On 11/05/2016 12:53 a.m., TarotApprentice wrote:
> I'm trying to restrict internet access of certain devices to certain
> times of the day. My config looks like:
>
> acl devicename1 arp aa:bb:cc:dd:ee:ff
> acl devicename2 arp aa:bb:cc:ff:ee:dd
> acl usertime time MTWHF 06:30-08:00
> acl usertime time MTWHF 18:00-22:30
> http_access allow devicename1 usertime
> http_access allow devicename2 usertime
> http_access deny devicename
>
> I'm using squid 3.5.17 (the latest in Debian Stretch). The client
> devices are using the proxy in explicit mode. devicename1 and
> devicename2 currently are getting dynamic IPs but I can set the
> router up to give a static IPv4 address and use that instead of the
> mac address.
>
> From reading the docs it seems arp (the mac address) isn't available
> if they use IPv6.

Correct. Sort of. ARP does not exist in IPv6, but EUI does.

If your network uses SLAAC or DHCPv6 assignments based on the MAC /
EUI-64 then Squid can grab the EUI from the IPv6 address. The arp ACL
uses that for v6 clients when available. Otherwise you will need static
DHCPv6 assignments and src ACL.

> Also if they're using an https site it isn't going to work unless I
> start peeking.

Neither time nor arp types depend on TLS. So the ACLs should work okay
for what they do - just not ideal for what you want to achieve.

HTTPS without bumping just means that your ability to reject is at the
connection/tunnel level rather than individual requests. At present it
should be a reasonable approximation as most browsers don't send many
requests through before closing. That will change as HTTP/2 rollout
increases, since it is designed to maximize connection re-use.

> Is there a better way of restricting the access to the
> allowed times for both http and https traffic?

Not without bumping to get at the individual HTTPS requests.

Amos
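The SLAAC point in the reply above, as an added example (not part of the original thread and not Squid's code): a Python check of whether a client's IPv6 address embeds its MAC as a modified EUI-64, which tells you whether a MAC-based ACL has anything to match or whether static assignments and a src ACL are needed. It assumes the modified EUI-64 layout of RFC 4291 Appendix A; the function names and the sample addresses (built from the 2001:db8::/32 documentation prefix) are constructed for illustration.

```python
import ipaddress

# Placeholder MACs as they appear in the poster's config.
RESTRICTED_MACS = {"aa:bb:cc:dd:ee:ff", "aa:bb:cc:ff:ee:dd"}


def mac_from_slaac(addr):
    """Return the MAC embedded in a modified EUI-64 IPv6 address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None                      # IPv4: no EUI-64 in the address
    iid = ip.packed[8:]                  # lower 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None                      # privacy/static/DHCPv6 style address
    # Undo the EUI-64 expansion: drop ff:fe, flip the universal/local bit.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def acl_basis(addr):
    """Say which kind of ACL can identify this client address."""
    mac = mac_from_slaac(addr)
    if mac is None:
        return "src"                     # needs a static address and a src ACL
    return "arp" if mac in RESTRICTED_MACS else "unlisted"


if __name__ == "__main__":
    # Constructed sample client addresses.
    for sample in ("2001:db8::a8bb:ccff:fedd:eeff",   # SLAAC from aa:bb:cc:dd:ee:ff
                   "2001:db8::3c5a:91e2:7d04:b6f1",   # randomized interface id
                   "192.168.1.50"):                   # IPv4 client
        print(sample, mac_from_slaac(sample), acl_basis(sample))
```

Devices that use randomized (privacy) interface identifiers fall into the `src` case even on a SLAAC network, so check the addresses the clients actually present to the proxy.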