Re: Help customizing ACLs sites with destination ports

[Chris Robertson <crobertson@xxxxxxx>]

Matthew Young wrote:
> Hello,
>
> Iam trying to default deny ALL ports, and then allow access to two
> type of users.
>
> a:) Users that can connect anywhere to port 80 and 443.
> b.) Users that can connect only to an allowed lists and only to PORT
> 80 on that allowed list, and connect to port 443 for gmail.com only.
>
>
> So far I have something like this.. but then this user can connect to
> https://192.168.1.6 which i dont want, they should only be for port
> 80.
> acl allowed url_regex .google.com .gstatic.com .gmail.com 192.168.1.6
>   

Should probably be either a dstdom_regex, or dstdomain.

> acl ac_laptop2_wireless arp 00:90:4b:71:21:a8
>   
acl Port80 port 80
> http_access allow allowed ac_laptop2_wireless
>   

Replace this http_access with...

http_access allow allowed ac_laptop2_wireless Port80
http_access deny ac_laptop2_wireless

...with the understanding that it's trivial to spoof MAC addresses.

> My complete config is as follows...  Thanks in advance to whom can help me!
>
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> icp_access allow localnet
> icp_access deny all
> http_port 8080
> hierarchy_stoplist cgi-bin ?
> access_log /var/squid/logs/access.log squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
> upgrade_http0.9 deny shoutcast
> acl apache rep_header Server ^Apache
> acl ac_laptop1_wireless arp 00:1f:3c:cd:47:60
> acl allowed url_regex .google.com .gstatic.com .gmail 192.168.1.6
> acl ac_laptop2_wireless arp 00:90:4b:74:21:a8
> http_access allow allowed ac_laptop2_wireless
> http_access deny all
> broken_vary_encoding allow apache
> forwarded_for off
> coredump_dir /var/squid/cache
> deny_info ERR_ACCESS_DENIED allowed
>
>
> --Matt
>   

Chris