Re: [squid-users] Nagging problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 18 Mar 2009 00:18:05 +1300

Jagdish Rao wrote:
> Hi,
>
> Squid ACL does not seem to work properly. I have created an ACL for code
> project and it does not seem to work. Can anyone help?
>
> Excerpts from squid.conf
>
> ############# SQUID DEFAULTS ############
> http_port 8000
> #hierarchy_stoplist cgi-bin ?
> #acl QUERY urlpath_regex cgi-bin \?
> #no_cache deny QUERY
> cache_log /var/log/squid/cache.log
> debug_options ALL,1 33,2
> debug_options ALL,1

The second debug_options overrides the first. To get your trace properly,
comment the second entry out.

>
> ############ AUTHENTICATIONS ###########
>
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/data/valid-users
> auth_param basic children 5
> auth_param basic realm Accord-Soft Proxy-caching Web Server
> auth_param basic credentialsttl 2 hour
> auth_param basic casesensitive off
>
> request_body_max_size 50 KB
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> ########### ACCESS CONTROLS ###########
>
>
> #### Format for Access Controls ####
> ## <acl username proxy_auth user id>
> ## <acl usertime time 9:00 - 14:00>
> ## <acl userurl url_regex website>
> ## <http_access allow username usertime userurl>
>
> acl password proxy_auth REQUIRED
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
>
> ########## USER DEFINED ACLS ###########
> #---------------------------------------
>
> ## Authenticating Users #######
> #------------------------------
> acl cdprjuser proxy_auth codeproject
>
> #### ACL TIMINGS #######
> #-----------------------
> acl codeprj time 9:00-17:00
>
> ### ACL for Codeproj ######
> #--------------------------
> #acl cdprjuser url_regex "/etc/squid/data/codeprj-sites"
> acl cdprjurl url_regex codeproject.com
> acl cdprjurl url_regex msdn2.microsoft.com
> acl cdprjurl url_regex msdn.microsoft.com
> acl cdprjurl url_regex msdn.com
> acl cdprjurl url_regex smartworks.us
> acl cdprjurl url_regex installshield.com
> acl cdprjurl url_regex asp.net
> acl cdprjurl url_regex ajax.asp.net
> acl cdprjurl url_regex rodrickbrown.com
> acl cdprjurl url_regex csharp-station.com
> acl cdprjurl url_regex csharpcomputing.com
> acl cdprjurl url_regex albahari.com
> acl cdprjurl url_regex c-sharpcorner.com
> acl cdprjurl url_regex devsource.com
> acl cdprjurl url_regex developerfusion.co.uk

gah!!!
make these all "dstdomain" type for an order of magnitude speed increase.

>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> ### Access Goes Here #######
> #---------------------------
> http_access allow cdprjuser codeprj cdprjurl
> .
> .
> .
> http_access deny all
>
> cache_mgr netadmin_at_accord-soft.com
> visible_hostname squid.accord-soft.com
>
>
>
>
> Any help would be appreciated.
>
> Thanks
>
> Regards
>
> Jagdish
>

How does that not work?

You configured: anyone logging in as user "codeproject" with any
password gets access from 9am to 5pm to any URL containing a list of
domain names.

For example:
   anyone can send your squid User/pass codeproject:fubar
http://www.google.com/search?q=free+porn&foo=asp.net at 2pm and get the
search results page back.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Tue Mar 17 2009 - 11:17:26 MDT
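
Added example (not part of the original message and not Squid's own code): a small Python model of the two ACL types discussed above, showing why the unanchored url_regex patterns match the Google URL from the reply while dstdomain entries for the same sites do not. The leading-dot dstdomain values and the URLs marked "constructed" are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Subset of the patterns from the cdprjurl ACL in the quoted squid.conf.
URL_REGEX_ACL = ["codeproject.com", "msdn.microsoft.com", "asp.net"]
# Assumed dstdomain rewrite of the same sites; a leading dot also covers subdomains.
DSTDOMAIN_ACL = [".codeproject.com", ".msdn.microsoft.com", ".asp.net"]


def url_regex_match(url, patterns=URL_REGEX_ACL):
    """Model of url_regex: unanchored regex search over the whole URL string."""
    return any(re.search(p, url) for p in patterns)


def dstdomain_match(url, domains=DSTDOMAIN_ACL):
    """Model of dstdomain: only the destination host name is compared."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for d in domains:
        d = d.lower()
        if d.startswith("."):
            # ".asp.net" matches asp.net itself and any subdomain of it.
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False


def compare(urls):
    """Return (url, url_regex result, dstdomain result) for each URL."""
    return [(u, url_regex_match(u), dstdomain_match(u)) for u in urls]


SAMPLE_URLS = [
    "http://www.codeproject.com/KB/cs/",                      # constructed
    "http://www.google.com/search?q=free+porn&foo=asp.net",   # URL from the reply
    "http://aspXnet.example/",   # constructed: "." in the regex matches any character
    "http://notasp.net/",        # constructed: substring hit, different domain
]

if __name__ == "__main__":
    for url, by_regex, by_domain in compare(SAMPLE_URLS):
        print(f"url_regex={by_regex!s:5} dstdomain={by_domain!s:5} {url}")
```
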