I'm no expert, but from what I do know this is what I would suggest; hope it helps.

Your starting 2 ACLs don't make sense: an 8 bit class A subnet mask on 10.1.1.0 will cover all addresses from 10.0.0.0 - 10.255.255.255; the subnet mask would be 255.0.0.0. I suspect from what you have written above you mean to use a class C netmask (255.255.255.0) on the class A IP range, in which case your lines should read

acl clients-seg-1 src 10.1.1.0/24
acl clients-seg-2 src 10.1.2.0/24

You can then isolate your specific IP addresses

acl group-1 src 10.1.1.10-10.1.1.11/32
acl group-2 src 10.1.1.12-10.1.1.13/32
acl group-3 src 10.1.2.20-10.1.2.21/32

Other users not in the groups specified, i.e. 10.1.3.x, etc, can have another acl

acl all-others src 10.1.3.0/24 10.1.4.0/24 etc etc

We then look at what pages are allowed

acl group1-url url_regex -i intranet.abc.com apps.intranet.abc.com/abc
acl group1-dom dstdom_regex -i interdept.abc.com
acl group2-url url_regex -i intranet.abc.com/def apps.intranet.abc.com/def
acl group3-url url_regex -i intranet.abc.com/xyz apps.intranet.abc.com/xyz
acl all-groups-url url_regex -i public.abc.com/abc
acl all-groups-dom dstdom_regex -i public.def.com
acl intranet dstdom_regex -i intranet.url

Having set up the acls, now we look at the access. These rules are applied in order.
http_access allow group-1 group1-url
http_access allow group-1 group1-dom
http_access allow group-2 group2-url
http_access allow group-3 group3-url
http_access allow group-1 all-groups-url
http_access allow group-2 all-groups-url
http_access allow group-3 all-groups-url
http_access allow group-1 all-groups-dom
http_access allow group-2 all-groups-dom
http_access allow group-3 all-groups-dom
http_access allow all-others intranet
http_access deny all

The rules get looked at in turn; unless a client matches the rule with its request it will get mopped up by the deny all (assuming you have left the acl all src 0.0.0.0/0.0.0.0)

-----Original Message-----
From: squid squid [mailto:squidusr@xxxxxxxxxxx]
Sent: 18 May 2007 13:35
To: squid-users@xxxxxxxxxxxxxxx
Subject: ACL advise

I would like to setup squid as follows :

Group 1 users (10.1.1.10 and 10.1.1.11) only able to access 2 URLs (http://intranet.abc.com/abc and http://apps.intranet.abc.com/abc) and 1 domain (interdept.abc.com)

Group 2 users (10.1.1.12 and 10.1.1.13) only able to access 2 URLs (http://intranet.abc.com/def and http://apps.intranet.abc.com/def)

Group 3 users (10.1.2.20 and 10.1.2.21) only able to access 2 URLs (http://intranet.abc.com/xyz and http://apps.intranet.abc.com/xyz)

All 3 groups can access URL http://public.abc.com/abc and domain public.def.com

All other users in 10.1.1.x and 10.1.2.x are not allowed to access anything.

All other users not in the above group (10.1.3.x, 10.1.4.x, etc) can access everything on the intranet.

Is my following configuration correct:

Thank you.
acl clients-seg-1 src 10.1.1.0/8
acl clients-seg-2 src 10.1.2.0/8

acl common-allow-url url_regex http://public.abc.com/abc
acl common-allow-domain dstdomain public.def.com

http_access deny clients-seg-1 clients-seg-2 !clients-grp1 !clients-grp2 !clients-grp3

acl clients-grp1 src 10.1.1.10 10.1.1.11
acl clients-grp1-allow-domain dstdomain interdept.abc.com
acl clients-grp1-allow-url url_regex http://intranet.abc.com/abc http://apps.intranet.abc.com/abc
http_access allow clients-grp1 clients-grp1-allow-domain clients-grp1-allow-url common-allow-url common-allow-domain
http_access deny clients-grp1 !clients-grp1-allow-domain !clients-grp1-allow-url !common-allow-url !common-allow-domain

acl clients-grp2 src 10.1.1.12 10.1.1.13
acl clients-grp2-allow-url url_regex http://intranet.abc.com/def http://apps.intranet.abc.com/def
http_access allow clients-grp2 clients-grp2-allow-url common-allow-url common-allow-domain
http_access deny clients-grp2 !clients-grp2-allow-url !common-allow-url !common-allow-domain

acl clients-grp3 src 10.1.2.20 10.1.2.21
acl clients-grp3-allow-url url_regex http://intranet.abc.com/xyz http://apps.intranet.abc.com/xyz
http_access allow clients-grp3 clients-grp3-allow-url common-allow-url common-allow-domain
http_access deny clients-grp3 !clients-grp3-allow-url !common-allow-url !common-allow-domain

http_access allow all
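
The first-match evaluation described in the reply above ("these rules are applied in order", with unmatched requests falling through to deny all), modelled in Python as an added example; it is not part of the original thread and is not Squid's own code. Assumptions: the helper names (src, url_regex, dstdom_regex, decide) are hypothetical, only groups 1 and 2 are modelled, the URL patterns are anchored to the URLs listed in the original request, and intranet.abc.com stands in for the intranet domain.

```python
import ipaddress, re
from urllib.parse import urlsplit

def src(*specs):
    """src ACL: each spec is a CIDR network or a 'first-last' host range."""
    def match(client, url):
        ip = ipaddress.ip_address(client)
        for s in specs:
            if "-" in s:
                lo, hi = map(ipaddress.ip_address, s.split("-"))
                if lo <= ip <= hi:
                    return True
            elif ip in ipaddress.ip_network(s):
                return True
        return False
    return match

def url_regex(*pats):      # case-insensitive search over the full URL (-i)
    return lambda client, url: any(re.search(p, url, re.I) for p in pats)

def dstdom_regex(*pats):   # case-insensitive search over the host name only
    return lambda client, url: any(
        re.search(p, urlsplit(url).hostname or "", re.I) for p in pats)

ACLS = {
    "all": src("0.0.0.0/0"),
    "group-1": src("10.1.1.10-10.1.1.11"),
    "group-2": src("10.1.1.12-10.1.1.13"),
    "all-others": src("10.1.3.0/24", "10.1.4.0/24"),
    "group1-url": url_regex(r"^http://(apps\.)?intranet\.abc\.com/abc"),
    "group1-dom": dstdom_regex(r"^interdept\.abc\.com$"),
    "group2-url": url_regex(r"^http://(apps\.)?intranet\.abc\.com/def"),
    "all-groups-url": url_regex(r"^http://public\.abc\.com/abc"),
    "intranet": dstdom_regex(r"(^|\.)intranet\.abc\.com$"),  # assumed intranet domain
}
RULES = [  # (action, ACLs that must ALL match); order is significant
    ("allow", ["group-1", "group1-url"]),
    ("allow", ["group-1", "group1-dom"]),
    ("allow", ["group-2", "group2-url"]),
    ("allow", ["group-1", "all-groups-url"]),
    ("allow", ["group-2", "all-groups-url"]),
    ("allow", ["all-others", "intranet"]),
    ("deny", ["all"]),
]

def decide(client, url):
    """Return the action of the first http_access line whose ACLs all match."""
    for action, names in RULES:
        if all(ACLS[n](client, url) for n in names):
            return action
    return "deny"  # unreachable here: the final 'deny all' always matches
```

A host such as 10.1.1.50 belongs to no group ACL, so no allow line matches it and it reaches the final deny, which is the behaviour the original request asks for.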