Re: Working with ACL

Henrik,

Below is our squid config. Sorry to ask a stupid question again: where should the lines go, and if I have a few internet sites to be allowed, can I still use acl dstdomain? Will this implementation affect other remote offices that have internet access? Thanks again.

Rgds,
Jerry

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
#acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 1-65535
acl Safe_ports port 1-65535
acl NAI dstdom_regex \.nai.com$

#acl aggressivedomain url_regex -i "c:/squid/etc/blacklists/aggressive/domains"
#http_access deny aggressivedomain

#acl proxydomain url_regex -i "c:/squid/etc/auth/proxy/domains"
#http_access allow proxydomain

#acl warezdomain url_regex -i "c:/squid/etc/blacklists/warez/domains"
#http_access deny warezdomain
acl usrgrp src "c:/squid/etc/auth/usersgrp.acl"
acl usrgrp2 proxy_auth_regex -i "c:/squid/etc/auth/usersgrp2.acl"
acl PASSWORD proxy_auth REQUIRED
#http_access deny all PASSWORD
http_access deny usrgrp2
http_access allow all PASSWORD
http_access allow usrgrp

# purge bad objects; command ex. "client -m PURGE http://www.bad.com/";
acl purgemethod method PURGE

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

#http_access deny to_localhost

#http_access deny websites
http_access deny www.yahoo.com
#http_access allow all password
#http_access allow NAI all
http_access allow purgemethod localhost
http_access deny purgemethod
#http_access allow Safe_ports !SUBNETS
#http_access allow Safe_ports SUBNETS PASSWORD

# And finally deny all other access to this proxy
http_access deny all

miss_access allow all


From: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>
To: jerry khoo <klyehin@xxxxxxxxxxx>
CC: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  Working with ACL
Date: Mon, 17 Apr 2006 15:36:29 +0200

Mon 2006-04-17 at 10:10 +0000, jerry khoo wrote:

> implement on one of the remote site,example site 192.168.1.x
> The requirement is to block 80% of users from accessing internet, but allow
> them to go to some few internet site. The remaining 20% can access internet.
> But all 100% can access our intranet sites.
> Being new to squid, can someone give some example of the ACL configuration
> to achieve this type of requirement or it can't be done at all?
> Many thanks in advance to all the expert out there.

What you need to remember to implement this is that http_access is an
ordered list of rules. The first matching rule applies to the request.

Then use the src and dstdomain acls to define who may go where (or
not)..

acl siteX src 192.168.1.0/24
acl allowed_sites dstdomain ...
http_access allow siteX allowed_sites
http_access deny siteX

just before where you allow the rest of the users general access..

Regards
Henrik
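
Added example (not part of the original thread, and not Squid's own code): a small Python model of first-match http_access evaluation, showing why the siteX rules have to sit before the general allow rule and that clients from other source networks are not affected by them. The intranet and allowed-site domains, the siteX_full hosts and the plain "allow all" stand-in for the authenticated general-access rule are assumptions.

```python
import ipaddress

# Constructed ACLs. The domains and the siteX_full hosts (the 20% with full
# access) are assumptions; only 192.168.1.0/24 comes from the thread.
ACLS = {
    "all":           ("src", ["0.0.0.0/0"]),
    "siteX":         ("src", ["192.168.1.0/24"]),
    "siteX_full":    ("src", ["192.168.1.10/32", "192.168.1.11/32"]),
    "intranet":      ("dstdomain", [".intranet.example"]),
    "allowed_sites": ("dstdomain", [".allowed.example"]),
}

def acl_matches(name, client_ip, host):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    # dstdomain: a leading dot matches the domain itself and its subdomains
    host = host.lower()
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in values)

def http_access(rules, client_ip, host):
    """Return (action, rule) for the first rule whose ACLs all match (AND)."""
    for rule in rules:
        action, *names = rule.split()
        # "!name" negates the ACL, as in "http_access deny !Safe_ports"
        if all(acl_matches(n.lstrip("!"), client_ip, host) != n.startswith("!")
               for n in names):
            return action, rule
    # No rule matched: the default is the opposite of the last rule's action
    last = rules[-1].split()[0]
    return ("allow" if last == "deny" else "deny"), "(default)"

# Site rules placed before the general allow. "allow all" stands in for the
# config's authenticated general-access rule ("http_access allow all PASSWORD").
ORDERED = ["allow intranet", "allow siteX_full", "allow siteX allowed_sites",
           "deny siteX", "allow all", "deny all"]
# Same rules placed after the general allow: they are never reached.
MISPLACED = ["allow all", "allow intranet", "allow siteX_full",
             "allow siteX allowed_sites", "deny siteX", "deny all"]

if __name__ == "__main__":
    for ip, host in [("192.168.1.50", "www.allowed.example"),
                     ("192.168.1.50", "www.other.example"),
                     ("192.168.1.10", "www.other.example"),
                     ("10.0.0.5", "www.other.example")]:
        print(ip, host, http_access(ORDERED, ip, host),
              http_access(MISPLACED, ip, host))
```
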

