Re: [squid-users] Filter by time and white-black lists

From: Marcus Kool <marcus.kool_at_urlfilterdb.com>
Date: Mon, 21 Jan 2013 11:22:40 -0200

Although Squid ACLs can do almost anything, they are not the simplest
thing to configure. A URL redirector like ufdbGuard offloads work from Squid
and can do the same thing using a more intuitive configuration:

source admin {
    ip 10.77.88.47
}
source managers {
    ip 10.77.88.42-10.77.88.46
}
source classroom {
    ip 10.77.88.1-10.77.88.41
}
category whitelist01 {
    domainlist ".../whitelist01/domains"
}
category blacklist01 {
    domainlist ".../blacklist01/domains"
}
time workinghours {
    weekly mon,tue,wed,thu,fri 09:00 - 17:00
}
acl {
    admin { pass any }
    managers within workinghours { pass whitelist01 none } else { pass none }
    classroom within workinghours { pass !blacklist01 any } else { pass none }
    default { pass none }
}

Marcus

On 01/21/2013 07:33 AM, Helmut Hullen wrote:
> Hello, Artur,
>
> You wrote on 21.01.13:
>
>> I've tried many times and I can not do it, please help :(
>
>> I have 2 classrooms total 40 PC's
>> +5 manager PC's
>> +1 administrator
>> So IP range is
>> 10.77.88.1-10.77.88.41 - for classroom
>> 10.77.88.42-10.77.88.46 - for managers
>> 10.77.88.47 - admin
>
>> Task:
>> 1) Internet only for these 46 hosts 10.77.88.1-10.77.88.47
>> 2) Classroom and managers can access internet only workdays from 9 to
>> 17
>> 3) Classroom have blacklist of sites in file for which access is
>> denied
>> 4) Managers only can visit white list sites in file, all other
>> blocked
>> 5) Admin can visit any web at any time
>> 6) On weekends (A S) access only by authentication
>
>> I am new to squid so I have difficulty doing this, I was able to set
>> access by days and time for one range, but how to join this with
>> white black list and other ranges for manager and admin +
>> authentication o_o I don't get how this http_access deny access works,
>> in what order, can someone provide solution for my task? I will be
>> very grateful
>
> You seem to live in Germany, perhaps you should look at "linux-user" 2/
> 2013, p. 16 ... 20 ("Squid als Spiel- und Social-Network-Bremse").
>
>
> I'd try the following "http_access" order (untested):
>
> acl localnet src 10.77.88.1-10.77.88.47
> acl admin src 10.77.88.47
> http_access deny !localnet
> # all others get fired
>
> acl admin src 10.77.88.47
> http_access allow admin
> # they are privileged
>
> # the blacklist file holds site names, so it is matched as dstdomain
> acl blacklist dstdomain "/etc/squid/blacklist"
> acl schueler src 10.77.88.1-10.77.88.41
> http_access allow !schueler
> # managers have more rights
> # you may define a special acl for managers; it's not necessary in this
> # example
>
> http_access allow schueler !blacklist
> # pupils are restricted
>
> http_access deny all
> # all other cases
>
> -------------------------
>
> The time restrictions are not implemented; take a look at listing 1 in
> the above mentioned article.
>
> Best regards!
> Helmut
>
>
Received on Mon Jan 21 2013 - 13:22:50 MST
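
The policy in the ufdbGuard configuration above, modelled as a small first-match evaluator so it can be checked against sample requests before deployment. This is an added example, not part of the original thread and not ufdbGuard's own code; the domain lists are constructed sample data, and the matching rules (first matching source, pass list read left to right, list entries covering subdomains, window ending before 17:00) are assumptions of this simplified model.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed sample lists; the real ones live in the domainlist files.
CATEGORIES = {
    "whitelist01": {"intranet.example", "wikipedia.org"},
    "blacklist01": {"games.example"},
}
# (name, first IP, last IP), taken from the source blocks in the config.
SOURCES = [
    ("admin", "10.77.88.47", "10.77.88.47"),
    ("managers", "10.77.88.42", "10.77.88.46"),
    ("classroom", "10.77.88.1", "10.77.88.41"),
]
# source -> (time-restricted?, pass list inside the window, pass list outside)
ACL = {
    "admin": (False, ["any"], ["any"]),
    "managers": (True, ["whitelist01", "none"], ["none"]),
    "classroom": (True, ["!blacklist01", "any"], ["none"]),
    "default": (False, ["none"], ["none"]),
}

def in_working_hours(when):
    # weekly mon,tue,wed,thu,fri 09:00 - 17:00 (Monday is weekday 0)
    return when.weekday() < 5 and 9 <= when.hour < 17

def in_category(domain, name):
    # A list entry covers the domain itself and all of its subdomains.
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in CATEGORIES[name] for i in range(len(labels)))

def source_of(client_ip):
    ip = ip_address(client_ip)
    for name, first, last in SOURCES:
        if ip_address(first) <= ip <= ip_address(last):
            return name
    return "default"  # any client outside the three ranges

def decide(client_ip, domain, when):
    """Return True if the request is passed, False if it is blocked."""
    timed, inside, outside = ACL[source_of(client_ip)]
    rules = inside if (not timed or in_working_hours(when)) else outside
    for rule in rules:  # the first term that matches decides
        if rule in ("any", "none"):
            return rule == "any"
        negated, name = rule.startswith("!"), rule.lstrip("!")
        if in_category(domain, name):
            return not negated
    return False  # nothing matched: block
```

The model follows the posted configuration, which blocks classroom and manager hosts outside working hours; weekend access by authentication (item 6 of the task) is not expressed in it.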
