Re: ACL advise

"squid squid" <squidusr@xxxxxxxxxxx> · Sat, 19 May 2007 12:00:29 +0800

Thank you to all who have provided the advise. Have use the deny all as the 
last entry to be on the safe side.

From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid squid <squidusr@xxxxxxxxxxx>
CC: squid-users@xxxxxxxxxxxxxxx, mark.barlow@xxxxxxxxxxxxxxx
Subject: Re:  ACL advise
Date: Sat, 19 May 2007 04:19:11 +1200

squid squid wrote:
Hi,

Thank you for the advise.

Can I have the access and deny as follows:

http_access allow group-1 group1-url
http_access allow group-1 group1-dom
http_access allow group-2 group2-url
http_access allow group-3 group3-url
http_access allow group-1 all-groups-url
http_access allow group-2 agll-groups-url
http_access allow group-3 all-groups-url
http_access allow group-1 all-groups-dom
http_access allow group-2 all-groups-dom
http_access allow group-3 all-groups-dom
http_access deny clients-seg-1
http_access deny clients-seg-2

http_access allow all

Regards.

From: "Mark Barlow" <mark.barlow@xxxxxxxxxxxxxxx>
To: "'squid squid'" <squidusr@xxxxxxxxxxx>, <squid-users@xxxxxxxxxxxxxxx>
Subject: RE:  ACL advise
Date: Fri, 18 May 2007 14:32:53 +0100

I'm no expert but from what I do know, this is what I would suggest, hope 
it
helps.

Your starting 2 ACl's don't make sense, an 8 bit class A subnet mask on
10.1.1.0 will cover all addresses from 10.0.0.0 - 10.255.255.255 the 
subnet
mask would be 255.0.0.0 I suspect from what you have written above you 
mean
to use a class C netmask (255.255.255.0) on the class A IP range, in 
which
case your lines should read

acl clients-seg-1 src 10.1.1.0/24
acl clients-seg-2 src 10.1.2.0/24

You can then isolate your specific IP addresses

acl group-1 src 10.1.1.10-10.1.1.11/24
acl group-2 src 10.1.1.12-10.1.1.13/24
acl group-3 src 10.1.2.20-10.1.2.21/24

Other users not in the groups specified i.e. 10.1.3.x, etc can have 
another
acl

alc all-others src 10.1.3.0/24 10.1.4.0/24 etc etc

We then look at what pages are allowed

Acl group1-url url-regex -i intranet.abc.com apps.intranet.abc.com/abc
Acl group1-dom dstdom-regex -i interdept.abc.com
Acl group2-url url-regex -i intranet.abc.com/def 
apps.intranet.abc.com/def
Acl group3-url url-regex -i intranet.abc.com/xyz 
apps.intranet.abc.com/xyz
Acl all-groups-url url-regex -i public.abc.com/abc
Acl all-groups-dom dstdom-regex -i public.def.com
Acl intranet dstdom-regex -i intranet.url

Having set up the acls now we look at the access.  These rules are 
applied
in order.

http_access allow group-1 group1-url
http_access allow group-1 group1-dom
http_access allow group-2 group2-url
http_access allow group-3 group3-url
http_access allow group-1 all-groups-url
http_access allow group-2 agll-groups-url
http_access allow group-3 all-groups-url
http_access allow group-1 all-groups-dom
http_access allow group-2 all-groups-dom
http_access allow group-3 all-groups-dom
http_access allow all-others intranet

http_access deny all

The rules get looked at in turn, unless a client matches the rule with 
it's
request it will get mopped up by the deny all (assuming you have left the
acl all src 0.0.0.0/0.0.0.0)

-----Original Message-----
From: squid squid [mailto:squidusr@xxxxxxxxxxx]
Sent: 18 May 2007 13:35
To: squid-users@xxxxxxxxxxxxxxx
Subject:  ACL advise

I would like to setup squid as follows :

Group 1 users (10.1.1.10 and 10.1.1.11) only able to access 2 URLs
(http://intranet.abc.com/abc and http://apps.intranet.abc.com/abc) and 1
domain (interdept.abc.com)

Group 2 users (10.1.1.12 and 10.1.1.13) only able to access 2 URLs
(http://intranet.abc.com/def and http://apps.intranet.abc.com/def)

Group 3 users (10.1.2.20 and 10.1.2.21) only able to access 2 URLs
(http://intranet.abc.com/xyz and http://apps.intranet.abc.com/xyz)

All 3 groups can access URL http://public.abc.com/abc and domain
public.def.com

All other users in 10.1.1.x and 10.1.2.x are not allow to access 
anything.

All other users not in the above group (10.1.3.x, 10.1.4.x, etc) can 
access
everything on the intranet.

Is my following configuration correct:

Thank you.

acl clients-seg-1 src 10.1.1.0/8
acl clients-seg-2 src 10.1.2.0/8

acl common-allow-url url_regex http://public.abc.com/abc
acl common-allow-domain dstdomain public.def.com

http_access deny clients-seg-1 clients-seg-2 !clients-grp1 !clients-grp2
!clients-grp3

acl clients-grp1 src 10.1.1.10 10.1.1.11
acl clients-grp1-allow-domain dstdomain interdept.abc.com
acl clients-grp1-allow-url url_regex http://intranet.abc.com/abc
http://apps.intranet.abc.com/abc

http_access allow clients-grp1 clients-grp1-allow-domain
clients-grp1-allow-url common-allow-url common-allow-domain
http_access deny clients-grp1 !clients-grp1-allow-domain
!clients-grp1-allow-url !common-allow-url !common-allow-domain

acl clients-grp2 src 10.1.1.12 10.1.1.13
acl clients-grp2-allow-url url_regex http://intranet.abc.com/def
http://apps.intranet.abc.com/def

http_access allow clients-grp2 clients-grp2-allow-url common-allow-url
common-allow-domain
http_access deny clients-grp2 !clients-grp2-allow-url !common-allow-url
!common-allow-domain

acl clients-grp3 src 10.1.2.20 10.1.2.21
acl clients-grp3-allow-url url_regex http://intranet.abc.com/xyz
http://apps.intranet.abc.com/xyz
http_access allow clients-grp3 clients-grp3-allow-url common-allow-url
common-allow-domain
http_access deny clients-grp3 !clients-grp3-allow-url !common-allow-url
!common-allow-domain

http_access allow all

That last line will allow *anyone* *anywhere* to access anything the proxy 
can resolve (all of the internet!).
Be *very* sure you want that to happen before using "allow all" as a 
default.

The earlier suggested config with an 'acl all-intranet 10.x.x.x/n ....' was 
on the mark for a much more secure proxy setup that still does what you 
want.

Amos

_________________________________________________________________
Find singles online in your area with MSN Dating and Match.com! 
http://cp.intl.match.com/eng/msn/msnsg/wbc/wbc.html