Re: [squid-users] ACL advise

From: squid squid <squidusr@dont-contact.us>
Date: Sat, 19 May 2007 12:00:29 +0800

Thank you to all who have provided the advice. Have used the deny all as the
last entry to be on the safe side.

>From: Amos Jeffries <squid3@treenet.co.nz>
>To: squid squid <squidusr@hotmail.com>
>CC: squid-users@squid-cache.org, mark.barlow@freepower.co.uk
>Subject: Re: [squid-users] ACL advise
>Date: Sat, 19 May 2007 04:19:11 +1200
>
>squid squid wrote:
>>Hi,
>>
>>Thank you for the advice.
>>
>>Can I have the access and deny as follows:
>>
>>http_access allow group-1 group1-url
>>http_access allow group-1 group1-dom
>>http_access allow group-2 group2-url
>>http_access allow group-3 group3-url
>>http_access allow group-1 all-groups-url
>>http_access allow group-2 all-groups-url
>>http_access allow group-3 all-groups-url
>>http_access allow group-1 all-groups-dom
>>http_access allow group-2 all-groups-dom
>>http_access allow group-3 all-groups-dom
>>http_access deny clients-seg-1
>>http_access deny clients-seg-2
>>
>>http_access allow all
>>
>>Regards.
>>
>>>From: "Mark Barlow" <mark.barlow@freepower.co.uk>
>>>To: "'squid squid'" <squidusr@hotmail.com>, <squid-users@squid-cache.org>
>>>Subject: RE: [squid-users] ACL advise
>>>Date: Fri, 18 May 2007 14:32:53 +0100
>>>
>>>I'm no expert, but from what I do know this is what I would suggest; hope
>>>it helps.
>>>
>>>Your starting 2 ACLs don't make sense: an 8-bit class A subnet mask on
>>>10.1.1.0 will cover all addresses from 10.0.0.0 - 10.255.255.255 (the
>>>subnet mask would be 255.0.0.0). I suspect from what you have written above
>>>you mean to use a class C netmask (255.255.255.0) on the class A IP range,
>>>in which case your lines should read
>>>
>>>acl clients-seg-1 src 10.1.1.0/24
>>>acl clients-seg-2 src 10.1.2.0/24
>>>
>>>You can then isolate your specific IP addresses
>>>
>>>acl group-1 src 10.1.1.10-10.1.1.11/24
>>>acl group-2 src 10.1.1.12-10.1.1.13/24
>>>acl group-3 src 10.1.2.20-10.1.2.21/24
>>>
>>>Other users not in the groups specified, i.e. 10.1.3.x, etc., can have
>>>another acl
>>>
>>>acl all-others src 10.1.3.0/24 10.1.4.0/24 etc etc
>>>
>>>We then look at what pages are allowed
>>>
>>>acl group1-url url_regex -i intranet.abc.com apps.intranet.abc.com/abc
>>>acl group1-dom dstdom_regex -i interdept.abc.com
>>>acl group2-url url_regex -i intranet.abc.com/def apps.intranet.abc.com/def
>>>acl group3-url url_regex -i intranet.abc.com/xyz apps.intranet.abc.com/xyz
>>>acl all-groups-url url_regex -i public.abc.com/abc
>>>acl all-groups-dom dstdom_regex -i public.def.com
>>>acl intranet dstdom_regex -i intranet.url
>>>
>>>Having set up the acls, now we look at the access. These rules are applied
>>>in order.
>>>
>>>http_access allow group-1 group1-url
>>>http_access allow group-1 group1-dom
>>>http_access allow group-2 group2-url
>>>http_access allow group-3 group3-url
>>>http_access allow group-1 all-groups-url
>>>http_access allow group-2 all-groups-url
>>>http_access allow group-3 all-groups-url
>>>http_access allow group-1 all-groups-dom
>>>http_access allow group-2 all-groups-dom
>>>http_access allow group-3 all-groups-dom
>>>http_access allow all-others intranet
>>>
>>>http_access deny all
>>>
>>>The rules get looked at in turn; unless a client matches a rule with its
>>>request, it will get mopped up by the deny all (assuming you have left the
>>>acl all src 0.0.0.0/0.0.0.0).
>>>
>>>
>>>
>>>-----Original Message-----
>>>From: squid squid [mailto:squidusr@hotmail.com]
>>>Sent: 18 May 2007 13:35
>>>To: squid-users@squid-cache.org
>>>Subject: [squid-users] ACL advise
>>>
>>>I would like to setup squid as follows :
>>>
>>>Group 1 users (10.1.1.10 and 10.1.1.11) only able to access 2 URLs
>>>(http://intranet.abc.com/abc and http://apps.intranet.abc.com/abc) and 1
>>>domain (interdept.abc.com)
>>>
>>>Group 2 users (10.1.1.12 and 10.1.1.13) only able to access 2 URLs
>>>(http://intranet.abc.com/def and http://apps.intranet.abc.com/def)
>>>
>>>Group 3 users (10.1.2.20 and 10.1.2.21) only able to access 2 URLs
>>>(http://intranet.abc.com/xyz and http://apps.intranet.abc.com/xyz)
>>>
>>>All 3 groups can access URL http://public.abc.com/abc and domain
>>>public.def.com
>>>
>>>All other users in 10.1.1.x and 10.1.2.x are not allowed to access
>>>anything.
>>>
>>>All other users not in the above groups (10.1.3.x, 10.1.4.x, etc) can
>>>access everything on the intranet.
>>>
>>>Is my following configuration correct:
>>>
>>>Thank you.
>>>
>>>acl clients-seg-1 src 10.1.1.0/8
>>>acl clients-seg-2 src 10.1.2.0/8
>>>
>>>
>>>acl common-allow-url url_regex http://public.abc.com/abc
>>>acl common-allow-domain dstdomain public.def.com
>>>
>>>http_access deny clients-seg-1 clients-seg-2 !clients-grp1 !clients-grp2 !clients-grp3
>>>
>>>acl clients-grp1 src 10.1.1.10 10.1.1.11
>>>acl clients-grp1-allow-domain dstdomain interdept.abc.com
>>>acl clients-grp1-allow-url url_regex http://intranet.abc.com/abc http://apps.intranet.abc.com/abc
>>>
>>>http_access allow clients-grp1 clients-grp1-allow-domain clients-grp1-allow-url common-allow-url common-allow-domain
>>>http_access deny clients-grp1 !clients-grp1-allow-domain !clients-grp1-allow-url !common-allow-url !common-allow-domain
>>>
>>>
>>>acl clients-grp2 src 10.1.1.12 10.1.1.13
>>>acl clients-grp2-allow-url url_regex http://intranet.abc.com/def http://apps.intranet.abc.com/def
>>>
>>>http_access allow clients-grp2 clients-grp2-allow-url common-allow-url common-allow-domain
>>>http_access deny clients-grp2 !clients-grp2-allow-url !common-allow-url !common-allow-domain
>>>
>>>
>>>acl clients-grp3 src 10.1.2.20 10.1.2.21
>>>acl clients-grp3-allow-url url_regex http://intranet.abc.com/xyz http://apps.intranet.abc.com/xyz
>>>http_access allow clients-grp3 clients-grp3-allow-url common-allow-url common-allow-domain
>>>http_access deny clients-grp3 !clients-grp3-allow-url !common-allow-url !common-allow-domain
>>>
>>>
>>>http_access allow all
>
>That last line will allow *anyone* *anywhere* to access anything the proxy
>can resolve (all of the internet!).
>Be *very* sure you want that to happen before using "allow all" as a
>default.
>
>The earlier suggested config with an 'acl all-intranet 10.x.x.x/n ....' was
>on the mark for a much more secure proxy setup that still does what you
>want.
>
>Amos

Received on Fri May 18 2007 - 22:00:38 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT
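A small first-match simulator of the `http_access` evaluation discussed in this thread, added here as an example (not code from the list, the posters, or Squid itself). It parses a constructed squid.conf fragment built from the corrected advice above, trimmed to group-1 and all-others, and compares the "deny all" tail the thread settles on with the "allow all" tail of the original config; it assumes "intranet.url" stands for any host under abc.com.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed squid.conf after the thread's corrections, cut down to group-1 and
# all-others (example, not the list's own). 'intranet.url' assumed to mean *.abc.com.
CONF = r"""
acl all src 0.0.0.0/0.0.0.0
acl group-1 src 10.1.1.10 10.1.1.11
acl all-others src 10.1.3.0/24 10.1.4.0/24
acl group1-url url_regex -i intranet\.abc\.com/abc
acl group1-dom dstdom_regex -i interdept\.abc\.com
acl all-groups-url url_regex -i public\.abc\.com/abc
acl intranet dstdom_regex -i \.abc\.com$
http_access allow group-1 group1-url
http_access allow group-1 group1-dom
http_access allow group-1 all-groups-url
http_access allow all-others intranet
http_access deny all
"""

def parse(conf):
    """Read 'acl' and 'http_access' lines; repeated acl names accumulate as in Squid."""
    acls, rules = {}, []
    for parts in (line.split() for line in conf.strip().splitlines()):
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(v for v in parts[3:] if v != "-i")
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def match(acl, src, url):
    kind, vals = acl
    if kind == "src":
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v, strict=False) for v in vals)
    target = url if kind == "url_regex" else (urlsplit(url).hostname or "")  # dstdom_regex
    return any(re.search(v, target, re.I) for v in vals)  # '-i' => case-insensitive

def http_access(acls, rules, src, url):
    # First match wins; a rule fires only when every acl on it matches ('!' negates).
    # If no rule fires, Squid applies the opposite of the last rule's action.
    for action, names in rules:
        if all(match(acls[n.lstrip("!")], src, url) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def compare(src, url):
    """Decision with the thread's 'deny all' tail vs the original 'allow all' tail."""
    open_conf = CONF.replace("http_access deny all", "http_access allow all")
    return tuple(http_access(*parse(c), src, url) for c in (CONF, open_conf))
```

The last case below is the point Amos makes: with "allow all" as the default, a client outside every defined segment is still allowed through.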