Re: [squid-users] problem with ACL.

From: Pandu E Poluan <pandu_poluan_at_paninsekuritas.co.id>
Date: Tue, 28 Apr 2009 16:56:19 +0700

I believe the user you're talking about is accessing the URLs
contained in

acl exceptions url_regex "/etc/squid/data/exceptions"

Because as far as I see, the only way for him/her to bypass the time
limitation is if he/she gets allowed by

http_access allow exceptions

CMIIW

Rgds,

[p]

Jagdish Rao wrote:
> Hi,
>
> I have configured my Squid to work only for some time for one group of
> users. I find that this is not being effective. Below is the squid.conf file
>
> ############# SQUID DEFAULTS ############
> http_port 8000
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_log /var/log/squid/cache.log
> debug_options ALL,1 33,2
> debug_options ALL,1
>
> ############ AUTHENTICATIONS ###########
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/data/valid-users
> auth_param basic children 5
> auth_param basic realm Accord-Soft Proxy-caching Web Server
> auth_param basic credentialsttl 2 hour
> auth_param basic casesensitive off
>
> request_body_max_size 50 KB
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> ########### ACCESS CONTROLS ###########
>
> #### Format for Access Controls ####
> ## <acl username proxy_auth user id>
> ## <acl usertime time 9:00 - 14:00>
> ## <acl userurl url_regex website>
> ## <http_access allow username usertime userurl>
>
> acl password proxy_auth REQUIRED
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl CONNECT method CONNECT
>
> ########## USER DEFINED ACLS ###########
>
> ## Authenticating Users #######
> acl sunayna.j proxy_auth sunayna.j
> acl vikramsingh proxy_auth vikram.singh
>
> #### ACL TIMINGS #######
> acl MorningTime time 08:00-09:00
> acl EveningTime time 18:00-19:00
> acl AfternoonTime time 13:00-15:00
> acl OfficeTime time 09:00-18:00
> acl SplMorningTime time 09:00-13:00
> acl PrelunchTime1 time 11:00-12:00
> acl PrelunchTime time 12:00-13:00
>
> ### Some more ACL's to Allow and Block the Sites ###
> acl PornSites url_regex "/etc/squid/data/blocked-sites"
> acl PornSites url_regex "/etc/squid/data/blocked-bad-words"
> acl exceptions url_regex "/etc/squid/data/exceptions"
> acl exceptions url_regex "/etc/squid/data/winupdates"
> http_access allow exceptions
> http_access deny PornSites
> deny_info ERR_PORN_DENIED PornSites
>
> acl FTPMP3 url_regex -i ^ftp://.*\.mp3$
> http_access deny FTPMP3
> acl HTPMP3 url_regex -i ^http://.*\.mp3$
> http_access deny HTPMP3
>
> acl Download_Blocking url_regex -i \.(ADE|ADP|ASD|ASF|BAS|BAT|CMD|CPL|CRT|EML|HLP|HTA|INF|INS|ISP|LNK|MDB|MDE|MSC|MSG|MSI|MSP|MST|OCX|PCD|PIF|SCR|SCT|SH|SHB|SHS|SYS|VB|VBE|VBS|VCS|WMS|WMD|WMZ|WSC|WSF|WSH|PBL|TPL|mov|MOV|mp3|avi|AVI|wmv|WMV|wma|rar|RAR|CAB|cab)($|\?)
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #http_access deny !password
>
> ### Access Goes Here #######
> http_access allow vikasv PrelunchTime1
> http_access allow vikramsingh PrelunchTime1
> http_access allow sunayna.j PrelunchTime1
>
> http_access deny all
>
> cache_mgr netadmin_at_accord-soft.com
> visible_hostname squid.accord-soft.com
> coredump_dir /var/spool/squid
> logfile_rotate 10
> deny_info ERR_ACCESS_DENIED net-man
>
> ## End of Squid.conf file.
>
> In this, the timing "PrelunchTime1" does not seem to work. This means
> that a user with this config cannot access the Net before 11:00 AM, but he
> can continue to browse even after 12:00 noon.
>
> Where are we making mistakes ?
>
> Any help would be appreciated.
>
> Thanks
>
> Jagdish
>
> ##############################################################################################################################################
> The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination, copying or other use of, or taking any action in reliance upon, this information by
> persons or entities other than the intended recipient is prohibited. If you have received this in error, please contact the sender and delete
> the material from your system. Accord Software & Systems Pvt. Ltd. (ACCORD) is not responsible for any changes made to the material other
> than those made by ACCORD or for the effect of the changes on the meaning of the material.
> ##############################################################################################################################################
>
>

-- 
*Pandu E Poluan*
*Panin Sekuritas*
IT Manager / Infrastructure & Audit
Phone: +62-21-515-3055 ext 135
Fax: +62-21-515-3061
Mobile: +62-856-8400-426
e-mail: pandu_poluan_at_paninsekuritas.co.id
Y!M: hands0me_irc
MSN: si-ganteng_at_live.com
GTalk: pandu.cakep_at_gmail.com
Received on Tue Apr 28 2009 - 09:56:30 MDT
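Pandu's diagnosis rests on how Squid evaluates http_access: rules are tried top to bottom and the first rule whose ACLs all match decides, so `http_access allow exceptions`, placed before the per-user time rules (and before `deny PornSites`), admits any URL that matches the exceptions file at any hour and without authentication. The Python model below is an added example by the editor, not code from either post or from Squid; it replays the posted rule order against constructed requests. The contents of /etc/squid/data/exceptions are not on the page, so the two candidate entries (a bare `windowsupdate\.com` versus a pattern anchored to the host part of the URL), the one-entry stand-in for the blocked-sites file, the user names used as samples and the client address 10.0.0.5 are all assumptions.

```python
import ipaddress
import re
from datetime import time

# Added example, not code from the mailing-list post.  It models Squid's
# http_access evaluation for the rule order in the posted squid.conf.  The
# url_regex file contents are not on the page, so the patterns and request
# samples below are constructed assumptions.


def acl_matches(acl, req):
    """Return True if a single ACL, given as (type, values), matches the
    request.  Only the ACL types used in the posted config are modelled."""
    kind, values = acl
    if kind == "url_regex":
        # url_regex is an unanchored search over the whole URL, query
        # string included: a bare host name matches anywhere in the string.
        return any(re.search(p, req["url"]) for p in values)
    if kind == "proxy_auth":
        # Simplification: an unauthenticated request simply fails to match
        # (real Squid would send a 407 challenge at this point).
        user = req.get("user")
        return user is not None and ("REQUIRED" in values or user in values)
    if kind == "time":
        # h1:m1-h2:m2 ranges, treated as inclusive at minute granularity.
        return any(start <= req["clock"] <= stop for start, stop in values)
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(n) for n in values)
    raise ValueError("unmodelled ACL type: %s" % kind)


def http_access(rules, acls, req):
    """First rule whose terms all match decides.  If nothing matches, Squid
    applies the opposite of the last rule's action."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def build_acls(exception_patterns):
    """ACLs from the posted config that bear on the question.  The porn
    list is a one-entry stand-in for /etc/squid/data/blocked-sites."""
    return {
        "exceptions": ("url_regex", exception_patterns),
        "PornSites": ("url_regex", [r"porn"]),
        "vikramsingh": ("proxy_auth", ["vikram.singh"]),
        "sunayna.j": ("proxy_auth", ["sunayna.j"]),
        "PrelunchTime1": ("time", [(time(11, 0), time(12, 0))]),
        "all": ("src", ["0.0.0.0/0.0.0.0"]),
    }


# http_access lines in the order they appear in the posted squid.conf
# (manager and port rules omitted; they do not affect the outcome here).
POSTED_RULES = [
    ("allow", ["exceptions"]),
    ("deny", ["PornSites"]),
    ("allow", ["vikramsingh", "PrelunchTime1"]),
    ("allow", ["sunayna.j", "PrelunchTime1"]),
    ("deny", ["all"]),
]

# Two hypothetical ways of listing the Windows Update host in the
# exceptions file: a bare host name, and a pattern anchored to the
# authority part of the URL so it cannot match inside a path or query.
LOOSE_EXCEPTIONS = [r"windowsupdate\.com"]
ANCHORED_EXCEPTIONS = [r"^https?://([^/@]+\.)?windowsupdate\.com(:\d+)?/"]


def decide(exception_patterns, url, hh, mm, user="vikram.singh"):
    """Decision for a constructed request from an internal client."""
    req = {"url": url, "user": user, "clock": time(hh, mm), "src": "10.0.0.5"}
    return http_access(POSTED_RULES, build_acls(exception_patterns), req)


if __name__ == "__main__":
    samples = (("http://news.example/", 11),
               ("http://news.example/", 14),
               ("http://download.windowsupdate.com/x.cab", 14),
               ("http://news.example/?windowsupdate.com", 14),
               ("http://porn.example/?windowsupdate.com", 14))
    for patterns, label in ((LOOSE_EXCEPTIONS, "loose"),
                            (ANCHORED_EXCEPTIONS, "anchored")):
        for url, hh in samples:
            print("%-8s %02d:30 %-45s %s"
                  % (label, hh, url, decide(patterns, url, hh, 30)))
```

With the bare host-name entry, a user outside 11:00-12:00 reaches any site by appending `?windowsupdate.com` to the URL, and the same trick walks past `deny PornSites`, because that rule is never consulted for a request that already matched `exceptions`. The anchored entry still admits the update host (even unauthenticated, since the rule precedes any proxy_auth check) but nothing else. The practical check for this thread is therefore to read the exceptions and winupdates files for unanchored entries and compare them against the URLs that access.log shows being allowed after noon.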

This archive was generated by hypermail 2.2.0 : Wed Apr 29 2009 - 12:00:02 MDT