RE: [squid-users] ACL advise from squid squid on 2007-05-18 (squid-users)

From: squid squid <squidusr@dont-contact.us>
Date: Fri, 18 May 2007 22:14:22 +0800

Hi,

Thank you for the advise.

Can I have the access and deny as follows:

http_access allow group-1 group1-url
http_access allow group-1 group1-dom
http_access allow group-2 group2-url
http_access allow group-3 group3-url
http_access allow group-1 all-groups-url
http_access allow group-2 agll-groups-url
http_access allow group-3 all-groups-url
http_access allow group-1 all-groups-dom
http_access allow group-2 all-groups-dom
http_access allow group-3 all-groups-dom
http_access deny clients-seg-1
http_access deny clients-seg-2

http_access allow all

Regards.

>From: "Mark Barlow" <mark.barlow@freepower.co.uk>
>To: "'squid squid'" <squidusr@hotmail.com>, <squid-users@squid-cache.org>
>Subject: RE: [squid-users] ACL advise
>Date: Fri, 18 May 2007 14:32:53 +0100
>
>I'm no expert but from what I do know, this is what I would suggest, hope
>it
>helps.
>
>Your starting 2 ACl's don't make sense, an 8 bit class A subnet mask on
>10.1.1.0 will cover all addresses from 10.0.0.0 - 10.255.255.255 the subnet
>mask would be 255.0.0.0 I suspect from what you have written above you mean
>to use a class C netmask (255.255.255.0) on the class A IP range, in which
>case your lines should read
>
>acl clients-seg-1 src 10.1.1.0/24
>acl clients-seg-2 src 10.1.2.0/24
>
>You can then isolate your specific IP addresses
>
>acl group-1 src 10.1.1.10-10.1.1.11/24
>acl group-2 src 10.1.1.12-10.1.1.13/24
>acl group-3 src 10.1.2.20-10.1.2.21/24
>
>Other users not in the groups specified i.e. 10.1.3.x, etc can have another
>acl
>
>alc all-others src 10.1.3.0/24 10.1.4.0/24 etc etc
>
>We then look at what pages are allowed
>
>Acl group1-url url-regex -i intranet.abc.com apps.intranet.abc.com/abc
>Acl group1-dom dstdom-regex -i interdept.abc.com
>Acl group2-url url-regex -i intranet.abc.com/def apps.intranet.abc.com/def
>Acl group3-url url-regex -i intranet.abc.com/xyz apps.intranet.abc.com/xyz
>Acl all-groups-url url-regex -i public.abc.com/abc
>Acl all-groups-dom dstdom-regex -i public.def.com
>Acl intranet dstdom-regex -i intranet.url
>
>Having set up the acls now we look at the access. These rules are applied
>in order.
>
>http_access allow group-1 group1-url
>http_access allow group-1 group1-dom
>http_access allow group-2 group2-url
>http_access allow group-3 group3-url
>http_access allow group-1 all-groups-url
>http_access allow group-2 agll-groups-url
>http_access allow group-3 all-groups-url
>http_access allow group-1 all-groups-dom
>http_access allow group-2 all-groups-dom
>http_access allow group-3 all-groups-dom
>http_access allow all-others intranet
>
>http_access deny all
>
>The rules get looked at in turn, unless a client matches the rule with it's
>request it will get mopped up by the deny all (assuming you have left the
>acl all src 0.0.0.0/0.0.0.0)
>
>
>
>-----Original Message-----
>From: squid squid [mailto:squidusr@hotmail.com]
>Sent: 18 May 2007 13:35
>To: squid-users@squid-cache.org
>Subject: [squid-users] ACL advise
>
>I would like to setup squid as follows :
>
>Group 1 users (10.1.1.10 and 10.1.1.11) only able to access 2 URLs
>(http://intranet.abc.com/abc and http://apps.intranet.abc.com/abc) and 1
>domain (interdept.abc.com)
>
>Group 2 users (10.1.1.12 and 10.1.1.13) only able to access 2 URLs
>(http://intranet.abc.com/def and http://apps.intranet.abc.com/def)
>
>Group 3 users (10.1.2.20 and 10.1.2.21) only able to access 2 URLs
>(http://intranet.abc.com/xyz and http://apps.intranet.abc.com/xyz)
>
>All 3 groups can access URL http://public.abc.com/abc and domain
>public.def.com
>
>All other users in 10.1.1.x and 10.1.2.x are not allow to access anything.
>
>All other users not in the above group (10.1.3.x, 10.1.4.x, etc) can access
>everything on the intranet.
>
>Is my following configuration correct:
>
>Thank you.
>
>acl clients-seg-1 src 10.1.1.0/8
>acl clients-seg-2 src 10.1.2.0/8
>
>
>acl common-allow-url url_regex http://public.abc.com/abc
>acl common-allow-domain dstdomain public.def.com
>
>http_access deny clients-seg-1 clients-seg-2 !clients-grp1 !clients-grp2
>!clients-grp3
>
>acl clients-grp1 src 10.1.1.10 10.1.1.11
>acl clients-grp1-allow-domain dstdomain interdept.abc.com
>acl clients-grp1-allow-url url_regex http://intranet.abc.com/abc
>http://apps.intranet.abc.com/abc
>
>http_access allow clients-grp1 clients-grp1-allow-domain
>clients-grp1-allow-url common-allow-url common-allow-domain
>http_access deny clients-grp1 !clients-grp1-allow-domain
>!clients-grp1-allow-url !common-allow-url !common-allow-domain
>
>
>acl clients-grp2 src 10.1.1.12 10.1.1.13
>acl clients-grp2-allow-url url_regex http://intranet.abc.com/def
>http://apps.intranet.abc.com/def
>
>http_access allow clients-grp2 clients-grp2-allow-url common-allow-url
>common-allow-domain
>http_access deny clients-grp2 !clients-grp2-allow-url !common-allow-url
>!common-allow-domain
>
>
>acl clients-grp3 src 10.1.2.20 10.1.2.21
>acl clients-grp3-allow-url url_regex http://intranet.abc.com/xyz
>http://apps.intranet.abc.com/xyz
>http_access allow clients-grp3 clients-grp3-allow-url common-allow-url
>common-allow-domain
>http_access deny clients-grp3 !clients-grp3-allow-url !common-allow-url
>!common-allow-domain
>
>
>http_access allow all
>
>_________________________________________________________________
>Get the new Windows Live Messenger! http://get.live.com/messenger/overview
>
>
>

_________________________________________________________________
Get MSN Messenger emoticons and display pictures here!
http://ilovemessenger.msn.com/?mkt=en-sg
Received on Fri May 18 2007 - 08:14:36 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT