
RE: [squid-users] SQUID- ACL for different time frame for different block of IP addresses.


> -----Original Message-----
> From: thomas [mailto:thomas.xavier@xxxxxxxxx]
> Sent: Tuesday, February 08, 2005 8:16 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: [squid-users] SQUID- ACL for different time frame for different
> block of IP addresses.
> 
> 
> Dear All
> Requirement has arisen to provide access to a group of machine
> categorized based on IP address.
> 
> ACL created is as follows:-
> 
> acl fulltime_ip src 10.10.10.40-10.10.10.254
> acl slot1_ip src 10.10.10.25   10.10.10.30    10.10.10.35
> acl slot1_time time 08:00-10:00
> acl slot2_ip src 10.10.10.39   10.10.10.40 10.10.10.41
> acl slot2_time time 10:00-12:00
> acl CONNECT method CONNECT
> acl ncsa_users proxy_auth REQUIRED
> 
> HTTP_ACCESS statements are as follows:-
> 
> http_access allow localhost
> http_access allow ncsa_users
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All authenticated users (no matter the IP or the time, source or
destination) are allowed access

> http_access allow slot1_ip slot1_time
> http_access allow slot2_ip slot2_time
> http_access allow fulltime_ip
> http_access allow Safe_ports
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Everyone (no matter the IP or the time) is allowed access to Safe_ports

> http_reply_access allow all
> icp_access allow all
> miss_access allow all
> http_access allow SSL_ports
> http_access deny all
> 
> Q1= With above ACL and http_access, machines are not getting denied
> though they are supposed to be denied apart from their specified time
> slot.
> 
> Q2= Is the http_access sequence OK? If not what should be?
> 
> Q3= Please suggest better way of doing the same?
> 
> Q4= Similar to http_access sequence, should I have to take care of acl
> statement sequence too?
> 
> TIA

This is probably how you want to do it:

# Deny anyone from accessing a "non-safe" port
http_access deny !Safe_ports
# Deny CONNECT requests to non-SSL ports
http_access deny CONNECT !SSL_ports
# Require authentication
http_access deny !ncsa_users
# Allow surfing from the local machine (with authentication)
http_access allow localhost
# Allow slot1 IPs during their time (with authentication)
http_access allow slot1_ip slot1_time
# Allow slot2 IPs during their time (with authentication)
http_access allow slot2_ip slot2_time
# Allow fulltime IPs anytime (with authentication)
http_access allow fulltime_ip
# Just for clarity
http_access deny all


icp_access is only useful (to the best of my knowledge) if you have sibling
or child caches.
http_reply_access only needs to be specifically allowed if you are denying
some.


Chris
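
Added example (not part of the original thread, and not Squid code): a simplified Python model of http_access evaluation, where the ACLs on one line are ANDed and the first matching line decides, run over both rule orderings from this thread. The port sets, the boolean treatment of proxy_auth, and the names acl_facts and decide are assumptions made for the illustration.

```python
from ipaddress import ip_address

# Assumed port sets; the thread does not show the Safe_ports / SSL_ports definitions.
SAFE_PORTS, SSL_PORTS = {21, 80, 443, 563}, {443, 563}

ORIGINAL = """
http_access allow localhost
http_access allow ncsa_users
http_access allow slot1_ip slot1_time
http_access allow slot2_ip slot2_time
http_access allow fulltime_ip
http_access allow Safe_ports
http_access allow SSL_ports
http_access deny all
"""
REORDERED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !ncsa_users
http_access allow localhost
http_access allow slot1_ip slot1_time
http_access allow slot2_ip slot2_time
http_access allow fulltime_ip
http_access deny all
"""

def acl_facts(src, hhmm, authed, port=80, method="GET"):
    """Evaluate each ACL from the thread for one constructed request."""
    ip = ip_address(src)
    return {
        "all": True, "localhost": src == "127.0.0.1", "ncsa_users": authed,
        "slot1_ip": src in ("10.10.10.25", "10.10.10.30", "10.10.10.35"),
        "slot1_time": "08:00" <= hhmm <= "10:00",
        "slot2_ip": src in ("10.10.10.39", "10.10.10.40", "10.10.10.41"),
        "slot2_time": "10:00" <= hhmm <= "12:00",
        "fulltime_ip": ip_address("10.10.10.40") <= ip <= ip_address("10.10.10.254"),
        "Safe_ports": port in SAFE_PORTS, "SSL_ports": port in SSL_PORTS,
        "CONNECT": method == "CONNECT",
    }

def decide(config, facts):
    """Return (action, matching line): ACLs on a line are ANDed, first match wins."""
    for line in config.strip().splitlines():
        _, action, *acls = line.split()
        if all(facts[a.lstrip("!")] != a.startswith("!") for a in acls):
            return action, line
    raise ValueError("no rule matched")  # unreachable: both lists end in 'deny all'

if __name__ == "__main__":
    for authed in (True, False):
        f = acl_facts("10.10.10.25", "15:00", authed)  # slot1 host, outside its slot
        print(authed, decide(ORIGINAL, f), decide(REORDERED, f))
```

Printing the matching line alongside the decision shows which rule short-circuits the list, which is the quickest way to audit an ordering before reloading Squid.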
