On 21/10/10 02:53, Michael Knichel wrote:
> I am a teacher with my own web connection for my classroom. I wish to
> have ACL's that deal with my morning class differently than my
> afternoon class. I have created the rules and applied them, but they
> do not seem to be working. I have cleared my cache and restarted
> squid but no luck.
>
> Some Background: I am trying to make it so my "am_students" can surf
> freely any time before 8:45 and after 10:30. That gives them 1/2 hr
> before class starts and 15 minutes at the end to check email, forum
> posts etc... At 8:45 I want to limit the sites they visit to those
> found in "AM_good_sites.txt" ( entries like .somedomain.com and
> .otherdomain.net ...) until 10:30. I have created my timed acl, my
> dstdomain acl and my proxy_auth acl. However, it seems that this
> config is not working. Any insight would be appreciated.
>
> ============================================= squid.conf
> ========================================
> #http_port 127.0.0.1:3128 transparent
> http_port 127.0.0.1:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
> #broken_vary_encoding allow apache
> access_log /var/log/squid3/access.log
> debug_options ALL,1
> #debug_options ALL,1,33,2
> dns_nameservers 208.67.222.222 208.67.220.220
> #dns_nameservers 24.148.96.1 24.148.96.2
> hosts_file /etc/hosts
> auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/basic.passwd
> auth_param basic realm Q3AIT Proxy Authentication
> auth_param basic children 10
> auth_param basic credentialsttl 3 hour
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
Add this right here:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> #acl all src 0.0.0.0/0.0.0.0
> acl all src
To clear up the confusion what is supposed to be here is:
"acl all src all"
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl Safe_ports port 2349 # hvcc.edu e-library
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl our_nets src 192.168.6.0/24
>
> # added by knichel 20090927 to require authentication
> acl myAuth proxy_auth REQUIRED
>
> #The following defines when I DON'T want them surfing freely
> acl AIT1_times time MTWHF 08:45-10:30
> acl AIT2_times time MTWHF 11:45-13:30
>
> acl teacher proxy_auth {comma separated user list}
> acl pm_students proxy_auth {comma separated user list}
> acl am_students proxy_auth {comma separated user list}
Um. Squid uses space separators. You can remove the commas I think.
>
> acl am_good_sites dstdomain "/etc/squid3/AM_good_sites.txt"
> acl pm_good_sites dstdomain "/etc/squid3/PM_good_sites.txt"
>
> acl bad_sites dstdomain "/etc/squid3/bad_sites.txt"
>
> acl google_apps url_regex -i q3ait.org
The way regex works any of the students can tack "foo=q3ait.org" on
the end of the URL and get access out.
Is this a domain name?
If so use "acl google_app dstdomain .q3ait.org" to test it. Or at
minimum dstdom_regex to limit regex to the domain name.
>
> acl GMail browser google.com/a
> cache deny QUERY AM_good_sites
> cache deny QUERY PM_good_sites
Remove the above two lines. They do not do what you seem to think they
do. The new refresh_pattern above replaces them.
> http_access deny manager
> http_access allow purge localhost
> http_access deny !Safe_ports
> http_access deny purge
> http_access deny CONNECT !SSL_ports
>
> # Used for updating computers, Allow All during updating...
> #http_access allow all
>
You can simplify a bit by adding this here:
http_access deny !myAuth
... you can then remove the "myAuth" from all following lines.
> # always allow users to good sites
> http_access allow myAuth teacher
> http_access deny bad_sites
> http_access allow myAuth am_students am_good_sites
> http_access allow myAuth pm_students pm_good_sites
This looks like most of your problem. You are missing the time ACL on
this allow line to say when its supposed to happen.
This should fix it:
http_access deny am_students !am_good_sites AIT1_times
http_access deny pm_students !pm_good_sites AIT2_times
>
> http_access allow myAuth google_apps
>
> # Deal with AM and PM separately
> http_access allow am_students myAuth !AIT1_times
> http_access allow pm_students myAuth !AIT2_times
>
> # now block all other access
> http_access deny all
>
> # allow replies from inside requests...
> http_reply_access allow all
>
> icp_access allow all
> cache_effective_group proxy
> visible_hostname localhost
> coredump_dir /var/spool/squid3
> ==============================================================================================
>
> --
> Michael Knichel
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.8 Beta testers wanted for 3.2.0.2Received on Thu Oct 21 2010 - 04:01:59 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 21 2010 - 12:00:03 MDT