user1 src ..................
acl site1 dstdomain .squid-cache.org

http_access allow user1 site1
http_access allow all !user1
http_access deny all

I need to define some groups of users, permitting or denying access to some sites
with ACLs based on group properties, using a proxy_auth directive with ncsa_auth
(or similar).....

Example:

For the group of personnel responsible for cars in my company, restrict access to
the sites www.yahoo.com, www.altavista.com, etc., and for the group of personnel
responsible for finance, restrict access to the sites www.financial.com.br,
www.test.com, www.fapesp.br, etc.

acl car proxy_auth "/path/to/file/with/car/personell"
acl car_sites dstdomain "/path/to/file/with/car/sites"

acl financial proxy_auth "/path/to/file/with/financial/personell"
acl financial_sites dstdomain "/path/to/file/with/financial/sites"

http_access allow car car_sites
http_access allow financial financial_sites

http_access deny car
http_access deny financial

I don't want particular users to access URLs ending with .zip, .exe, .mpg etc.,
i.e. I don't want particular users (e.g. 192.168.1.10 to 192.168.1.20) to
download those files, yet I want to be able to go to other sites.

acl local_users src 192.168.1.0/255.255.255.0

acl restricted_files urlpath_regex \.zip$ \.exe$ \.mpg$
acl restricted_users src 192.168.1.10-192.168.1.20/255.255.255.255

http_access deny restricted_users restricted_files
http_access allow local_users

I am trying to set up ACLs for squid so that before 8:00, after 16:00 and from
13:00 to 13:30 users can surf anywhere. But from 8:00 to 16:00, excluding 13:00
to 13:30, they cannot go to bigbrothersa.com.

acl all src 0.0.0.0/0.0.0.0
acl bbsadom dstdomain_regex -i .*bigbrothersa\.com
# day codes are S M T W H F A (H = Thursday, A = Saturday); SMTWTFA would skip Thursday
acl nobbsa time SMTWHFA 08:00-13:00
acl nobbsa time SMTWHFA 13:30-16:00

http_access deny bbsadom nobbsa
http_access allow all

I have a so-called "writer's block" (squid acl) (I hope I am clear... sorry
for the bad description)

I want my intranet users to be free to access the acl unblockedsites (this
works), but the "internet users" need to authenticate. (This is the tricky bit.)

The internet users may ONLY access the "unblockedsites" with authentication,
and the rproxy list WITHOUT authentication.

# Allow everybody to access the domains in rproxy.txt
acl rproxy dstdomain "/etc/squid/rproxy.txt"
http_access allow rproxy

# Some ACL groups for users and destinations
acl intra-networks src 192.168.0.0/16 150.50.0.0/16 10.30.0.0/16 10.50.0.0/16 194.134.69.64/26 172.16.4.32/28
acl unblockedsites url_regex "/etc/squid/unblock.txt"
acl secure_id proxy_auth REQUIRED

# Allow intranet to access unblockedsites freely
http_access allow unblockedsites intra-networks

# Allow everyone to access unblockedsites if they log in
http_access allow unblockedsites secure_id

# Allow intranet to access anything if they log in
http_access allow intra-networks secure_id

# Deny everything else
http_access deny all

Is it possible to use proxy_auth for FTP access? I have created an acl for
this, but it is not working:

acl ftpaccess proto FTP proxy_auth REQUIRED

You would need to combine two ACLs. The above matches the protocols "FTP",
"proxy_auth" and "REQUIRED". Probably not what you intended.

acl FTP proto FTP
acl auth proxy_auth REQUIRED

http_access allow FTP auth

I'd like to configure squid-2.4 to deny requests with private IP addresses
in the URL and respond with a customized error message. What could such an
ACL look like?

acl private_ip dst 192.168.0.0/16 ....
http_access deny private_ip
deny_info ERR_PRIVATE_IP private_ip

And put your custom error message in errors/ERR_PRIVATE_IP

> > acl CANTEEN src 10.1.2.3 10.1.2.4
> > acl OPEN1 time SMTWHFA 08:00-10:00
> > acl OPEN2 time SMTWHFA 11:00-13:00
> > acl OPEN3 time SMTWHFA 18:00-20:00
> > acl OPEN4 time SMTWHFA 1:00-3:00
> > http_access allow CANTEEN OPEN1
> > http_access allow CANTEEN OPEN2
> > http_access allow CANTEEN OPEN3
> > http_access allow CANTEEN OPEN4
> > http_access deny CANTEEN

Kind regards / regards
 
Werner Rost
GM-FIR - Netzwerk
 
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175
53175 Bonn
 
Tel. +49 228 38 25 - 420
Fax +49 228 38 25 - 398
mailto:werner.rost@zfboge.com
www.zf.com/boge-elastmetall
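The "writer's block" rule set above is a convenient place to see how Squid walks an http_access list. What follows is an added example, not code from this post or from Squid itself: a small Python model of that evaluation order, run against the quoted rules, with constructed stand-ins for the contents of rproxy.txt, unblock.txt and the intra-networks list; the request dictionary and the helper names are my own.

```python
import ipaddress
import re
# Constructed stand-ins for /etc/squid/rproxy.txt, /etc/squid/unblock.txt and
# the intra-networks list (two of the quoted ranges are enough for the demo).
RPROXY_DOMAINS = (".rproxy.example",)                          # dstdomain entries
UNBLOCK_PATTERNS = (re.compile(r"www\.unblocked\.example/"),)  # url_regex entries
INTRA_NETS = tuple(ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.30.0.0/16"))

def acl_match(name, req):
    """True/False for one ACL; None when proxy_auth is reached without credentials."""
    if name == "rproxy":                 # dstdomain: the domain itself or any subdomain
        h = req["host"]
        return any(h == d[1:] or h.endswith(d) for d in RPROXY_DOMAINS)
    if name == "unblockedsites":         # url_regex against the full URL
        return any(p.search(req["url"]) for p in UNBLOCK_PATTERNS)
    if name == "intra-networks":         # src against the client address
        return any(ipaddress.ip_address(req["src"]) in n for n in INTRA_NETS)
    if name == "secure_id":              # proxy_auth REQUIRED
        return None if req["user"] is None else True
    if name == "all":
        return True
    raise KeyError(name)

HTTP_ACCESS = [                          # the quoted rule set, in order
    ("allow", ["rproxy"]),
    ("allow", ["unblockedsites", "intra-networks"]),
    ("allow", ["unblockedsites", "secure_id"]),
    ("allow", ["intra-networks", "secure_id"]),
    ("deny", ["all"]),
]

def http_access(req, rules=HTTP_ACCESS):
    """Return 'allow', 'deny' or '407' (credentials requested) for one request.
    Lines are tried in order; the ACLs on a line are ANDed and checked left to
    right, so a line is abandoned at its first non-matching ACL."""
    for action, acls in rules:
        for name in acls:
            m = acl_match(name, req)
            if m is None:
                return "407"             # challenge as soon as auth is needed
            if not m:
                break                    # try the next http_access line
        else:
            return action                # every ACL on this line matched
    return "allow" if rules[-1][0] == "deny" else "deny"  # opposite of last line

def req(src, url, user=None):
    """Constructed request: client IP, full URL (host taken from it), optional login."""
    return {"src": src, "url": url, "host": url.split("/")[2], "user": user}
```

Running it shows the tricky bit: an intranet client asking for a site outside unblock.txt without credentials is challenged by the fourth line, while an outside client asking for the same site never reaches a proxy_auth ACL and falls through to deny all.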
 
 

> -----Original Message-----
> From: Tony Melia (DMS) [mailto:Tony.Melia@downsmicro.com.au]
> Sent: Wednesday, 30 July 2003 02:46
> To: squid-users@squid-cache.org
> Subject: [squid-users] FAQ/Most common ACL's
>
>
> I am looking at putting together either a FAQ or snippets of
> config files to achieve some of the most commonly asked
> questions on Squid configuration, particularly ACL's (at
> least info not already covered in current doc's/default
> config file).
>
> Can I ask people if they have weird or wonderful snippets of
> code that they may want to contribute, that they send it to
> me (just snippets, not entire config).
>
> Examples are;
> How do I block MSN Messenger
> How do I block MSN Messenger and allow use only at lunchtime/afterhours
> How do I limit [list of] web sites to 10K/sec speed so our bandwidth is not saturated
> How do I configure Windows 2000 group restrictions
> How do I do.....
>
> Any other config that you think is worth adding that you
> found useful, but not easy to set up.
>
>
> Alternatively, if you know of a list like this already
> compiled, let me know.
>
>
> Regards,
> TM
>
>
> Downs MicroSystems Pty Ltd
> 145 Margaret Street
> Toowoomba Qld 4350
> Ph. (07) 4639 3344 Fax (07) 4639 3820
>
> Important Disclaimer and Warning
>
> Downs MicroSystems does not represent or warrant that any
> attached files are free from computer viruses or other
> defects. The attached files are provided, and may only be
> used, on the basis that the user assumes all responsibility
> for any loss, damage or consequences resulting directly or
> indirectly from use of the attached files. The liability of
> Downs MicroSystems in any event is limited to either the
> resupply of the attached files or the cost of having the
> attached files resupplied.
>
> NOTE: The views expressed by the individual in this message
> do not necessarily reflect those of the organisation.
>
> Downs MicroSystems is committed to protecting the privacy of
> individuals, and is bound by the principles of the
> Commonwealth Privacy Act (1988). Should you wish to view our
> Privacy Policy, please visit www.downsmicro.com.au.
>
> The information contained in this message is confidential and
> may be legally privileged. The message is intended solely for
> the addressee(s). If you are not the intended recipient, you
> are hereby notified that any use, dissemination, or
> reproduction is strictly prohibited and may be unlawful. If
> you are not the intended recipient, please contact the sender
> by return e-mail and destroy all copies of the original message.
>
>
Received on Thu Jul 31 2003 - 23:54:21 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:18:23 MST