
Re: Composite ACL

Arun Shrimali wrote:
Dear All,
I am new to Linux, but I have successfully loaded Squid 2.6.STABLE4 on Fedora 6
I am using NCSA authentication, chpasswd and sarg for reporting.

Greetings, and well done.

However, you should upgrade that version to at least 2.6.STABLE12 (current is 2.6.STABLE16). There are known major security bugs in the early releases.


I want Squid to

1. Use NCSA authentication. (working fine)
2. Restrict users to download files with specific extensions (working fine)

3. Allow user 'xyz' to view our organisation site only ' www.xyz.co.in'
(not working - xyz is surfing all the other sites also. How to
restrict to one site only??)

(I'm a little hazy on that, so... assuming your user1 acl is the one you are speaking about, and that you have defined the auth properly.)

create acl containing site:
  acl okSite dstdomain www.xyn.co.in

create access permission so user can visit ONLY sites listed in okSite ACL.
  http_access deny user !okSite

Do this BEFORE any access permissions setting 'allow'.

4. Restrict other users to xxrn site (working fine)
5. Restrict users to use messengers (yet to check)

Assuming by 'messenger' you mean a peer-to-peer chat program ...

Not entirely possible with squid. In order to control it with squid, the messenger itself has to use the HTTP protocol or a proxy. Most of them don't, or don't use a proxy by default if they can.

6. Allow user 'abc' to even download and use messenger. (confused how
to write acl?)

Key portion of squid conf is as follows:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
acl user1 proxy_auth xyz
acl site dstdomain .xyz.co.in
acl reso src 172.16.251.0/255.255.255.0

Start getting used to the idea of CIDR; netmask is going out of fashion soon despite all the examples.
   acl reso src 172.16.251.0/24

acl restricted_files urlpath_regex -i ftp \.exe$ \.zip$ \.tar.gz$ \.gz$ \.rar$ \.mp3$ \.mp4$ \.avi$ \.mpeg$ \.mpg$ \.ram$ \.rm$ \.iso$ \.wav$ \.mov$ \.tar$ \.mdb$ \.dat$
acl msn url_regex -i gateway.dll

acl yahoo url_regex -i ^http://shttp.msg.yahoo.com
acl yahoo url_regex -i ^http://pgq.yahoo.com
acl yahoo url_regex -i ^http://mtab.games.yahoo.com
acl yahoo url_regex -i ^http://insider.msg.yahoo.com
acl yahoo url_regex -i ^http://address.yahoo.com
acl yahoo url_regex -i ^http://insider.msg.yahoo.com/ycontent/?
acl yahoo url_regex -i ^http://us.il.yimg.com

You should declare all of the above as acl of type 'dstdomain'.
ie:
  acl yahoo dstdomain .yahoo.com .yimg.com


acl porn url_regex "/etc/squid/xxrn.txt"
acl noporn url_regex "/etc/squid/noxxrn.txt"

Better use something like this:

  acl porn dstdomain "/etc/squid/porn-domains.txt"
  acl porn url_regex -i "/etc/squid/porn-urls.txt"


I keep pointing out to people that lists like these (porn in particular)
contain a high ratio of domain:URI entries.
Domains should be listed in a dstdomain acl, URIs, if they really need it, in a regex one.

It's a good idea to start with a split list config when your list is small enough to make the split easy. By the time it gets large enough for people to notice the regex speed problems it's way too late.

(oh, and don't bother adjusting your habits to suit those with broken mail filters, just k'file them.)


http_access deny porn !noporn
http_access deny yahoo
http_access deny msn
http_access deny restricted_files
http_access allow ncsa_users
http_access allow user1 site
http_access allow reso

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

Can anybody help me edit my ACLs to get the desired output?

Regards

Arun Shrimali


Amos
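Added example (Python, not Squid's own code and not from either poster): a toy model of how Squid walks http_access lines top to bottom, matching a line only when every ACL term on it matches (a leading '!' negates a term) and letting the first matching line decide. It reproduces the behaviour the thread is about: with 'allow ncsa_users' placed first, user xyz is allowed everywhere, and Amos's 'deny user1 !okSite' line placed before any 'allow' restricts xyz to the one site. Both config texts are constructed reductions of the posted config; the organisation site is assumed to be www.xyz.co.in as named in the question, and proxy_auth with no credentials is treated as a plain non-match rather than the 407 challenge real Squid would send.

```python
# Added example, not Squid's code and not from the thread: a toy model of
# Squid's http_access evaluation. Both config texts below are constructed.
import ipaddress
import re


def parse_config(text):
    """Collect 'acl' lines (merged by name, as squid.conf does) and
    'http_access' lines as (action, [(negated, acl_name), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            ignore_case = bool(values) and values[0] == "-i"
            if ignore_case:
                values = values[1:]
            entry = acls.setdefault(name, {"type": acl_type, "values": [], "i": False})
            entry["values"].extend(values)
            entry["i"] = entry["i"] or ignore_case
        elif parts[0] == "http_access":
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules


def acl_matches(acl, req):
    """Match one ACL against a request dict with keys user, host, url, src."""
    kind, values = acl["type"], acl["values"]
    if kind == "dstdomain":
        host = req["host"].lower()
        for v in (v.lower() for v in values):
            # Leading dot: the domain and all subdomains; otherwise exact host only.
            if host == v or (v.startswith(".") and (host == v[1:] or host.endswith(v))):
                return True
        return False
    if kind == "proxy_auth":
        if req.get("user") is None:
            return False  # real Squid would send a 407 challenge here instead
        return "REQUIRED" in values or req["user"] in values
    if kind == "url_regex":
        flags = re.IGNORECASE if acl["i"] else 0
        return any(re.search(v, req["url"], flags) for v in values)
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError("unsupported acl type: " + kind)


def http_access(acls, rules, req):
    """First line whose terms all match decides; with no match, Squid uses
    the opposite of the last line's action."""
    last = "deny"
    for action, terms in rules:
        last = action
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action
    return "allow" if last == "deny" else "deny"


# The poster's ordering, reduced to the lines that matter: 'allow ncsa_users'
# comes first, so every authenticated user, xyz included, is allowed everywhere.
ORIGINAL = """
acl all src 0.0.0.0/0
acl ncsa_users proxy_auth REQUIRED
acl user1 proxy_auth xyz
acl site dstdomain .xyz.co.in
http_access allow ncsa_users
http_access allow user1 site
http_access deny all
"""

# Amos's fix: deny user1 everything outside okSite BEFORE any 'allow' line.
# The organisation site is assumed to be www.xyz.co.in, as named in the question.
FIXED = """
acl all src 0.0.0.0/0
acl ncsa_users proxy_auth REQUIRED
acl user1 proxy_auth xyz
acl okSite dstdomain www.xyz.co.in
http_access deny user1 !okSite
http_access allow ncsa_users
http_access deny all
"""


def decide(config_text, user, url, src="172.16.251.10"):
    acls, rules = parse_config(config_text)
    host = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE).group(1)
    return http_access(acls, rules, {"user": user, "host": host, "url": url, "src": src})


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for user, url in (("xyz", "http://www.xyz.co.in/"), ("xyz", "http://www.example.com/")):
            print(f"{label:8} {user} {url:25} -> {decide(cfg, user, url)}")
```

The dstdomain matcher also illustrates the point about '.yahoo.com'-style entries: a leading dot covers the domain and every subdomain with one string comparison, where the posted url_regex list needs a regex per host and silently misses anything it does not spell out.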
