On 21/10/10 02:53, Michael Knichel wrote:
I am a teacher with my own web connection for my classroom. I wish to
have ACL's that deal with my morning class differently than my
afternoon class. I have created the rules and applied them, but they
do not seem to be working. I have cleared my cache and restarted
squid but no luck.
Some Background: I am trying to make it so my "am_students" can surf
freely any time before 8:45 and after 10:30. That gives them 1/2 hr
before class starts and 15 minutes at the end to check email, forum
posts etc... At 8:45 I want to limit the sites they visit to those
found in "AM_good_sites.txt" ( entries like .somedomain.com and
.otherdomain.net ...) until 10:30. I have created my timed acl, my
dstdomain acl and my proxy_auth acl. However, it seems that this
config is not working. Any insight would be appreciated.
============================================= squid.conf
========================================
#http_port 127.0.0.1:3128 transparent
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
#broken_vary_encoding allow apache
access_log /var/log/squid3/access.log
debug_options ALL,1
#debug_options ALL,1,33,2
dns_nameservers 208.67.222.222 208.67.220.220
#dns_nameservers 24.148.96.1 24.148.96.2
hosts_file /etc/hosts
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/basic.passwd
auth_param basic realm Q3AIT Proxy Authentication
auth_param basic children 10
auth_param basic credentialsttl 3 hour
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
Add this right here:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#acl all src 0.0.0.0/0.0.0.0
acl all src
To clear up the confusion what is supposed to be here is:
"acl all src all"
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 2349 # hvcc.edu e-library
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl our_nets src 192.168.6.0/24
# added by knichel 20090927 to require authentication
acl myAuth proxy_auth REQUIRED
#The following defines when I DON'T want them surfing freely
acl AIT1_times time MTWHF 08:45-10:30
acl AIT2_times time MTWHF 11:45-13:30
acl teacher proxy_auth {comma separated user list}
acl pm_students proxy_auth {comma separated user list}
acl am_students proxy_auth {comma separated user list}
Um. Squid uses space separators. You can remove the commas I think.
acl am_good_sites dstdomain "/etc/squid3/AM_good_sites.txt"
acl pm_good_sites dstdomain "/etc/squid3/PM_good_sites.txt"
acl bad_sites dstdomain "/etc/squid3/bad_sites.txt"
acl google_apps url_regex -i q3ait.org
The way regex works any of the students can tack "foo=q3ait.org" on
the end of the URL and get access out.
Is this a domain name?
If so use "acl google_app dstdomain .q3ait.org" to test it. Or at
minimum dstdom_regex to limit regex to the domain name.
acl GMail browser google.com/a
cache deny QUERY AM_good_sites
cache deny QUERY PM_good_sites
Remove the above two lines. They do not do what you seem to think they
do. The new refresh_pattern above replaces them.
http_access deny manager
http_access allow purge localhost
http_access deny !Safe_ports
http_access deny purge
http_access deny CONNECT !SSL_ports
# Used for updating computers, Allow All during updating...
#http_access allow all
You can simplify a bit by adding this here:
http_access deny !myAuth
... you can then remove the "myAuth" from all following lines.
# always allow users to good sites
http_access allow myAuth teacher
http_access deny bad_sites
http_access allow myAuth am_students am_good_sites
http_access allow myAuth pm_students pm_good_sites
This looks like most of your problem. You are missing the time ACL on
this allow line to say when its supposed to happen.
This should fix it:
http_access deny am_students !am_good_sites AIT1_times
http_access deny pm_students !pm_good_sites AIT2_times
http_access allow myAuth google_apps
# Deal with AM and PM separately
http_access allow am_students myAuth !AIT1_times
http_access allow pm_students myAuth !AIT2_times
# now block all other access
http_access deny all
# allow replies from inside requests...
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
visible_hostname localhost
coredump_dir /var/spool/squid3
==============================================================================================
--
Michael Knichel
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.8
Beta testers wanted for 3.2.0.2
