[squid-users] Help in ACL Configuration using three rules

From: Sergio Chavarri <sergio_chavarri@dont-contact.us>
Date: Mon, 29 May 2006 12:08:42 -0700 (PDT)

Hi everyone,
After doing some research in the Squid database, maybe
something is missing and I would like feedback on
this configuration.

I am trying to create an access list with "denied
sites" and a denied extension format, like mp3, exe.

But, at the same time, I would like to allow a special
list (domains) to access without restrictions (mp3,
exe).

Actually, I can deny a list of sites and deny an
extension list (mp3, exe) at the same time, but it
doesn't work to allow the special list without
restriction.

Please, take a look in the next lines and let me know
my mistakes in order to implement them.

Thanks a lot. Sergio

# Proxy port
http_port 8080

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
#                                   proxy   icp
#           hostname          type   port    port   options
#           --------------------  --------  -----  -----  -----------
cache_peer proxy.mysite.com parent 8080 0 default no-query allow-miss login=PASS

# TAG: hierarchy_stoplist
hierarchy_stoplist cgi-bin ?

# TAG: no_cache
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# TAG: cache_mem (bytes)
cache_mem 64 MB

# TAG: cache_dir
cache_dir ufs /var/spool/squid 1000 64 256

# TAG: auth_param
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# TAG: refresh_pattern
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# ACCESS CONTROLS
# TAG: acl
# Local networks with "C" IP class: office1, office2, office3
acl office1 src 7.24.10.0/24
acl office2 src 7.24.50.0/24
acl office3 src 7.24.60.0/24

acl SSL_ports port 443 563 8143

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# acl deny for web radio stream
acl webRadioReq1 req_mime_type -i ^video/x-ms-asf$
acl webRadioReq2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl webRadioReq3 req_mime_type -i ^application/x-mms-framed$

acl WMP browser Windows-Media-Player/*

# acl deny for extensions
acl BlockExt url_regex -i \.mp3$ \.asx$ \.wma$ \.wmv$ \.avi$ \.mpeg$ \.mpg$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.exe$

#Special domain without restriction (exe, mp3..)
acl specialdomain dstdomain "/etc/squid/specialdomain"

# Access deny for Web radio /Stream
http_access deny WMP all
http_access deny webRadioReq1 all
http_access deny webRadioReq2 all
http_access deny webRadioReq3 all

http_reply_access deny webRadioRep1 all
http_reply_access deny webRadioRep2 all
http_reply_access deny webRadioRep3 all

http_access deny BlockExt

#Allow specialdomain without BlockExt
http_access deny BlockExt !specialdomain

#Extension for domain & path
#Extension List using files AAA
acl deniedsites url_regex "/etc/squid/deniedsites"

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

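Squid evaluates http_access lines top to bottom, ANDs every ACL on a line, and stops at the first line that matches, so an unconditional `http_access deny BlockExt` placed before `http_access deny BlockExt !specialdomain` means the exception line is never reached. The Python below is an added illustration of that first-match behaviour and is not Squid code or part of the message above; it uses the posted ACL names with a constructed special-domain list (trusted.example), a shortened BlockExt pattern, and an assumed `allow office1` line that the truncated configuration does not show.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed ACL table using the names from the posted squid.conf. BlockExt is
# shortened to a few extensions; the specialdomain list stands in for the file
# /etc/squid/specialdomain (a leading "." means the domain plus its subdomains).
ACLS = {
    "office1": ("src", "7.24.10.0/24"),
    "BlockExt": ("url_regex", r"\.(mp3|wma|wmv|avi|exe)$"),
    "specialdomain": ("dstdomain", [".trusted.example"]),
}

def acl_matches(name, req):
    kind, arg = ACLS[name]
    if kind == "src":
        return ip_address(req["src"]) in ip_network(arg)
    if kind == "url_regex":  # url_regex is tested against the whole URL, query included
        return re.search(arg, req["url"], re.IGNORECASE) is not None
    if kind == "dstdomain":
        host = req["host"]
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in arg)
    raise ValueError(f"unsupported acl type {kind}")

def http_access(rules, req):
    """Squid-style evaluation: every ACL on a line must match ("!" negates),
    the first matching line decides, and with no match at all the result is
    the opposite of the last line's action."""
    for action, tokens in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in tokens):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def decide(rules, src, url):
    req = {"src": src, "url": url, "host": urlsplit(url).hostname or ""}
    return http_access(rules, req)

# Two rule orders to compare. The "allow office1" line is an assumption; the
# posted configuration was cut off before any allow line appeared.
AS_POSTED = [
    ("deny", ["BlockExt"]),                    # unconditional, so it always wins first
    ("deny", ["BlockExt", "!specialdomain"]),  # unreachable for any BlockExt URL
    ("allow", ["office1"]),
]
REORDERED = [
    ("deny", ["BlockExt", "!specialdomain"]),  # block extensions except on the special list
    ("allow", ["office1"]),
]
```

Note also that anchoring each extension with `$` against the whole URL lets a request such as `song.mp3?id=1` slip past BlockExt; matching on the path (`urlpath_regex`) or dropping the `$` anchor closes that gap.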
Received on Mon May 29 2006 - 13:08:49 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Jun 01 2006 - 12:00:02 MDT