Let me layout my acls.
1. We use authentication for everything but a few sites. As I'm sure most squid-users have encountered, there are a number of sites (mainly software update programs) that don't play well with authentication so I have created a noauth acl which allow any user on the internal source to browse to without authentication.
2. We do completely ban some sites (mainly pornographic).
3. My internal source is 192.168.0.0/16
SO... Here's all my acls:
proxy1 = firewall (192.168.1.13)
proxy2 = private vpn network (192.168.1.4)
cache_peer proxy2 parent 3128 0 proxy-only allow-miss no-query
acl all src 0.0.0.0/0.0.0.0
acl internal_src src 192.168.0.0/255.255.0.0 # Internal Network
acl int_domain srcdomain mydomain.int # Internal Domain
acl int_short url_regex ^http://[^\.]*/
acl carenet_dsta srcdomain nsh.dcnhs.org # VPN Network Domain
acl carenet_dstb dst 100.0.0.0/8 # VPN Ip Network
no_cache deny carenet_dsta # Don't cache anything from the VPN
no_cache deny carenet_dstb # Don't cache anything from the VPN
acl careauth proxy_auth "carenet_users" # User list for the accessing the VPN Site
acl onesourceauth proxy_auth "onesrc_users" # Restrict Some users to specific Internet Sites
acl onesource_dst dstdom_regex "onesrc_dst" # List of sites for these Restricted Users
acl noauth_sites dstdom_regex "noauth_sites" # Sites which are accessible to Everyone with no Auth
acl banned_sites dstdom_regex "banned_sites" # Sited restricted to everyone!!
acl allowedusers proxy_auth REQUIRED # Authenticate Everyone
http_access deny banned_sites
http_access allow noauth_sites
http_access deny onesourceauth !onesource_dst
http_access deny carenet_dsta carenet_dstb !careauth
never_direct allow carenet_dsta
never_direct allow carenet_dstb
http_access allow internal_src allowedusers !onesourceauth
http_access deny all
cache_peer_access proxy2 allow all
My thought process for the http_allow:
A. Deny internal_src or all access to the banned sites
B. Allow everyone access to the noauth sites (some are internal like our intranet)
C. If the authenticated user in listed in the onesourceauth, allow then access to just oncesource_dst only!
B. If the authenticated uses in listed in the careauth, allow access to carenet* and anywhere else.
D. Allow all remaining authenticated users.
I am not the best with acl rules so any suggestions would be appreciated!
Vernon Fort
-----Original Message-----
From: Henrik Nordstrom [mailto:hno@marasystems.com]
Sent: Sunday, March 31, 2002 9:59 AM
To: Vernon A. Fort
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Two Instances of Squid
"Vernon A. Fort" wrote:
> The only question I still have is how to write a regex expression that will match either a domain name or ipaddress/mask in one file. This is the reason for the dsta and dstb acl lines. If anyone wants my conf files, I will send via private email.
Don't. Use the dstdomain and dst ACL types, prefering "dstdomain" as
first http_access rule.
And I think you made the same error on source vs destination in the
posted ruleset.. (you were using srcdomain, where I think you meant to
use dstdomain).
Regards
Henrik
Received on Mon Apr 01 2002 - 07:05:57 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:18 MST