RE: [squid-users] SQUID- ACL for different time frame for different block of IP addresses.

From: Chris Robertson <crobertson@dont-contact.us>
Date: Tue, 8 Feb 2005 09:01:14 -0900

> -----Original Message-----
> From: thomas [mailto:thomas.xavier@gmail.com]
> Sent: Tuesday, February 08, 2005 8:16 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] SQUID- ACL for different time frame for different
> block of IP addresses.
>
>
> Dear All
> Requirement has arisen to provide access to a group of machine
> categorized based on IP address.
>
> ACL created is as follows:-
>
> acl fulltime_ip 10.10.10.40-10.10.10.254
> acl slot1_ip src 10.10.10.25 10.10.10.30 10.10.10.35
> acl slot1_time time 08:00-10:00
> acl slot2_ip src 10.10.10.39 10.10.10.40 10.10.10.41
> acl slot2_time time 10:00-12:00
> acl CONNECT method CONNECT
> acl ncsa_users proxy_auth REQUIRED
>
> HTTP_ACCESS statements are as follows:-
>
> http_access allow localhost
> http_access allow ncsa_users
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All authenticated users (no matter the IP or the time, source or
destination) are allowed access

> http_access allow slot1_ip slot1_time
> http_access allow slot2_ip slot2_time
> http_access allow fulltime_ip
> http_access allow Safe_ports
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Everyone (no matter the IP or the time) is allowed access to Safe_ports

> http_reply_access allow all
> icp_access allow all
> miss_access allow all
> http_access allow SSL_ports
> http_access deny all
>
> Q1= With above ACL and http_access, machines are not getting denied
> though they are supposed to be denied apart from their specified time
> slot.
>
> Q2= Is the http_access sequence OK? If not what should be?
>
> Q3= Please suggest better way of doing the same?
>
> Q4= Similar to http_access sequence, should I have to take care of acl
> statement sequence too?
>
> TIA

This is probably how you want to do it:

# Deny anyone from accessing a "non-safe" port
http_access deny !Safe_ports
# Deny CONNECT requests to non-SSL ports
http_access deny CONNECT !SSL_ports
# Require authentication
http_access deny !ncsa_users
# Allow surfing from the local machine (with authentication)
http_access allow localhost
# Allow slot1 IPs during their time (with authentication)
http_access allow slot1_ip slot1_time
# Allow slot2 IPs during their time (with authentication)
http_access allow slot2_ip slot2_time
# Allow fulltime IPs anytime (with authentication)
http_access allow fulltime_ip
# Just for clarity
http_access deny all

icp_access is only useful (to the best of my knowledge) if you have sibling
or child caches.
http_reply_access only needs to be specifically allowed if you are denying
some.

Chris
Received on Tue Feb 08 2005 - 11:01:16 MST
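
Added example (not part of the original thread, and not Squid's own code): a small Python model of first-match http_access evaluation, run over the original rule order and the reordered rules from the reply. The localhost, Safe_ports and SSL_ports definitions, the sample request, and treating a missing login as a plain non-match of ncsa_users are assumptions made for the example.

```python
from datetime import time
from ipaddress import ip_address

def ip_in(*addrs):
    return lambda r: r["src"] in addrs

def between(start, end):
    return lambda r: start <= r["now"] <= end

# ACLs from the thread as predicates over a constructed request dict.
# localhost, Safe_ports and SSL_ports are not shown in the thread: assumed values.
ACLS = {
    "all": lambda r: True,
    "localhost": ip_in("127.0.0.1"),
    "ncsa_users": lambda r: r["user"] is not None,  # valid credentials presented
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "Safe_ports": lambda r: r["port"] in (80, 443),
    "SSL_ports": lambda r: r["port"] == 443,
    "slot1_ip": ip_in("10.10.10.25", "10.10.10.30", "10.10.10.35"),
    "slot1_time": between(time(8), time(10)),
    "slot2_ip": ip_in("10.10.10.39", "10.10.10.40", "10.10.10.41"),
    "slot2_time": between(time(10), time(12)),
    "fulltime_ip": lambda r: ip_address("10.10.10.40") <= ip_address(r["src"])
                             <= ip_address("10.10.10.254"),
}
ORIGINAL = ["allow localhost", "allow ncsa_users", "allow slot1_ip slot1_time",
            "allow slot2_ip slot2_time", "allow fulltime_ip", "allow Safe_ports",
            "allow SSL_ports", "deny all"]
REORDERED = ["deny !Safe_ports", "deny CONNECT !SSL_ports", "deny !ncsa_users",
             "allow localhost", "allow slot1_ip slot1_time",
             "allow slot2_ip slot2_time", "allow fulltime_ip", "deny all"]

def matches(name, req):
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate

def evaluate(rules, req):
    """Return (action, rule) for the first line whose ACLs all match (ANDed)."""
    for rule in rules:
        action, *names = rule.split()
        if all(matches(n, req) for n in names):
            return action, rule
    return "deny", "(no rule matched)"  # not reached: both lists end in "deny all"

# Constructed request: authenticated slot1 machine at 15:00, outside its slot.
late = {"src": "10.10.10.25", "now": time(15), "user": "alice",
        "method": "GET", "port": 80}
if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(label, evaluate(rules, late))
```
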
