Re: [squid-users] Two Instances of Squid

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 05 Apr 2002 23:03:30 +0200

"Vernon A. Fort" wrote:
>
> Let me layout my acls.
>
> 1. We use authentication for everything but a few sites. As I'm sure most squid-users have encountered, there are a number of sites (mainly software update programs) that don't play well with authentication so I have created a noauth acl which allow any user on the internal source to browse to without authentication.
>
> 2. We do completely ban some sites (mainly pornographic).
>
> 3. My internal source is 192.168.0.0/16
>
> SO... Here's all my acls:
>
> proxy1 = firewall (192.168.1.13)
> proxy2 = private vpn network (192.168.1.4)
>
> cache_peer proxy2 parent 3128 0 proxy-only allow-miss no-query
>
> acl all src 0.0.0.0/0.0.0.0
> acl internal_src src 192.168.0.0/255.255.0.0 # Internal Network
> acl int_domain srcdomain mydomain.int # Internal Domain
> acl int_short url_regex ^http://[^\.]*/
> acl carenet_dsta srcdomain nsh.dcnhs.org # VPN Network Domain
> acl carenet_dstb dst 100.0.0.0/8 # VPN Ip Network
> no_cache deny carenet_dsta # Don't cache anything from the VPN
> no_cache deny carenet_dstb # Don't cache anything from the VPN
> acl careauth proxy_auth "carenet_users" # User list for the accessing the VPN Site
> acl onesourceauth proxy_auth "onesrc_users" # Restrict Some users to specific Internet Sites
> acl onesource_dst dstdom_regex "onesrc_dst" # List of sites for these Restricted Users
> acl noauth_sites dstdom_regex "noauth_sites" # Sites which are accessible to Everyone with no Auth
> acl banned_sites dstdom_regex "banned_sites" # Sited restricted to everyone!!
> acl allowedusers proxy_auth REQUIRED # Authenticate Everyone
>
> http_access deny banned_sites
> http_access allow noauth_sites
> http_access deny onesourceauth !onesource_dst
> http_access deny carenet_dsta carenet_dstb !careauth
> never_direct allow carenet_dsta
> never_direct allow carenet_dstb
> http_access allow internal_src allowedusers !onesourceauth
> http_access deny all
>
> cache_peer_access proxy2 allow all
>
> My thought process for the http_allow:
>
> A. Deny internal_src or all access to the banned sites
> B. Allow everyone access to the noauth sites (some are internal like our intranet)
> C. If the authenticated user in listed in the onesourceauth, allow then access to just oncesource_dst only!
> B. If the authenticated uses in listed in the careauth, allow access to carenet* and anywhere else.
> D. Allow all remaining authenticated users.
>
>
> I am not the best with acl rules so any suggestions would be appreciated!

Something like the following should work I think:

# Deny anyone not coming from our internal network
http_access deny !internal_src

# Deny all access to the banned sites
http_access deny banned_sites

# Allow all users access to the free sites without having to log in
http_access allow noauth_sites

# Some users are only allowed to go to these specific sites
# in addition to the open sites above
http_access allow onesourceauth oncesource_dst
http_access deny onesourceauth

# Only careauth users are allowed to access carenet
http_access allow carenet_dsta careauth
http_access allow carenet_dstb careauth
http_access deny carenet_dsta
http_access deny carenet_dstb

# The rest is allowed to any authenticated user
http_access allow allowedusers

# Finally deny all else (not strictly needed, but always good to have
just in case)
http_access deny all

And the carenet_dsta ACL should most likely use a dstdomain ACL type..

Regards
Henrik
Received on Fri Apr 05 2002 - 14:06:14 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:28 MST