RE: [squid-users] Access Lists

From: Paul Harlow <PHarlow@dont-contact.us>
Date: Wed, 31 Oct 2001 10:33:19 -0700

Here's an excerpt of the conf file in question. Just for reference, I've
inherited this system and have been taking cues from the previous
administrator's work. Some of it does not make sense to me only because I am
not familiar with some of the verbiage or symbols.

For example:
acl jkanepc src 10.9.1.112/255.255.255.255
This one allows "jkanepc" with a source address of 10.9.1.112...

acl jkane dstdom_regex adams
I'm assuming that the access list name is "jkane" and that this will read
anything with the name "adams" in the address field.

http_access allow jkane jkanepc
Finally, this ties the two together if I'm not mistaken. It ties the list
"jkane" with the "jkanepc" address, correct?

See the attached text portion of my squid.conf to see what I'm talking
about. I know there's a better way to do this and I have several more users
to add to this list. If anyone can add insight I'd love to see/hear it.
Thanks!

Paul Harlow

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@marasystems.com]
Sent: Tuesday, October 30, 2001 4:14 PM
To: Paul Harlow
Cc: 'squid-users@squid-cache.org'
Subject: Re: [squid-users] Access Lists

Squid access lists are best described as plain AND/OR logic, with
shortcuts on a match..

http_access allow/deny a AND b AND c AND ...
OR
http_access allow/deny d AND e AND ...
...

Note: AND/OR above are in their boolean algebra meaning, not their
English counterparts. For a line to match, all ACLs listed on that line
must match. "http_access allow a b c" does not mean that a,b and c are
allowed, it means that for the request to be allowed it must match both
a, b and c.

There are some minor exceptions to the above:
* proxy_auth will always require valid credentials from the user. If no
such credentials are known then the request will get denied with
"authentication required", causing the browser to pop up a login box.
I think that it is actually.. and not much of an exception, as the
semantics are the same.

Then there is an art in finding the correct ACL type for a given
situation. There are currently 28 different ACL types in Squid to solve
various different access control problems. Fortunately you normally only
need to use a handful of them...

The following ACL types are perhaps the most commonly used. If you know
these you will get very far:

  src IP address of the requestor (client)
  dstdomain requested destination hostname
  dst requested destination IP address
  url_regex regex matching against the URL
  port requested destination port
  proxy_auth user authentication

Regards
Henrik Nordström
Squid Hacker

Paul Harlow wrote:
>
> Hi all,
>
> I'm very new here and fairly new to Squid so please bear with me if this is
> a subject that's been covered more than once.
>
> I've just started working with Squid off and on over the last few months and
> have hit a wall. I cannot find documentation that properly illustrates how
> to configure access lists with Squid and have had very limited success with
> the reconfigure of this server.
> For the most part we're restricting user access to the Internet using these
> access lists to just a few sites relating to their jobs. However, when I
> make changes to this list, mostly a copy and paste operation, these changes
> do not become effective after the service is restarted (killall -HUP squid).
>
> If anyone has any ideas to throw at me or any other resources that I might
> not have considered please send them my way!
> Thanks!
>
> Paul Harlow CCNA, MCP
> System and Network Administrator
> SKLD Information Services LLC
> 720 S. Colorado Blvd. Suite 1000N
> Denver, CO 80246
> (303)820-0861
> (720) 313-6125 cell
> pharlow@skld.com

Received on Wed Oct 31 2001 - 10:26:16 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:03:14 MST
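Added example (not Squid source and not part of the thread): a small Python model of the http_access evaluation rules Henrik describes, run against the three lines Paul quoted. It implements only the acl types the thread needs (src, dstdomain, dstdom_regex) and the rules that each http_access line ANDs its ACLs, lines are tried top to bottom with the first match deciding, repeated acl names OR their values, and an unmatched request gets the opposite of the last line's action (Squid's documented default). All hostnames and the second user (asmith, 10.9.1.50) are made up for illustration. Two caveats the model makes visible: dstdom_regex is an unanchored search, so "adams" also matches "madamsapparel.example", and a ruleset whose last line is a deny silently allows everything it does not name.

```python
"""Model of Squid http_access evaluation (added example; not Squid code).

Covers only: acl types src, dstdomain, dstdom_regex; http_access allow/deny.
Rules modelled:
  - an http_access line matches only if ALL its ACLs match (AND);
  - lines are tried in order and the first matching line decides;
  - repeating an acl name adds values; the acl matches if ANY value matches;
  - no matching line: opposite of the last line's action (deny if no lines).
Hostnames and the asmith user below are invented for the example.
"""
import ipaddress
import re
from urllib.parse import urlsplit


def parse_conf(text):
    """Return (acls, rules) from a squid.conf fragment."""
    acls = {}    # name -> (type, [values])
    rules = []   # [(action, [acl names])] in file order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            acl_kind, acl_values = acls.setdefault(name, (kind, []))
            if acl_kind != kind:
                raise ValueError("acl %s declared with two types" % name)
            acl_values.extend(values)
        elif words[0] == "http_access" and words[1] in ("allow", "deny"):
            rules.append((words[1], words[2:]))
        else:
            raise ValueError("unsupported line: %s" % line)
    return acls, rules


def src_match(value, client_ip):
    # Accepts 10.9.1.112, 10.9.1.112/255.255.255.255 or 10.9.1.0/24.
    net = ipaddress.ip_network(value, strict=False)
    return ipaddress.ip_address(client_ip) in net


def dstdomain_match(value, host):
    # Leading dot: the domain itself and every subdomain; otherwise exact.
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value


def acl_match(acls, name, client_ip, host):
    kind, values = acls[name]
    if kind == "src":
        return any(src_match(v, client_ip) for v in values)
    if kind == "dstdomain":
        return any(dstdomain_match(v, host) for v in values)
    if kind == "dstdom_regex":
        # Unanchored search: "adams" also matches "madamsapparel.example".
        return any(re.search(v, host) for v in values)
    raise ValueError("acl type %s not modelled" % kind)


def decide(conf_text, client_ip, url):
    """Return 'allow' or 'deny' for one request under the given config."""
    acls, rules = parse_conf(conf_text)
    host = (urlsplit(url).hostname or "").lower()
    for action, names in rules:
        if all(acl_match(acls, n, client_ip, host) for n in names):
            return action          # first matching line wins
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


# The three lines quoted in the thread, unchanged.
CONF_FROM_THREAD = """
acl jkanepc src 10.9.1.112/255.255.255.255
acl jkane dstdom_regex adams
http_access allow jkane jkanepc
"""

# One way to grow it per user: dstdomain instead of a substring regex, one
# allow line per user, and an explicit final deny so nothing falls through.
CONF_PER_USER = """
acl all src 0.0.0.0/0.0.0.0
acl jkanepc src 10.9.1.112/255.255.255.255
acl jkane dstdomain .adams.example
acl asmithpc src 10.9.1.50
acl asmith dstdomain .smith.example .smith-partner.example
http_access allow jkane jkanepc
http_access allow asmith asmithpc
http_access deny all
"""

# Last line is a deny, so every request it does not name is ALLOWED.
CONF_LAST_LINE_DENY = """
acl lan src 10.9.1.0/24
http_access deny lan
"""

if __name__ == "__main__":
    for conf, ip, url in [
        (CONF_FROM_THREAD, "10.9.1.112", "http://www.adams.example/"),
        (CONF_FROM_THREAD, "10.9.1.112", "http://madamsapparel.example/"),
        (CONF_PER_USER, "10.9.1.112", "http://madamsapparel.example/"),
        (CONF_PER_USER, "10.9.1.112", "http://www.smith.example/"),
        (CONF_LAST_LINE_DENY, "192.0.2.5", "http://www.example.com/"),
    ]:
        print(ip, url, "->", decide(conf, ip, url))
```

The per-user variant keeps Paul's "one src ACL plus one destination ACL per user, ANDed on one allow line" shape, which is what makes a user's destinations apply only from that user's machine; a request from 10.9.1.112 to www.smith.example is denied because asmith matches but asmithpc does not.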