[squid-users] Re: Proxy & Redirection help

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 02 Nov 2010 23:26:34 +1300

On 02/11/10 22:54, Edmonds Namasenda wrote:
> Thank you, Amos.
> More queries inline below.
>
> Hello All.
> I request help using openSUSE 11.2, Squid 3.0 and Shorewall 2.2.2.
>
> My squid.conf ACLs.
>
> acl net_ed src 10.100.#.0/24 192.168.#.0/24 10.208.#.0/24 # The three networks
> acl whrs1 time MTWHF 9:00-12:59 # Morning time to limit some websites & control downloads
> acl whrs2 time MTWHF 13:00-16:59 # Afternoon time to limit some websites & control downloads
> acl nowww dstdomain "/etc/squid/noWWW" # Path to file of limited websites
> acl nodwnld urlpath_regex "/etc/squid/noDWNLD" # Path to file of controlled downloads
>
> My squid.conf http_access
> http_access deny nowww whrs1 whrs2
> http_access deny nodwnld whrs1 whrs2
> http_access allow net_ed
>
> Content in /etc/squid/noWWW
>
>
> Content in /etc/squid/noDWNLD
> \.exe$
> \.zip$
> \.gz$
> \.bz2$
> \.mp3$
> \.avi$
> \.mp4$
> \.mpg$
> \.mpeg$
> \.rar$
> \.ram$
> \.rpm$
> \.wav$
> \.cda$
> \.wma$
> \.wmv$
> \.flv$
> \.fla$
>
>
> Are my ACLs and other setting okay?
>
>
> You seem to be asking how to bypass the proxy from inside. That is
> not possible. The firewall needs to do bypass before anything gets
> near the proxy.
>
> I am using the same machine for firewall and proxy
>
> If you meant that some IPs need to get web access without the
> download and site restrictions, that is just an ACL listing the IPs
> and allowing them access first before applying the extra
> restrictions for others.
>
> If I were to add ACLs with some IP addresses to access the internet
> without any restrictions, how can I go about that?

By creating ..

   # "an ACL listing the IPs ..."
   acl foo src ...

   # " ... and allowing them access first ..."
   http_access allow foo

   # " ... before applying the extra restrictions for others."
   http_access deny nowww whrs1 whrs2
   http_access deny nodwnld whrs1 whrs2
   http_access allow net_ed

>
>
> I have not used shorewall in over 5 years now. I find its layered
> abstraction maps more confusing than the iptables commands. Sorry, I
> can't help with the specifics here.
>
> If I were to switch to iptables, what is the procedure and/or commands?

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
The example PREROUTING line that does "-s SQUIDIP ... -j ACCEPT"
repeated as many times as IPs needing to bypass the proxy.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.2
Received on Tue Nov 02 2010 - 10:26:40 MDT
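
An added example, not part of the original messages: a small Python model of how Squid evaluates the http_access lines in this thread, where the ACL names on one line are ANDed and the first matching line decides. It shows that a line naming both whrs1 and whrs2 can never match, because the two time windows do not overlap. The host addresses, the blocked host name and the one-line-per-window rule set are constructed assumptions.

```python
from datetime import datetime

# Constructed stand-ins: the thread elides the real networks and the noWWW list,
# so these addresses and the blocked host are hypothetical.
ACLS = {
    "net_ed":  lambda r: r["src"].startswith("10.100."),
    "foo":     lambda r: r["src"] == "10.100.0.5",           # exempt host
    "nowww":   lambda r: r["host"] == "blocked.example",
    "nodwnld": lambda r: r["path"].endswith((".exe", ".zip", ".mp3")),
    "whrs1":   lambda r: r["when"].weekday() < 5 and 9 <= r["when"].hour <= 12,
    "whrs2":   lambda r: r["when"].weekday() < 5 and 13 <= r["when"].hour <= 16,
}

def http_access(rules, req):
    """Return the action of the first line whose ACLs ALL match the request."""
    for action, names in rules:
        if all(ACLS[name](req) for name in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def request(src, host, path, when):
    return {"src": src, "host": host, "path": path, "when": when}

# Rule order as given in the reply above.
AS_POSTED = [
    ("allow", ["foo"]),
    ("deny",  ["nowww", "whrs1", "whrs2"]),
    ("deny",  ["nodwnld", "whrs1", "whrs2"]),
    ("allow", ["net_ed"]),
]
# Assumed alternative: one deny line per time window, so either window can match.
PER_WINDOW = [
    ("allow", ["foo"]),
    ("deny",  ["nowww", "whrs1"]),   ("deny", ["nowww", "whrs2"]),
    ("deny",  ["nodwnld", "whrs1"]), ("deny", ["nodwnld", "whrs2"]),
    ("allow", ["net_ed"]),
]

MORNING = datetime(2010, 11, 2, 10, 0)  # a Tuesday, inside whrs1

if __name__ == "__main__":
    req = request("10.100.0.9", "blocked.example", "/", MORNING)
    print("as posted: ", http_access(AS_POSTED, req))
    print("per window:", http_access(PER_WINDOW, req))
```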

This archive was generated by hypermail 2.2.0 : Tue Nov 02 2010 - 12:00:03 MDT