Re: [squid-users] Working with ACL

From: jerry khoo <klyehin@dont-contact.us>
Date: Wed, 19 Apr 2006 11:14:19 +0000

Henrik,

Below is our squid config. Sorry to ask a stupid question again: where should
the lines go, and if I have a few internet sites to be allowed, can I still
use acl dstdomain? Will this implementation affect other remote offices
that have internet access? Thanks again.

Rgds,
Jerry

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
#acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 1-65535
acl Safe_ports port 1-65535
acl NAI dstdom_regex \.nai.com$

#acl aggressivedomain url_regex -i "c:/squid/etc/blacklists/aggressive/domains"
#http_access deny aggressivedomain

#acl proxydomain url_regex -i "c:/squid/etc/auth/proxy/domains"
#http_access allow proxydomain

#acl warezdomain url_regex -i "c:/squid/etc/blacklists/warez/domains"
#http_access deny warezdomain
acl usrgrp src "c:/squid/etc/auth/usersgrp.acl"
acl usrgrp2 proxy_auth_regex -i "c:/squid/etc/auth/usersgrp2.acl"
acl PASSWORD proxy_auth REQUIRED
#http_access deny all PASSWORD
http_access deny usrgrp2
http_access allow all PASSWORD
http_access allow usrgrp

# purge bad objects; command ex. "client -m PURGE http://www.bad.com/"
acl purgemethod method PURGE

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

#http_access deny to_localhost

#http_access deny websites
http_access deny www.yahoo.com
#http_access allow all password
#http_access allow NAI all
http_access allow purgemethod localhost
http_access deny purgemethod
#http_access allow Safe_ports !SUBNETS
#http_access allow Safe_ports SUBNETS PASSWORD

# And finally deny all other access to this proxy
http_access deny all

miss_access allow all

>From: Henrik Nordstrom <henrik@henriknordstrom.net>
>To: jerry khoo <klyehin@hotmail.com>
>CC: squid-users@squid-cache.org
>Subject: Re: [squid-users] Working with ACL
>Date: Mon, 17 Apr 2006 15:36:29 +0200
>
>On Mon 2006-04-17 at 10:10 +0000, jerry khoo wrote:
>
> > implement on one of the remote site, example site 192.168.1.x
> > The requirement is to block 80% of users from accessing internet, but allow
> > them to go to some few internet site. The remaining 20% can access internet.
> > But all 100% can access our intranet sites.
> > Being new to squid, can someone give some example of the ACL configuration
> > to achieve this type of requirement or it can't be done at all?
> > Many thanks in advance to all the expert out there.
>
>What you need to remember to implement this is that http_access is an
>ordered list of rules. The first matching rule applies to the request.
>
>Then use the src and dstdomain acls to define who may go where (or
>not)..
>
>acl siteX src 192.168.1.0/24
>acl allowed_sites dstdomain ...
>http_access allow siteX allowed_sites
>http_access deny siteX
>
>just before where you allow the rest of the users general access..
>
>Regards
>Henrik

Received on Wed Apr 19 2006 - 05:14:28 MDT
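
As an added illustration (not part of the original thread and not Squid's own code), this Python model of first-match http_access evaluation shows why the four siteX lines from the reply have to sit before the rule that grants general access. The `office` ACL and the `.example` domains are constructed placeholders, and only `src` and `dstdomain` ACL types are modeled.

```python
import ipaddress

# Constructed ACLs: siteX is from the thread; "office" and the
# .example domains are placeholders for this illustration.
ACLS = {
    "siteX": ("src", ["192.168.1.0/24"]),
    "office": ("src", ["192.168.0.0/16"]),
    "all": ("src", ["0.0.0.0/0"]),
    "allowed_sites": ("dstdomain", [".intranet.example", "partner.example"]),
}

def acl_matches(name, client_ip, host):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    # dstdomain: a leading dot also matches subdomains; without it,
    # only the exact host name matches.
    host = host.lower().rstrip(".")
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in values)

def http_access(rules, client_ip, host):
    """Return the action of the first rule whose ACLs ALL match."""
    for rule in rules:
        action, *names = rule.split()
        if all(acl_matches(n, client_ip, host) for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1].split()[0] == "allow" else "allow"

# Restriction placed before the general allow, as the reply advises.
RESTRICT_FIRST = [
    "allow siteX allowed_sites",
    "deny siteX",
    "allow office",
    "deny all",
]
# Same rules with the general allow first: the siteX lines are never reached.
ALLOW_FIRST = ["allow office"] + RESTRICT_FIRST[:2] + ["deny all"]

if __name__ == "__main__":
    for label, rules in (("restrict first", RESTRICT_FIRST), ("allow first", ALLOW_FIRST)):
        for ip, host in (("192.168.1.25", "www.intranet.example"),
                         ("192.168.1.25", "www.yahoo.com"),
                         ("192.168.2.25", "www.yahoo.com")):
            print(f"{label:14} {ip:13} {host:22} -> {http_access(rules, ip, host)}")
```

With the restriction first, a 192.168.1.x client reaches only the listed domains while other offices keep general access; with the order swapped, the same client reaches any site.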
