Re: [squid-users] ACL advise

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 19 May 2007 04:19:11 +1200

squid squid wrote:
> Hi,
>
> Thank you for the advice.
>
> Can I have the access and deny as follows:
>
> http_access allow group-1 group1-url
> http_access allow group-1 group1-dom
> http_access allow group-2 group2-url
> http_access allow group-3 group3-url
> http_access allow group-1 all-groups-url
> http_access allow group-2 all-groups-url
> http_access allow group-3 all-groups-url
> http_access allow group-1 all-groups-dom
> http_access allow group-2 all-groups-dom
> http_access allow group-3 all-groups-dom
> http_access deny clients-seg-1
> http_access deny clients-seg-2
>
> http_access allow all
>
> Regards.
>
>> From: "Mark Barlow" <mark.barlow@freepower.co.uk>
>> To: "'squid squid'" <squidusr@hotmail.com>, <squid-users@squid-cache.org>
>> Subject: RE: [squid-users] ACL advise
>> Date: Fri, 18 May 2007 14:32:53 +0100
>>
>> I'm no expert, but from what I do know, this is what I would suggest;
>> hope it helps.
>>
>> Your starting 2 ACLs don't make sense: an 8-bit class A subnet mask on
>> 10.1.1.0 will cover all addresses from 10.0.0.0 - 10.255.255.255 (the
>> subnet mask would be 255.0.0.0). I suspect from what you have written
>> above you mean to use a class C netmask (255.255.255.0) on the class A
>> IP range, in which case your lines should read
>>
>> acl clients-seg-1 src 10.1.1.0/24
>> acl clients-seg-2 src 10.1.2.0/24
>>
>> You can then isolate your specific IP addresses
>>
>> acl group-1 src 10.1.1.10-10.1.1.11
>> acl group-2 src 10.1.1.12-10.1.1.13
>> acl group-3 src 10.1.2.20-10.1.2.21
>>
>> Other users not in the groups specified, i.e. 10.1.3.x, etc., can have
>> another acl
>>
>> acl all-others src 10.1.3.0/24 10.1.4.0/24 etc etc
>>
>> We then look at what pages are allowed
>>
>> acl group1-url url_regex -i intranet.abc.com/abc apps.intranet.abc.com/abc
>> acl group1-dom dstdom_regex -i interdept.abc.com
>> acl group2-url url_regex -i intranet.abc.com/def apps.intranet.abc.com/def
>> acl group3-url url_regex -i intranet.abc.com/xyz apps.intranet.abc.com/xyz
>> acl all-groups-url url_regex -i public.abc.com/abc
>> acl all-groups-dom dstdom_regex -i public.def.com
>> acl intranet dstdom_regex -i intranet.url
>>
>> Having set up the acls, now we look at the access. These rules are
>> applied in order.
>>
>> http_access allow group-1 group1-url
>> http_access allow group-1 group1-dom
>> http_access allow group-2 group2-url
>> http_access allow group-3 group3-url
>> http_access allow group-1 all-groups-url
>> http_access allow group-2 all-groups-url
>> http_access allow group-3 all-groups-url
>> http_access allow group-1 all-groups-dom
>> http_access allow group-2 all-groups-dom
>> http_access allow group-3 all-groups-dom
>> http_access allow all-others intranet
>>
>> http_access deny all
>>
>> The rules get looked at in turn; unless a client matches a rule with
>> its request, it will get mopped up by the deny all (assuming you have
>> left the acl all src 0.0.0.0/0.0.0.0).
>>
>>
>>
>> -----Original Message-----
>> From: squid squid [mailto:squidusr@hotmail.com]
>> Sent: 18 May 2007 13:35
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] ACL advise
>>
>> I would like to setup squid as follows :
>>
>> Group 1 users (10.1.1.10 and 10.1.1.11) only able to access 2 URLs
>> (http://intranet.abc.com/abc and http://apps.intranet.abc.com/abc) and 1
>> domain (interdept.abc.com)
>>
>> Group 2 users (10.1.1.12 and 10.1.1.13) only able to access 2 URLs
>> (http://intranet.abc.com/def and http://apps.intranet.abc.com/def)
>>
>> Group 3 users (10.1.2.20 and 10.1.2.21) only able to access 2 URLs
>> (http://intranet.abc.com/xyz and http://apps.intranet.abc.com/xyz)
>>
>> All 3 groups can access URL http://public.abc.com/abc and domain
>> public.def.com
>>
>> All other users in 10.1.1.x and 10.1.2.x are not allowed to access
>> anything.
>>
>> All other users not in the above groups (10.1.3.x, 10.1.4.x, etc) can
>> access everything on the intranet.
>>
>> Is my following configuration correct:
>>
>> Thank you.
>>
>> acl clients-seg-1 src 10.1.1.0/8
>> acl clients-seg-2 src 10.1.2.0/8
>>
>>
>> acl common-allow-url url_regex http://public.abc.com/abc
>> acl common-allow-domain dstdomain public.def.com
>>
>> http_access deny clients-seg-1 clients-seg-2 !clients-grp1 !clients-grp2
>> !clients-grp3
>>
>> acl clients-grp1 src 10.1.1.10 10.1.1.11
>> acl clients-grp1-allow-domain dstdomain interdept.abc.com
>> acl clients-grp1-allow-url url_regex http://intranet.abc.com/abc
>> http://apps.intranet.abc.com/abc
>>
>> http_access allow clients-grp1 clients-grp1-allow-domain
>> clients-grp1-allow-url common-allow-url common-allow-domain
>> http_access deny clients-grp1 !clients-grp1-allow-domain
>> !clients-grp1-allow-url !common-allow-url !common-allow-domain
>>
>>
>> acl clients-grp2 src 10.1.1.12 10.1.1.13
>> acl clients-grp2-allow-url url_regex http://intranet.abc.com/def
>> http://apps.intranet.abc.com/def
>>
>> http_access allow clients-grp2 clients-grp2-allow-url common-allow-url
>> common-allow-domain
>> http_access deny clients-grp2 !clients-grp2-allow-url !common-allow-url
>> !common-allow-domain
>>
>>
>> acl clients-grp3 src 10.1.2.20 10.1.2.21
>> acl clients-grp3-allow-url url_regex http://intranet.abc.com/xyz
>> http://apps.intranet.abc.com/xyz
>> http_access allow clients-grp3 clients-grp3-allow-url common-allow-url
>> common-allow-domain
>> http_access deny clients-grp3 !clients-grp3-allow-url !common-allow-url
>> !common-allow-domain
>>
>>
>> http_access allow all

That last line will allow *anyone* *anywhere* to access anything the
proxy can resolve (all of the internet!).
Be *very* sure you want that to happen before using "allow all" as a
default.

The earlier suggested config with an 'acl all-intranet 10.x.x.x/n ....'
was on the mark for a much more secure proxy setup that still does what
you want.

Amos
Received on Fri May 18 2007 - 10:19:25 MDT
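Added example (not from the thread, nor Squid's own code): a small Python model of how Squid walks http_access lines (first matching line wins, every ACL on a line must match, "!" negates, and with no match the default is the opposite of the last line). It encodes the ACLs and the two proposed rule endings from the thread so the effect of finishing with "allow all" versus "deny all" can be checked for concrete client addresses. The regex for the "intranet" ACL is an assumption, since the thread only gives the placeholder "intranet.url"; the probe addresses and URLs are constructed.

```python
"""Model of Squid's http_access evaluation, used to compare the two endings
proposed in this thread ("allow all" vs. "deny all" as the last rule).

Added example, not part of the thread or of Squid itself.  ACL names and
addresses follow the thread; the 'intranet' pattern is an assumption.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# ACL table: name -> (type, values).  'src' values may be a single address,
# a CIDR block or an addr1-addr2 range (no mask, so the range is not widened);
# regex types are matched case-insensitively, like Squid's "-i" flag.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "clients-seg-1": ("src", ["10.1.1.0/24"]),
    "clients-seg-2": ("src", ["10.1.2.0/24"]),
    "group-1": ("src", ["10.1.1.10-10.1.1.11"]),
    "group-2": ("src", ["10.1.1.12-10.1.1.13"]),
    "group-3": ("src", ["10.1.2.20-10.1.2.21"]),
    "all-others": ("src", ["10.1.3.0/24", "10.1.4.0/24"]),
    "group1-url": ("url_regex", [r"intranet\.abc\.com/abc", r"apps\.intranet\.abc\.com/abc"]),
    "group1-dom": ("dstdom_regex", [r"^interdept\.abc\.com$"]),
    "group2-url": ("url_regex", [r"intranet\.abc\.com/def", r"apps\.intranet\.abc\.com/def"]),
    "group3-url": ("url_regex", [r"intranet\.abc\.com/xyz", r"apps\.intranet\.abc\.com/xyz"]),
    "all-groups-url": ("url_regex", [r"public\.abc\.com/abc"]),
    "all-groups-dom": ("dstdom_regex", [r"^public\.def\.com$"]),
    # Assumption: the thread's "intranet.url" placeholder means any host under abc.com.
    "intranet": ("dstdom_regex", [r"\.abc\.com$"]),
}

# The ten per-group allow lines shared by both proposals in the thread.
GROUP_RULES = [
    ("allow", "group-1 group1-url"),
    ("allow", "group-1 group1-dom"),
    ("allow", "group-2 group2-url"),
    ("allow", "group-3 group3-url"),
    ("allow", "group-1 all-groups-url"),
    ("allow", "group-2 all-groups-url"),
    ("allow", "group-3 all-groups-url"),
    ("allow", "group-1 all-groups-dom"),
    ("allow", "group-2 all-groups-dom"),
    ("allow", "group-3 all-groups-dom"),
]
# Ending from the follow-up post: deny the two segments, then "allow all".
ALLOW_ALL_DEFAULT = GROUP_RULES + [("deny", "clients-seg-1"),
                                   ("deny", "clients-seg-2"),
                                   ("allow", "all")]
# Ending from the first reply: intranet-only for everyone else, then "deny all".
DENY_ALL_DEFAULT = GROUP_RULES + [("allow", "all-others intranet"),
                                  ("deny", "all")]


def _src_match(addr, spec):
    """Match one 'src' value: addr1-addr2 range, CIDR block or single address."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def acl_matches(name, src_ip, url):
    """True when the named ACL matches this client address and request URL."""
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(src_ip)
        return any(_src_match(addr, v) for v in values)
    if kind == "url_regex":
        return any(re.search(v, url, re.I) for v in values)
    if kind == "dstdom_regex":
        host = urlsplit(url).hostname or ""
        return any(re.search(v, host, re.I) for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def decide(rules, src_ip, url):
    """Walk the http_access lines in order; the first line whose terms all
    match decides.  A leading '!' negates a term.  With no match at all,
    Squid's documented default is the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), src_ip, url) != t.startswith("!")
               for t in terms.split()):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def internet_exposure(rules, src_ips, url="http://www.example.com/"):
    """Addresses the policy lets out to an arbitrary Internet URL; for the
    setup described in the thread the right answer is an empty list."""
    return [ip for ip in src_ips if decide(rules, ip, url) == "allow"]


if __name__ == "__main__":
    probes = ["10.1.1.10", "10.1.1.50", "10.1.3.5", "192.168.7.7"]  # constructed
    for label, rules in (("allow-all ending", ALLOW_ALL_DEFAULT),
                         ("deny-all ending", DENY_ALL_DEFAULT)):
        print(f"{label}: Internet reachable from {internet_exposure(rules, probes)}")
```

Running it shows the point of the reply above: with the "allow all" ending, 10.1.3.5 and an address outside 10.0.0.0/8 altogether both reach www.example.com, while the group and segment restrictions still hold; with the "deny all" ending, 10.1.3.x is limited to the intranet domain and nobody else gets through. Because the model reads the same ACL names and line order as squid.conf, it is a cheap way to sanity-check a rule set before reloading the proxy.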

This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT