Re: [squid-users] Help me: Multiple ACLs in Squid Proxy v 3.0

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 11 Sep 2011 14:57:07 +1200

On 10/09/11 19:03, Kumar P wrote:
> Hi dear,
>
> I am Kumar. Here is my Squid configuration file (Squid v3.0).
>
> I would like to give specific users access to specific web content,
> But through this configuration file, if I give permission for a
> specific user to access the tutorial, social networking is blocked but
> movie is accessible. Even if I grouped allow and deny separately and
> checked, the same problem continues; I can't grant access to the
> tutorial but still block access to movies.

Sure you can. Squid access controls are at heart a list of boolean
statements, which can describe any property of the request in any
combination, in any order.

You are just committing the newbie mistake of only using one property
per decision. This is how the ACLs actually work:
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes

>
> acl localnet src 10.1.1.0/24
> acl special src "/etc/squid/special.txt" # All Access IPs
> acl unlimited src "/etc/squid/unlimited.txt" # Full Download access
>
> acl allow_proxy src "/etc/squid/allow_proxy.txt" # Allow Proxy sites
> acl allow_social src "/etc/squid/allow_social.txt" # Allow Social networking
>
> acl allow_tutorial src "/etc/squid/allow_tutorial.txt" # Allow Tutorial
>
> acl allow_movie src "/etc/squid/allow_movie.txt" # Allow Movie
> acl allow_jobs src "/etc/squid/allow_jobs.txt" # Allow Jobs
>
> #Allow / Block
> acl goodkey url_regex "/etc/squid/goodkey.txt"
>
> acl proxy url_regex "/etc/squid/proxy.txt"
> acl social url_regex "/etc/squid/social.txt"
> acl tutorial url_regex "/etc/squid/tutorial.txt"
> acl movie url_regex "/etc/squid/movie.txt"
>
> acl jobs url_regex "/etc/squid/jobs.txt"
>
> #Download Limit
> reply_body_max_size 3000 KB localnet !unlimited
> request_body_max_size 3000 KB localnet !unlimited
>
> #Allow
> http_access allow special
>
> http_access allow goodkey
>
> #Proxy
> http_access allow allow_proxy
> http_access deny proxy

Replace with:
  http_access allow allow_proxy proxy

>
> #Social
> http_access allow allow_social
> http_access deny social

Replace with:
  http_access allow allow_social social

>
> #Tutorial
> http_access allow allow_tutorial
>
> http_access deny tutorial

Replace with:
  http_access allow allow_tutorial tutorial

>
> #Movie
> http_access allow allow_movie
> http_access deny movie
>

Replace with:
  http_access allow allow_movie movie

> #Jobs
> http_access allow allow_jobs
> http_access deny jobs

Replace with:
  http_access allow allow_jobs jobs

>
> #ACL Allow
> http_access allow localnet

Replace with:
  http_access allow localnet !tutorial !jobs !movie

>
>
> #And finally deny all other access to this proxy
> http_access allow localhost

Maybe replace with:
  http_access allow localhost !tutorial !jobs !movie

> http_access deny all
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.11
Received on Sun Sep 11 2011 - 02:57:13 MDT
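
Added example (not part of the original message, and not Squid's own code): a small Python model of how http_access lines are evaluated, where every ACL on a line must match and the first matching line decides, run over the tutorial and movie rules from the quoted configuration and from the replacements in the reply. The function names and the reduction of a request to the set of ACL names it matches are assumptions made for illustration.

```python
# Constructed subset of the quoted configuration (tutorial/movie rules only).
ORIGINAL = """
http_access allow allow_tutorial
http_access deny tutorial
http_access allow allow_movie
http_access deny movie
http_access allow localnet
http_access deny all
"""

# The same rules after the replacements suggested in the reply.
REVISED = """
http_access allow allow_tutorial tutorial
http_access allow allow_movie movie
http_access allow localnet !tutorial !jobs !movie
http_access deny all
"""

def parse(config):
    """Return [(action, [acl terms])] for each http_access line."""
    rules = []
    for line in config.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return rules

def term_matches(term, matched):
    """A term is an ACL name, optionally negated with '!'."""
    if term.startswith("!"):
        return not term_matches(term[1:], matched)
    return term == "all" or term in matched

def decide(config, matched):
    """First line whose terms ALL match decides (AND per line, OR across lines)."""
    for action, terms in parse(config):
        if all(term_matches(t, matched) for t in terms):
            return action
    return "deny"  # not reached here: both configs end in "deny all"

if __name__ == "__main__":
    # Constructed request: a client listed in allow_tutorial.txt asks for a movie URL.
    request = {"localnet", "allow_tutorial", "movie"}
    print("original:", decide(ORIGINAL, request))
    print("revised: ", decide(REVISED, request))
```

In the original rules the line `http_access allow allow_tutorial` tests only the client address, so it admits that client to any URL before the movie rules are reached; the revised line also requires the `tutorial` URL ACL to match.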
