Re: [squid-users] problem with ACL.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 29 Apr 2009 20:33:25 +1200

Pandu E Poluan wrote:
> I believe the user you're talking about is accessing the URLs
> contained in
>
> acl exceptions url_regex "/etc/squid/data/exceptions"
>
> Because as far as I see, the only way for him/her to bypass the time
> limitation is if he/she gets allowed by
>
> http_access allow exceptions
>
> CMIIW
>
>

Correct by my reading of that too.

Some other config notes below for unrelated stuff...

> Rgds,
>
> [p]
>
>
> Jagdish Rao wrote:
>> Hi,
>>
>> I have configured my Squid to work only for some time for one group of
>> users. I find that this is not being effective. Below is the squid.conf file
>>
>> ############# SQUID DEFAULTS ############
>> http_port 8000
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>> cache_log /var/log/squid/cache.log
>> debug_options ALL,1 33,2

Above sets up some debug display options.
Below cancels that out by setting a global 1-level debug.

>> debug_options ALL,1
>>
>> ############ AUTHENTICATIONS ###########
>> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/data/valid-users
>> auth_param basic children 5
>> auth_param basic realm Accord-Soft Proxy-caching Web Server
>> auth_param basic credentialsttl 2 hour
>> auth_param basic casesensitive off
>>
>> request_body_max_size 50 KB
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>> ########### ACCESS CONTROLS ###########
>>
>> #### Format for Access Controls ####
>> ## <acl username proxy_auth user id>
>> ## <acl usertime time 9:00 - 14:00>
>> ## <acl userurl url_regex website>
>> ## <http_access allow username usertime userurl>
>>
>> acl password proxy_auth REQUIRED
>>
>> acl all src 0.0.0.0/0.0.0.0

  acl all src all

simpler to understand.

>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255

   acl localhost src 127.0.0.1

also simpler to understand.

>> acl to_localhost dst 127.0.0.0/8
>> acl CONNECT method CONNECT
>>
>> ########## USER DEFINED ACLS ###########
>>
>> ## Authenticating Users #######
>> acl sunayna.j proxy_auth sunayna.j
>> acl vikramsingh proxy_auth vikram.singh
>>
>> #### ACL TIMINGS #######
>> acl MorningTime time 08:00-09:00
>> acl EveningTime time 18:00-19:00
>> acl AfternoonTime time 13:00-15:00
>> acl OfficeTime time 09:00-18:00
>> acl SplMorningTime time 09:00-13:00
>> acl PrelunchTime1 time 11:00-12:00
>> acl PrelunchTime time 12:00-13:00
>>
>> ### Some more ACL's to Allow and Block the Sites ###
>> acl PornSites url_regex "/etc/squid/data/blocked-sites"
>> acl PornSites url_regex "/etc/squid/data/blocked-bad-words"
>> acl exceptions url_regex "/etc/squid/data/exceptions"
>> acl exceptions url_regex "/etc/squid/data/winupdates"
>> http_access allow exceptions
>> http_access deny PornSites
>> deny_info ERR_PORN_DENIED PornSites
>>
>> acl FTPMP3 url_regex -i ^ftp://.*\.mp3$
>> http_access deny FTPMP3
>> acl HTPMP3 url_regex -i ^http://.*\.mp3$
>> http_access deny HTPMP3
>>
>> acl Download_Blocking url_regex -i \.(ADE|ADP|ASD|ASF|BAS|BAT|CMD|CPL|CRT|EML|HLP|HTA|INF|INS|ISP|LNK|MDB|MDE|MSC|MSG|MSI|MSP|MST|OCX|PCD|PIF|SCR|SCT|SH|SHB|SHS|SYS|VB|VBE|VBS|VCS|WMS|WMD|WMZ|WSC|WSF|WSH|PBL|TPL|mov|MOV|mp3|avi|AVI|wmv|WMV|wma|rar|RAR|CAB|cab)($|\?)
>>

In the above regex you specify '-i' (not case-sensitive) therefore many
of your upper and lower case patterns can be collapsed to a smaller set
of lower case patterns.

Also, if this is important (you don't even seem to use it) then you
might think about adding a mime_type ACL for those as well to catch the
fake file types: mp3s sent as index.html, for one example.

>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> #http_access deny !password
>>
>> ### Access Goes Here #######
>> http_access allow vikasv PrelunchTime1
>> http_access allow vikramsingh PrelunchTime1
>> http_access allow sunayna.j PrelunchTime1
>>
>> http_access deny all
>>
>> cache_mgr netadmin_at_accord-soft.com
>> visible_hostname squid.accord-soft.com
>> coredump_dir /var/spool/squid
>> logfile_rotate 10
>> deny_info ERR_ACCESS_DENIED net-man
>>
>> ## End of Squid.conf file.
>>
>> In this, the timing "PrelunchTime1" does not seem to work. This means
>> that a user with this config cannot access the Net before 11:00 AM, but he
>> can continue to browse even after 12:00 noon.
>>
>> Where are we making mistakes?
>>
>> Any help would be appreciated
>>
>> Thanks
>>
>> Jagdish
>>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
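To make the first-match reasoning in Pandu's reply concrete, here is an added Python model of how Squid walks an http_access list; it is not Squid's code and not from the thread. It models only the ACLs the posted config defines, the regex file contents and hostnames are constructed placeholders, and the time-ACL boundary handling is an assumption.

```python
import re

# Constructed stand-ins for the regex files quoted in the config (not on the page).
EXCEPTION_PATTERNS = [r"^http://update\.example\.test/"]
BLOCKED_PATTERNS = [r"badsite\.example\.test"]

minutes = lambda hhmm: int(hhmm[:2]) * 60 + int(hhmm[3:])  # "HH:MM" -> minutes of day

def url_regex(patterns, flags=0):
    compiled = [re.compile(p, flags) for p in patterns]
    return lambda req: any(c.search(req["url"]) for c in compiled)

def proxy_auth(user):
    return lambda req: req["user"] == user

def time_acl(window):
    # Assumed semantics of 'acl NAME time hh:mm-hh:mm' (the closing minute is not modelled).
    start, stop = (minutes(t) for t in window.split("-"))
    return lambda req: start <= req["minutes"] < stop

ACLS = {
    "exceptions": url_regex(EXCEPTION_PATTERNS),
    "PornSites": url_regex(BLOCKED_PATTERNS),
    "HTPMP3": url_regex([r"^http://.*\.mp3$"], re.IGNORECASE),
    "vikramsingh": proxy_auth("vikram.singh"),
    "sunayna.j": proxy_auth("sunayna.j"),
    "PrelunchTime1": time_acl("11:00-12:00"),
    "all": lambda req: True,
}

# http_access lines from the posted config whose ACLs it defines, in original order.
HTTP_ACCESS = [
    ("allow", ["exceptions"]),
    ("deny", ["PornSites"]),
    ("deny", ["HTPMP3"]),
    ("allow", ["vikramsingh", "PrelunchTime1"]),
    ("allow", ["sunayna.j", "PrelunchTime1"]),
    ("deny", ["all"]),
]

def acl_matches(name, req):
    negated = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negated

def http_access(user, hhmm, url, rules=HTTP_ACCESS):
    # Squid-style first match; if no line matches, the result is the opposite of the last action.
    req = {"user": user, "minutes": minutes(hhmm), "url": url}
    for index, (action, acls) in enumerate(rules):
        if all(acl_matches(a, req) for a in acls):
            return action, index
    return ("deny" if rules[-1][0] == "allow" else "allow"), None
```

Calling `http_access("vikram.singh", "14:00", "http://update.example.test/x")` returns `("allow", 0)`: the exceptions line decides before any time ACL is consulted, which is the bypass described above.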
Received on Wed Apr 29 2009 - 08:33:33 MDT