Re: [squid-users] Hole in my thinking - still

From: Bobby <bobby@dont-contact.us>
Date: Mon, 11 Jun 2007 22:55:05 -0400

On Monday 11 June 2007 17:12:20 Bobby wrote:
> Hi,
>
> This is not resolving. Rather than debugging my setup please tell me how
> you would configure it.
>
> What I'm looking at is how do I specify different machines to be able to
> access only certain websites?
>
> Let's say,
> 172.16.10.16-31 are managers who can go anywhere and
> 172.16.10.96-254 are operators with limited access like only to
> .google.com and .paypal.com.
>
> What should be an almost totally default conf file. I have a safe port on
> 5203, and my network defined.
>
> --------------------------------------------------
> http_port 3128
>
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
>
> acl Safe_ports port 5203
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
>
> acl our_networks src 172.16.10.0/24
> http_access allow Safe_ports
>
>
>
> http_access deny all
> http_reply_access deny all
This is actually http_reply_access allow all

> icp_access allow all
>
> visible_hostname gw0.example.com
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> coredump_dir /var/squid/cache

> # Allow managers unrestricted access
> acl managers src ...
> http_access allow managers
>
> # Allow operators access to a restricted set of sites
> acl operators src ...
> acl operator_sites dstdomain .google.com .paypal.com
> http_access allow operators operator_sites
>
> # And deny all other access
> http_access deny all

Which means this should have worked:

acl operators-src src "/etc/squid/T_operators"
acl operators-dst dstdomain "/etc/squid/T_operators-http"
http_access allow operators-src operators-dst

with

T_operators =
172.16.10.105/32
172.16.10.107/32
172.16.10.112/32

T_operators-http =
.google.com
.paypal.com

-- 
Bobby
Received on Mon Jun 11 2007 - 20:55:09 MDT
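
Added example, not part of the original message and not Squid's own code: a simplified Python model of how http_access lines are evaluated (top to bottom, first match wins, ACLs on one line ANDed), run over constructed requests against the manager/operator rules from the thread. The rule order, the sample requests and the two Safe_ports sets being compared are assumptions.

```python
import ipaddress

def in_range(ip, lo, hi):
    """True if ip lies in the inclusive range lo..hi (a range-style src ACL)."""
    a = ipaddress.ip_address
    return a(lo) <= a(ip) <= a(hi)

def dstdomain(host, patterns):
    """A leading dot matches the domain itself and every subdomain."""
    host = host.lower().rstrip(".")
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in patterns)

def build_acls(safe_ports):
    return {
        "all": lambda r: True,
        "Safe_ports": lambda r: r["port"] in safe_ports,
        "SSL_ports": lambda r: r["port"] in (443, 563),
        "CONNECT": lambda r: r["method"] == "CONNECT",
        "managers": lambda r: in_range(r["src"], "172.16.10.16", "172.16.10.31"),
        "operators": lambda r: in_range(r["src"], "172.16.10.96", "172.16.10.254"),
        "operator_sites": lambda r: dstdomain(r["host"], [".google.com", ".paypal.com"]),
    }

# Rule order is an assumption: the thread's port guards first, then the
# suggested manager/operator rules, then the catch-all.
RULES = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow managers
http_access allow operators operator_sites
http_access deny all
"""

def decide(request, safe_ports, rules=RULES):
    """Return (action, rule) for the first line whose ACLs all match."""
    acls = build_acls(safe_ports)
    for line in rules.splitlines():
        _, action, *names = line.split()
        # ACLs on one line are ANDed; "!" negates a single ACL.
        if all(acls[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action, line
    raise ValueError("rule list needs a final catch-all such as 'deny all'")

def req(src, host, port=80, method="GET"):  # constructed sample request
    return {"src": src, "host": host, "port": port, "method": method}

if __name__ == "__main__":
    for ports in ({80, 443, 5203}, {5203}):
        for r in (req("172.16.10.20", "www.example.org"),
                  req("172.16.10.105", "www.google.com"),
                  req("172.16.10.105", "www.example.org")):
            print(sorted(ports), r["src"], r["host"], decide(r, ports))
```

In this model, with Safe_ports holding only 5203, every port-80 request stops at the first rule, so the operator rule is never reached.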
