Re: Using both src and dst ACLs in a single http_access rule

tony.carter@xxxxxxxxxxxxxxxxxxx wrote:
squid 2.7 STABLE4

We have a situation where we want to, on a single proxy server, keep a student subnet limited to internet access only while the remainder of the organisation can access both internal networks and the internet. Currently we have acls and http_access rules set up for internal users only.

Is it possible to specify both a src and dst acl in one http_access rule, i.e., in one rule can I specify both src and dst limitations for the student subnet?

e.g.,
acl limitedsrc src [IP Range...]
acl limiteddst dst [IP Range...]
http_access allow limitedsrc limiteddst

I tried it out and it doesn't seem to work but I'd like to get some feedback on how I can best configure this. I checked the ACL FAQ on squid.org but nothing jumped out.

Two problems jump out:
Firstly, you say students are allowed general internet access. Then your rule only permits them to a small subset. Did you mean to actually configure all the non-you public Internet IP ranges in that ACL? What I'd expect to see for that policy as stated is a "localnet" ACL defining what the local ranges are. This way you permit access to !localnet (not-local being the rest of the Internet).


You also forgot the http_access rule that penalizes them for bad access. As I understand those policies your config needs to be ordered like this:


  ## Policy: "student subnet limited to internet access only"
  acl limitedsrc src [IP Range...]
  acl limiteddst dst [IP ranges...]
  http_access allow limitedsrc !limiteddst
  http_access deny limitedsrc

  ## Policy: "rest of the organization is not limited"
  http_access allow localnet

  ## followed by the blanket safety net
  http_access deny all


PS: these of course all go underneath the "deny !Safe_ports" and "deny CONNECT !SSL_ports" safety rules.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.5
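An added example, not part of the thread: a small Python simulator of Squid's http_access evaluation (top to bottom, every ACL on a line must match, "!" negates, first matching line decides, and when nothing matches the default is the opposite of the last line). The IP ranges and addresses are constructed, since the thread elides them, and dst is treated as an already-resolved IP (real Squid resolves the request host first).

```python
import ipaddress

# Constructed ranges standing in for the "[IP Range...]" placeholders.
# Note the student subnet is also inside localnet, which is why the
# "deny limitedsrc" line has to come before "allow localnet".
ACLS = {
    "limitedsrc": ("src", ["10.50.0.0/16"]),                  # student subnet
    "limiteddst": ("dst", ["10.0.0.0/8", "192.168.0.0/16"]),  # internal networks
    "localnet":   ("src", ["10.0.0.0/8", "192.168.0.0/16"]),
    "all":        ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, src, dst):
    """True if the named src/dst ACL contains the relevant address."""
    kind, ranges = ACLS[name]
    ip = ipaddress.ip_address(src if kind == "src" else dst)
    return any(ip in ipaddress.ip_network(r) for r in ranges)

def http_access(rules, src, dst):
    """Evaluate (action, acl, acl, ...) lines the way Squid does."""
    for action, *terms in rules:
        # Every term on the line must match; a leading "!" inverts the term.
        if all(acl_matches(t.lstrip("!"), src, dst) != t.startswith("!")
               for t in terms):
            return action
    # No line matched: Squid uses the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Ordering from the reply: students only to non-internal, everyone else unrestricted.
PROPOSED = [
    ("allow", "limitedsrc", "!limiteddst"),
    ("deny", "limitedsrc"),
    ("allow", "localnet"),
    ("deny", "all"),
]
# The original poster's single line, followed only by the safety net.
ORIGINAL = [
    ("allow", "limitedsrc", "limiteddst"),
    ("deny", "all"),
]

def check(rules):
    """Decide four representative requests (constructed addresses)."""
    student, staff = "10.50.1.7", "10.20.3.4"
    internal, internet = "10.1.1.1", "198.51.100.7"
    return {
        "student->internet": http_access(rules, student, internet),
        "student->internal": http_access(rules, student, internal),
        "staff->internal":   http_access(rules, staff, internal),
        "staff->internet":   http_access(rules, staff, internet),
    }
```

Running check(ORIGINAL) shows the original line denies students the internet and allows them the internal networks, the reverse of the stated policy, while check(PROPOSED) gives the intended results.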

