Re: ACL advise

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

squid squid wrote:
> Hi,
>
> Thank you for the advise.
>
> Can I have the access and deny as follows:
>
> http_access allow group-1 group1-url
> http_access allow group-1 group1-dom
> http_access allow group-2 group2-url
> http_access allow group-3 group3-url
> http_access allow group-1 all-groups-url
> http_access allow group-2 agll-groups-url
> http_access allow group-3 all-groups-url
> http_access allow group-1 all-groups-dom
> http_access allow group-2 all-groups-dom
> http_access allow group-3 all-groups-dom
> http_access deny clients-seg-1
> http_access deny clients-seg-2
>
> http_access allow all
>
> Regards.
>
> > From: "Mark Barlow" <mark.barlow@xxxxxxxxxxxxxxx>
> > To: "'squid squid'" <squidusr@xxxxxxxxxxx>, <squid-users@xxxxxxxxxxxxxxx>
> > Subject: RE:  ACL advise
> > Date: Fri, 18 May 2007 14:32:53 +0100
> >
> > I'm no expert but from what I do know, this is what I would suggest, 
> > hope it
> > helps.
> >
> > Your starting 2 ACl's don't make sense, an 8 bit class A subnet mask on
> > 10.1.1.0 will cover all addresses from 10.0.0.0 - 10.255.255.255 the 
> > subnet
> > mask would be 255.0.0.0 I suspect from what you have written above you 
> > mean
> > to use a class C netmask (255.255.255.0) on the class A IP range, in 
> > which
> > case your lines should read
> >
> > acl clients-seg-1 src 10.1.1.0/24
> > acl clients-seg-2 src 10.1.2.0/24
> >
> > You can then isolate your specific IP addresses
> >
> > acl group-1 src 10.1.1.10-10.1.1.11/24
> > acl group-2 src 10.1.1.12-10.1.1.13/24
> > acl group-3 src 10.1.2.20-10.1.2.21/24
> >
> > Other users not in the groups specified i.e. 10.1.3.x, etc can have 
> > another
> > acl
> >
> > alc all-others src 10.1.3.0/24 10.1.4.0/24 etc etc
> >
> > We then look at what pages are allowed
> >
> > Acl group1-url url-regex -i intranet.abc.com apps.intranet.abc.com/abc
> > Acl group1-dom dstdom-regex -i interdept.abc.com
> > Acl group2-url url-regex -i intranet.abc.com/def 
> > apps.intranet.abc.com/def
> > Acl group3-url url-regex -i intranet.abc.com/xyz 
> > apps.intranet.abc.com/xyz
> > Acl all-groups-url url-regex -i public.abc.com/abc
> > Acl all-groups-dom dstdom-regex -i public.def.com
> > Acl intranet dstdom-regex -i intranet.url
> >
> > Having set up the acls now we look at the access.  These rules are 
> > applied
> > in order.
> >
> > http_access allow group-1 group1-url
> > http_access allow group-1 group1-dom
> > http_access allow group-2 group2-url
> > http_access allow group-3 group3-url
> > http_access allow group-1 all-groups-url
> > http_access allow group-2 agll-groups-url
> > http_access allow group-3 all-groups-url
> > http_access allow group-1 all-groups-dom
> > http_access allow group-2 all-groups-dom
> > http_access allow group-3 all-groups-dom
> > http_access allow all-others intranet
> >
> > http_access deny all
> >
> > The rules get looked at in turn, unless a client matches the rule with 
> > it's
> > request it will get mopped up by the deny all (assuming you have left the
> > acl all src 0.0.0.0/0.0.0.0)
> >
> >
> >
> > -----Original Message-----
> > From: squid squid [mailto:squidusr@xxxxxxxxxxx]
> > Sent: 18 May 2007 13:35
> > To: squid-users@xxxxxxxxxxxxxxx
> > Subject:  ACL advise
> >
> > I would like to setup squid as follows :
> >
> > Group 1 users (10.1.1.10 and 10.1.1.11) only able to access 2 URLs
> > (http://intranet.abc.com/abc and http://apps.intranet.abc.com/abc) and 1
> > domain (interdept.abc.com)
> >
> > Group 2 users (10.1.1.12 and 10.1.1.13) only able to access 2 URLs
> > (http://intranet.abc.com/def and http://apps.intranet.abc.com/def)
> >
> > Group 3 users (10.1.2.20 and 10.1.2.21) only able to access 2 URLs
> > (http://intranet.abc.com/xyz and http://apps.intranet.abc.com/xyz)
> >
> > All 3 groups can access URL http://public.abc.com/abc and domain
> > public.def.com
> >
> > All other users in 10.1.1.x and 10.1.2.x are not allow to access 
> > anything.
> >
> > All other users not in the above group (10.1.3.x, 10.1.4.x, etc) can 
> > access
> > everything on the intranet.
> >
> > Is my following configuration correct:
> >
> > Thank you.
> >
> > acl clients-seg-1 src 10.1.1.0/8
> > acl clients-seg-2 src 10.1.2.0/8
> >
> >
> > acl common-allow-url url_regex http://public.abc.com/abc
> > acl common-allow-domain dstdomain public.def.com
> >
> > http_access deny clients-seg-1 clients-seg-2 !clients-grp1 !clients-grp2
> > !clients-grp3
> >
> > acl clients-grp1 src 10.1.1.10 10.1.1.11
> > acl clients-grp1-allow-domain dstdomain interdept.abc.com
> > acl clients-grp1-allow-url url_regex http://intranet.abc.com/abc
> > http://apps.intranet.abc.com/abc
> >
> > http_access allow clients-grp1 clients-grp1-allow-domain
> > clients-grp1-allow-url common-allow-url common-allow-domain
> > http_access deny clients-grp1 !clients-grp1-allow-domain
> > !clients-grp1-allow-url !common-allow-url !common-allow-domain
> >
> >
> > acl clients-grp2 src 10.1.1.12 10.1.1.13
> > acl clients-grp2-allow-url url_regex http://intranet.abc.com/def
> > http://apps.intranet.abc.com/def
> >
> > http_access allow clients-grp2 clients-grp2-allow-url common-allow-url
> > common-allow-domain
> > http_access deny clients-grp2 !clients-grp2-allow-url !common-allow-url
> > !common-allow-domain
> >
> >
> > acl clients-grp3 src 10.1.2.20 10.1.2.21
> > acl clients-grp3-allow-url url_regex http://intranet.abc.com/xyz
> > http://apps.intranet.abc.com/xyz
> > http_access allow clients-grp3 clients-grp3-allow-url common-allow-url
> > common-allow-domain
> > http_access deny clients-grp3 !clients-grp3-allow-url !common-allow-url
> > !common-allow-domain
> >
> >
> > http_access allow all

That last line will allow *anyone* *anywhere* to access anything the 
proxy can resolve (all of the internet!).
Be *very* sure you want that to happen before using "allow all" as a 
default.

The earlier suggested config with an 'acl all-intranet 10.x.x.x/n ....' 
was on the mark for a much more secure proxy setup that still does what 
you want.

Amos