RE: [squid-users] Problem understanding acl

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 15 Feb 2006 10:37:09 -0900

> -----Original Message-----
> From: Schelstraete Bart [mailto:bart@schelstraete.org]
> Sent: Wednesday, February 15, 2006 5:47 AM
> To: lists@masonc.com
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Problem understanding acl
>
>
> On Wed, 2006-02-15 at 10:23 -0400, Chris Mason (Lists) wrote:
> >
> > I want to have the following scenario but I can't
> > understand how to do it
> >
> > # Employee general access to a list of sites
> > acl allowed-sites dstdomain .thisdomain.com .thatdomain.com
> > http_access allow allowed-sites
> >
> > # Some employees listed get access to all EXCEPT the banned sites
> > acl banned_sites dstdomain .abc.com .msn.com .hotmail.com .go.com .playboy.com
> > acl password_access proxy_auth someone someone-else anotheruser
> > http_access allow password_access but deny the banned_lists
> >
> > # And finally deny all other access to this proxy
> > http_access allow localhost
> > http_access deny all
>
> Hi,
>
> As far as I understand, it's just like this:
>
>
> acl allowed-sites dstdomain .thisdomain.com .thatdomain.com
> acl banned_sites dstdomain .abc.com .msn.com .hotmail.com .go.com .playboy.com
> acl password_access proxy_auth someone someone-else anotheruser
>
> ##Order is important
> http_access allow allowed-sites
> http_access deny banned_sites
> http_access allow password_access
> http_access deny all
>

One note of caution. This would allow ANYONE who has access to your proxy to use it to access the allowed-sites. Defining an acl that describes your LAN...

acl my-lan src 192.168.0.0/16

...and using it to limit un-authenticated access to allowed-sites...

http_access allow my-lan allowed-sites

... is probably not a bad idea. Further, you can combine the password_access and banned sites into one rule...

http_access allow password_access !banned_sites

... if you wish. There is a whole section of the FAQ dedicated to ACLs (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html).

>
>
> Bart
>
>
>
> --
> Schelstraete Bart
> http://www.schelstraete.org
> bart@schelstraete.org
> 15:43:27 up 3 days, 21:54, 3 users, load average: 1.83, 1.88, 1.78
>
>

Chris
Received on Wed Feb 15 2006 - 12:37:17 MST
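
The rule ordering discussed in this message, as an added example (not part of the original e-mail and not Squid's own code): a small Python model of http_access evaluation that compares the quoted rule order with the version using both suggested changes. Assumptions: a request without a listed user simply fails the proxy_auth ACL (no authentication challenge is modelled), "all" is the usual catch-all source ACL, and the client addresses and the example.org host are constructed.

```python
import ipaddress

# ACLs as defined in the thread, plus the conventional catch-all "all".
ACLS = {
    "allowed-sites": ("dstdomain", [".thisdomain.com", ".thatdomain.com"]),
    "banned_sites": ("dstdomain", [".abc.com", ".msn.com", ".hotmail.com",
                                   ".go.com", ".playboy.com"]),
    "password_access": ("proxy_auth", ["someone", "someone-else", "anotheruser"]),
    "my-lan": ("src", ["192.168.0.0/16"]),
    "all": ("src", ["0.0.0.0/0"]),
}
# Rule order from the quoted suggestion, then the version with both changes.
SUGGESTED = """http_access allow allowed-sites
http_access deny banned_sites
http_access allow password_access
http_access deny all"""
HARDENED = """http_access allow my-lan allowed-sites
http_access allow password_access !banned_sites
http_access deny all"""
# Constructed requests: client address, destination host, authenticated user.
OUTSIDE_ANON = {"src": "203.0.113.7", "host": "www.thisdomain.com", "user": None}
LAN_ANON = {"src": "192.168.1.20", "host": "www.thisdomain.com", "user": None}
AUTH_BANNED = {"src": "192.168.1.20", "host": "www.msn.com", "user": "someone"}
AUTH_OTHER = {"src": "192.168.1.20", "host": "example.org", "user": "someone"}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "dstdomain":  # ".msn.com" covers msn.com and its subdomains
        host = "." + req["host"].lower()
        return any(host.endswith(v) for v in values)
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v) for v in values)
    # proxy_auth, simplified: no or unknown user just fails to match
    return req["user"] in values

def http_access(rules, req):
    for line in rules.splitlines():
        _, action, *names = line.split()
        # All ACLs on one line must match (AND); a leading "!" negates an ACL.
        if all(acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action  # the first matching line decides
    return "deny"  # not reached here: both rule sets end in "deny all"

if __name__ == "__main__":
    for req in (OUTSIDE_ANON, LAN_ANON, AUTH_BANNED, AUTH_OTHER):
        print(req, http_access(SUGGESTED, req), http_access(HARDENED, req))
```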
