[squid-users] Consolidating Access Control Lists

From: Robert Adkins <raa@dont-contact.us>
Date: Fri, 30 Aug 2002 15:42:00 -0400

Hello Everyone,

        Below, you will find two excerpts out of my squid.conf file. The ACL and
the http_access section. As you can tell, this is configured to allow
only a small number of users to access the internet. There is also a
configuration to allow certain users to access the net, only during their
lunch period. I initially had this configured to allow all authorized
users to be able to authenticate and surf the internet and then added the
two users, who previously had no access to the internet.

        Once I had done this, they were able to surf the net. I tested the
configuration to make sure that they weren't going outside of their
allowed time and discovered that the logins were still able to surf the
net. This is because they were also authenticated users. So, I have had
to add an ACL for all users on the network and then create http_access
for those users, as shown below.

        This is working fine. The only problem is, I would rather not have to
add more lines to the squid.conf as time goes on. Also, if there were
hundreds of unimpaired users, or conversely hundreds of users to be
impaired in their surfing, this would become very unrealistic to
maintain.

        So, I am curious to know what other people have done to overcome this
issue and any suggestions to make this proxy management more streamlined
and maintainable.

         Thanks in advance.

************************ Begin ACL Section
#
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl users proxy_auth REQUIRED
acl porn url_regex "/usr/local/squid/etc/porn"
acl noporn url_regex "/usr/local/squid/etc/noporn"
acl USER1 proxy_auth <user_name>
acl USER2 proxy_auth <user_name>
acl USER3 proxy_auth <user_name>
acl USER4 proxy_auth <user_name>
acl USER5 proxy_auth <user_name>
acl USER6 proxy_auth <user_name>
acl USER7 proxy_auth <user_name>
acl USER8 proxy_auth <user_name>
acl LUNCH time 11:45-12:45

************************ Begin http_access section

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow USER3
http_access allow USER4
http_access allow USER5
http_access allow USER6
http_access allow USER7
http_access allow USER8
http_access allow noporn all
http_access deny porn all
http_access allow USER1 LUNCH
http_access deny USER1
http_access allow USER2 LUNCH
http_access deny USER2

************************* End squid.conf Excerpt

Regards,
Robert Adkins
IT Manager/Buyer
IMPEL Industries, Inc.
Office: 586-254-5800
Received on Fri Aug 30 2002 - 13:45:42 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:54 MST