Re: [squid-users] Filter by time and white-black lists

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 22 Jan 2013 17:10:36 +1300

On 22/01/2013 2:22 a.m., Marcus Kool wrote:
> Although Squid ACLs can do almost anything they are not the simplest
> thing to configure. A URL redirector like ufdbGuard offloads work
> from Squid
> and can do the same thing using a more intuitive configuration:
>

I don't see how {} syntax with lots of "pass none" inside else
conditions can be more intuitive.
Note the following direct 1:1 translation of UFDB syntax into Squid syntax.

Also, the overheads of using the URL redirector interface to Squid place
a lot of limitations on what transaction details can be tested for and
additional processing Squid must perform in order to utilize the helper's
results.

PS. If this is the main pull ufdbGuard has nowadays, would you consider
joining the squid dev team and helping the efforts to further improve
the squid.conf syntax, parse, and ACL processing?

> source admin {
> ip 10.77.88.47
> }

acl admin src 10.77.88.47

> source managers {
> ip 10.77.88.42-10.77.88.46
> }

acl managers src 10.77.88.42-10.77.88.46

> source classroom {
> ip 10.77.88.1-10.77.88.41
> }

acl classroom src 10.77.88.1-10.77.88.41

> category whitelist01 {
> domainlist ".../whitelist01/domains"
> }

acl whitelist01 dstdomain ".../whitelist01/domains"

>
> category blacklist01 {
> domainlist ".../blacklist01/domains"
> }
acl blacklist01 dstdomain ".../blacklist01/domains"

> time workinghours {
> weekly mon,tue,wed,thu,fri 09:00 - 17:00
> }
acl workinghours time MTWHF 09:00-17:00

> acl {
> admin { pass any }

http_access allow admin

> managers within workinghours { pass whitelist01 none } else { pass none }
http_access allow managers workinghours whitelist01

> classroom within workinghours { pass !blacklist01 any } else { pass
> none }

http_access allow classroom workinghours !blacklist01

> default { pass none }

http_access deny all

> }
>
> Marcus
>
>
> On 01/21/2013 07:33 AM, Helmut Hullen wrote:
>> Hello, Artur,
>>
>> You wrote on 21.01.13:
>>
>>> I've tried many times and I cannot do it, please help :(
>>
>>> I have 2 classrooms, 40 PCs total
>>> +5 manager PCs
>>> +1 administrator
>>> So the IP range is
>>> 10.77.88.1-10.77.88.41 - for the classroom
>>> 10.77.88.42-10.77.88.46 - for managers
>>> 10.77.88.47 - admin
>>
>>> Task:
>>> 1) Internet only for these 46 hosts 10.77.88.1-10.77.88.47
>>> 2) Classroom and managers can access the internet only on workdays from 9 to
>>> 17
>>> 3) Classroom has a blacklist of sites in a file for which access is
>>> denied
>>> 4) Managers can only visit whitelisted sites in a file, all others
>>> blocked
>>> 5) Admin can visit any web site at any time
>>> 6) On weekends (A S) access only by authentication
>>
>>> I am new to squid so I have difficulty doing this. I was able to set
>>> access by days and time for one range, but how do I join this with the
>>> white/black list and other ranges for manager and admin +
>>> authentication o_o I don't get how this http_access deny access works,
>>> in what order; can someone provide a solution for my task? I will be
>>> very grateful
>>
>> You seem to live in Germany, perhaps you should look at "linux-user" 2/
>> 2013, p. 16 ... 20 ("Squid als Spiel- und Social-Network-Bremse").
>>
>>
>> I'd try the following "http_access" order (untested):
>>
>> acl localnet src 10.77.88.1-10.77.88.47
>> acl admin src 10.77.88.47
>> http_access deny !localnet
>> # all others get fired
>>
>> acl admin src 10.77.88.47
>> http_access allow admin
>> # they are privileged
>>
>> acl blacklist dstdomain "/etc/squid/blacklist"
>> acl schueler src 10.77.88.1-10.77.88.41
>> http_access allow !schueler
>> # managers have more rights
>> # you may define a special acl for managers; it's not necessary in this
>> # example
>>
>> http_access allow schueler !blacklist
>> # pupils are restricted
>>
>> http_access deny all
>> # all other cases
>>
>> -------------------------
>>
>> The time restrictions are not implemented; take a look at listing 1 in
>> the above mentioned article.
>>
>> Best regards!
>> Helmut
>>
>>
Received on Tue Jan 22 2013 - 04:11:02 MST
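Added example (not part of the thread): a small Python model of how Squid walks the http_access list that Amos translated above, so the "in what order" question can be checked against concrete requests. The domain lists and the requests are constructed sample data standing in for the whitelist/blacklist files.

```python
"""Model of Squid's http_access evaluation for the rules in this thread.

Semantics modelled (as documented for squid.conf):
 * http_access lines are tried top to bottom; the first line whose ACLs
   ALL match decides the request; later lines are never consulted.
 * A leading '!' negates that one ACL on the line.
 * If no line matches, the default is the opposite of the last line.
"""
from datetime import datetime
from ipaddress import ip_address

def _src_range(first, last):
    lo, hi = ip_address(first), ip_address(last)
    return lambda req: lo <= ip_address(req["src"]) <= hi

def _dstdomain(domains):
    # squid dstdomain: ".example" matches the domain and all its subdomains,
    # "example" (no leading dot) matches only that exact host name
    def match(req):
        host = req["host"].lower()
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in domains)
    return match

def _time(weekdays, start, end):
    # acl workinghours time MTWHF 09:00-17:00 ; weekday(): Mon=0 .. Sun=6
    return lambda req: (req["when"].weekday() in weekdays
                        and start <= req["when"].strftime("%H:%M") < end)

# Constructed sample domain lists in place of the ".../domains" files.
ACLS = {
    "admin": _src_range("10.77.88.47", "10.77.88.47"),
    "managers": _src_range("10.77.88.42", "10.77.88.46"),
    "classroom": _src_range("10.77.88.1", "10.77.88.41"),
    "whitelist01": _dstdomain([".intranet.example", ".docs.example"]),
    "blacklist01": _dstdomain([".games.example", ".social.example"]),
    "workinghours": _time({0, 1, 2, 3, 4}, "09:00", "17:00"),
    "all": lambda req: True,
}

# Amos's four http_access lines, in order.
HTTP_ACCESS = [
    ("allow", ["admin"]),
    ("allow", ["managers", "workinghours", "whitelist01"]),
    ("allow", ["classroom", "workinghours", "!blacklist01"]),
    ("deny", ["all"]),
]

def http_access(req, rules=HTTP_ACCESS, acls=ACLS):
    """Return 'allow' or 'deny' for req, first matching line wins."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def request(src, host, when):
    return {"src": src, "host": host, "when": datetime.fromisoformat(when)}
```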
