[squid-users] Access Groups Problem

Hello All,

We use one openSuSe 11.4 server to manage access of five networks four
of which are connected through VPN.
Initial configuration used in-built Squid (3.0 Stable 18) in
transparent mode. We recently ran an upgrade and got Squid 3.1.23 on the
same oS 11.4

We realized some admin IP addresses are blocked from access and branch
users require adding proxy settings in the browsers / apps to connect
to the internet.
I experienced the former after the upgrade while not sure about the
latter. I am a timely consultant (practical) to the team not in-house.

How can the above be rectified?
Below is the current conf with a few alterations

## Start Conf ##
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
#acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# USUL Connection ACLs
acl usul src 10.40.1.0/24 10.40.2.0/24 10.40.3.0/24 10.40.4.0/24 10.40.5.0/24

acl noaccess src "/etc/squid/noaccess.txt"
acl admin src "/etc/squid/admin.txt"
acl a37 src "/etc/squid/one37.txt"
acl srvips src "/etc/squid/srvips.txt"
acl mgrs src "/etc/squid/mgrs.txt"
acl clerix src "/etc/squid/clerix.txt"

# USUL Connectivity Time-Frames
acl NoGenNet time MTWHFA 08:00-12:59
acl NoGenNet time MTWHFA 13:59-16:59
acl NoGenNet time S 07:00-12:59
acl NoGenNet time SMTWHFA 19:00-23:59
acl NoGenNet time SMTWHFA 00:00-06:59

## You Tube
acl YouTube time SMTWHFA 19:00-23:59
acl YouTube time SMTWHFA 00:00-07:59

# USUL Streaming Restrictions
acl nommq req_mime_type -i "/etc/squid/nommq.txt"

# USUL File & URL Restrictions
acl donot urlpath_regex -i "/etc/squid/donot.txt"
#acl nowords url_regex -i "/etc/squid/nowords.txt"
acl srvurls dstdomain -i "/etc/squid/srvurls.txt"
acl fewurls dstdomain -i "/etc/squid/fewww.txt"
acl one37 dstdomain -i "/etc/squid/url37.txt"
acl malice dstdomain -i "/etc/squid/malware.acl"
acl porn dstdomain -i "/etc/squid/xxx.acl"
acl ads dstdomain -i "/etc/squid/ads.acl"
acl tubeyou dstdomain -i "/etc/squid/utube.txt"
#acl blackout dstdomain -i "/etc/squid/blackout.txt"

#
# Recommended minimum Access Permission configuration:
#
#http_access deny usul all
# Only allow cachemgr access from localhost
http_access allow manager localhost

# USUL HTTP Access Rules

http_access allow srvurls all
http_access allow fewurls all
http_access allow admin mgrs all

http_access allow one37 a37

http_access deny tubeyou !YouTube

http_access deny malice all
http_access deny porn all
http_access deny ads all

#http_access deny nowords all

http_access deny noaccess
http_access deny srvips !srvurls all

#http_access allow fewurls
http_access deny NoGenNet clerix all

#http_access deny pmhr clerix
#http_access deny sday clerix
#http_access deny night_s clerix
#http_access deny night_e clerix

http_access deny donot !admin
http_access deny nommq !admin !mgrs
http_access allow usul all

http_access deny manager noaccess

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost

# allow localhost always proxy functionality
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

error_directory /usr/share/squid/errors/en
#deny_info PORN_DENIED blackout

icp_access allow usul
icp_access deny all

htcp_access allow usul
htcp_access deny all

# Squid normally listens to port 3128
#http_port 3128

http_port 3128 intercept

#http_port 80 intercept
#http_port 8080 intercept

#http_port all intercept # Best each port above or this?

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

cache_mem 400 MB

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 20000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

access_log /var/log/squid/access.log squid

minimum_object_size 512 KB
maximum_object_size 4 MB
maximum_object_size_in_memory 6 MB

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

dns_nameservers 41.##.##.# 41.##.##.#

visible_hostname ######
icp_port 3130
cache deny YouTube tubeyou

## End Conf ##

Thanks, Edmonds
Received on Wed Oct 16 2013 - 12:42:26 MDT