Re: [squid-users] Composite ACL

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 15 Sep 2007 22:22:52 +1200

Arun Shrimali wrote:
> Dear All,
> I am new to Linux, but I have successfully loaded Squid 2.6.STABLE4 on Fedora 6.
> I am using NCSA authentication, chpasswd and sarg for reporting.

Greetings, and well done.

However, you should upgrade that version to at least 2.6.STABLE12
(current is 2.6.STABLE16). There are known major security bugs in the
early releases.

>
> I want Squid to
>
> 1. Use NCSA authentication. (working fine)
> 2. Restrict users from downloading files with specific extensions (working fine)

> 3. Allow user 'xyz' to view our organisation site only ' www.xyz.co.in'
> (not working - xyz is surfing all the other sites also. How to
> restrict to one site only??)

(I'm a little hazy on that, so... assuming your user1 acl is the one you
are speaking about, and that you have defined the auth properly.)

Create an acl containing the site:
   acl okSite dstdomain www.xyz.co.in

Create an access permission so the user can visit ONLY sites listed in the okSite ACL:
   http_access deny user1 !okSite

Do this BEFORE any access permissions setting 'allow'.

> 4. Restrict other users to xxrn site (working fine)
> 5. Restrict users to use messengers (yet to check)

Assuming by 'messenger' you mean a peer-to-peer chat program ...

Not entirely possible with Squid. In order to control it with Squid, the
messenger itself has to use the HTTP protocol or a proxy. Most of them don't,
or don't use a proxy by default if they can avoid it.

> 6. Allow user 'abc' to even download and use messenger. (confused how
> to write the acl?)
>
> Key portion of squid conf is as follows:
>
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> acl ncsa_users proxy_auth REQUIRED
> acl user1 proxy_auth xyz
> acl site dstdomain .xyz.co.in
> acl reso src 172.16.251.0/255.255.255.0

Start getting used to the idea of CIDR; netmask notation is going out of
fashion soon despite all the examples.
    acl reso src 172.16.251.0/24

> acl restricted_files urlpath_regex -i ftp \.exe$ \.zip$ \.tar.gz$
> \.gz$ \.rar$ \.mp3$ \.mp4$ \.avi$ \.mpeg$ \.mpg$ \.ram$ \.rm$ \.iso$
> \.wav$ \.mov$ \.tar$ \.mdb$ \.dat$
> acl msn url_regex -i gateway.dll

> acl yahoo url_regex -i ^http://shttp.msg.yahoo.com
> acl yahoo url_regex -i ^ http://pgq.yahoo.com
> acl yahoo url_regex -i ^http://mtab.games.yahoo.com
> acl yahoo url_regex -i ^ http://insider.msg.yahoo.com
> acl yahoo url_regex -i ^ http://address.yahoo.com
> acl yahoo url_regex -i ^http://insider.msg.yahoo.com/ycontent/?
> acl yahoo url_regex -i ^http://us.il.yimg.com

You should declare all of the above as an acl of type 'dstdomain',
i.e.:
   acl yahoo dstdomain .yahoo.com .yimg.com

> acl porn url_regex "/etc/squid/xxrn.txt"
> acl noporn url_regex "/etc/squid/noxxrn.txt"

Better use something like this:

   acl porn dstdomain "/etc/squid/porn-domains.txt"
   acl porn url_regex -i "/etc/squid/porn-urls.txt"

I keep pointing out to people that lists like these (porn lists in particular)
contain a high ratio of domain:URI entries.
Domains should be listed in a dstdomain acl, and URIs, if they really need
them, in a regex one.

It's a good idea to start with a split list config while your list is
small enough to make the split easy. By the time it gets large enough
for people to notice the regex speed problems, it's way too late.

(Oh, and don't bother adjusting your habits to suit those with broken
mail filters; just killfile them.)

>
> http_access deny xxrn !noxxrn
> http_access deny yahoo
> http_access deny msn
> http_access deny restricted_files
> http_access allow ncsa_users
> http_access allow user1 site
> http_access allow reso
>
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access deny all
>
> can any body help me to edit my acl to get the desired output.
>
> Regards
>
> Arun Shrimali

Amos
Received on Sat Sep 15 2007 - 04:22:59 MDT
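The ordering point in the reply above (first matching http_access line wins, so "allow ncsa_users" lets xyz through before "allow user1 site" is ever reached, and a "deny user1 !okSite" line has to come before any allow) is easy to check with a small model of Squid's rule evaluation. The following is an added example written for this archive page, not Squid code and not something from either poster: it implements first-match evaluation for the proxy_auth, dstdomain, src, url_regex and urlpath_regex acl types and runs an abridged copy of the posted config beside the same config with the suggested deny line inserted. The config text, user names and URLs are constructed for the demonstration; the model does not send the 407 authentication challenge a real Squid would, and it leaves out the file-based xxrn lists.

```python
"""Toy model of Squid http_access evaluation: rules are checked top to bottom,
a rule matches only when every acl on it matches ('!' negates), and the first
matching rule decides.  Example code for the thread above, not Squid itself;
the 407 auth challenge, file-based lists and most acl types are not modelled."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Acl = Tuple[str, List[str]]                 # (acl type, values)
Rule = Tuple[str, List[Tuple[str, bool]]]   # (action, [(acl name, negated)])


def parse_conf(text: str) -> Tuple[Dict[str, Acl], List[Rule]]:
    """Parse the 'acl' and 'http_access' lines of a squid.conf fragment."""
    acls: Dict[str, Acl] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, typ, values = parts[1], parts[2], parts[3:]
            acl_type, acl_values = acls.setdefault(name, (typ, []))
            if acl_type != typ:
                raise ValueError(f"acl {name}: type changed from {acl_type} to {typ}")
            acl_values.extend(values)       # repeated acl lines accumulate, as in Squid
        elif parts[0] == "http_access":
            terms = [(p.lstrip("!"), p.startswith("!")) for p in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acl: Acl, user: Optional[str], url: str, src: str) -> bool:
    """Does one acl match a request (authenticated user, full URL, client IP)?"""
    typ, values = acl
    if typ == "proxy_auth":
        # No credentials never matches; real Squid would answer 407 at this point.
        return user is not None and ("REQUIRED" in values or user in values)
    if typ == "dstdomain":
        host = (urlsplit(url).hostname or "").lower()
        for v in values:
            v = v.lower()
            if v.startswith("."):           # ".example.com" matches the domain and its subdomains
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:                 # "www.example.com" matches that one host only
                return True
        return False
    if typ == "src":
        # ipaddress accepts both CIDR and dotted-netmask forms, as Squid does.
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if typ in ("url_regex", "urlpath_regex"):
        subject = url if typ == "url_regex" else urlsplit(url).path
        flags = 0
        for v in values:
            if v == "-i":                   # Squid's case-insensitive flag for regex acls
                flags = re.IGNORECASE
            elif re.search(v, subject, flags):
                return True
        return False
    raise ValueError(f"acl type {typ} is not modelled")


def http_access(conf: str, user: Optional[str], url: str, src: str) -> str:
    """Return 'allow' or 'deny' for a request, using first-match semantics."""
    acls, rules = parse_conf(conf)
    for action, terms in rules:
        if all(acl_matches(acls[name], user, url, src) != negated for name, negated in terms):
            return action
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# Abridged, constructed copy of the posted config (regex lists shortened, file-based
# lists omitted).  'all' and 'localhost' are the acls from the 2.6 default squid.conf.
POSTED_CONF = r"""
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl ncsa_users proxy_auth REQUIRED
acl user1 proxy_auth xyz
acl site dstdomain .xyz.co.in
acl reso src 172.16.251.0/255.255.255.0
acl restricted_files urlpath_regex -i \.exe$ \.zip$ \.mp3$
acl yahoo dstdomain .yahoo.com .yimg.com
http_access deny yahoo
http_access deny restricted_files
http_access allow ncsa_users
http_access allow user1 site
http_access allow reso
http_access allow localhost
http_access deny all
"""

# Same acls with the suggested fix: deny user1 anything outside 'site' BEFORE any
# allow line.  'allow user1 site' is then redundant, since 'allow ncsa_users' covers it.
FIXED_CONF = POSTED_CONF.replace(
    "http_access allow ncsa_users\nhttp_access allow user1 site\n",
    "http_access deny user1 !site\nhttp_access allow ncsa_users\n",
)


def demo() -> Dict[str, str]:
    """Verdicts for a few constructed requests from a LAN client."""
    lan = "172.16.251.10"
    return {
        "posted: xyz -> www.google.com": http_access(POSTED_CONF, "xyz", "http://www.google.com/", lan),
        "fixed:  xyz -> www.google.com": http_access(FIXED_CONF, "xyz", "http://www.google.com/", lan),
        "fixed:  xyz -> intranet.xyz.co.in": http_access(FIXED_CONF, "xyz", "http://intranet.xyz.co.in/", lan),
        "fixed:  abc -> www.google.com": http_access(FIXED_CONF, "abc", "http://www.google.com/", lan),
        "fixed:  abc -> setup.EXE": http_access(FIXED_CONF, "abc", "http://dl.example.com/setup.EXE", lan),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:40} {verdict}")
```

Running it shows the posted order allowing xyz to www.google.com (the "allow ncsa_users" line matches first) and the fixed order denying it while still allowing intranet.xyz.co.in, other users, and blocking the .exe download for everyone. Note the two dstdomain spellings: "www.xyz.co.in" matches only that host, while ".xyz.co.in" (the poster's 'site' acl) also matches every subdomain, so pick the one that reflects what user xyz is actually meant to reach.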

This archive was generated by hypermail pre-2.1.9 : Mon Oct 01 2007 - 12:00:02 MDT