squid ACL
 

hi sir

i have squid 2.6 installed on centos i created acl which should apply to this ip range i.e 192.168.1.10-192.168.1.15
and excluded 192.168.1.13 how can i do pls suggest

Hi,

You can use the following:
Regards

thanks for reply


but i have one query if i have 192.168.1.10-192.16.1.50, i want some ips randomly to be excuded from the acl then in such cases my acl increases for example if want 192.16.1.35,192.16.1.15,192.16.1.22 excluded then i have make
acl foo 192.16.1.10-192.16.1.14
acl bar 192.16.1.16-192.16.1.21
acl test 192.16.1.23-192.16.1.34
acl test1 192.16.1.36-192.16.1.50

hence acl increase is there any way so that we write acl as

acl foo 192.16.1.10-192.16.1.50
and after acl for excluded ips like 22,15,22

Regards
amar

You can use:

thanks

i am rearranging according to my requirment .

i created files download and mgdownload in etc/squid here i mentions some sites which need to block i want to allow download to foo,bar,test,test1
and deny mgdownload
and allow mgdownload and download to excluded ips

acl download url_regex -i "/etc/squid/download"
acl mgdownload url_regex -i "/etc/squid/mgdownload"
acl foo 192.16.1.10-192.16.1.14
acl bar 192.16.1.16-192.16.1.21
acl test 192.16.1.23-192.16.1.34
acl test1 192.16.1.36-192.16.1.50
acl goodguys 192.16.1.35 192.16.1.15 192.16.1.22
http_access allow foo download
http_access allow bar download
http_access allow test download
http_access allow test1 download
http_access deny foo mgdownload
http_access deny bar mgdownload
http_access deny test mgdownload
http_access deny test1 mgdownload
http_access allow goodguys mgdownload
http_access allow goodguys download

is it correct or any suggestion to minimized this configuration

Isn't it more easy to use:

thanks very much !!!
i will use it and check

hi sir
i created acl to block the below sites, is it write or can be minimized pls suggest

acl gmail dstdomain .gmail.com
acl gmail dstdomain .gmail.google.com
acl gmail dstdomain .mail.google.com
acl gmail dstdomain .login.yahoo.com
acl gmail dstdomain .messenger.yahoo.com
acl gmail dstdomain .mail.rediff.com
second query-- as

i created acl download url_regex -i "/etc/squid/download" ,in download file i enter www.yahoo.com and more sites , but due to this acl user are unable to open www.yahoo.com but able to open from http://yahoo.com pls suggest

Hi,

You should use your creativity to group together similar URLs. For example:
Note that this will work also for www.gmail.com, because this URL is redirected to mail.google.com

For the 2nd part you should put a dot "." in front of yahoo.com (.yahoo.com), so it matches www.yahoo.com and yahoo.com.
Note that this will also match foo.yahoo.com, bar.yahoo.com, so it this is not what you want, you should explicitly use www.yahoo.com and yahoo.com (without the leading dot)

Regards

Thanks sir its work for me!!!!

1 query--
in squid how to restrict https sites like banking,etc

2 query -

in squid acl is applied as per IP address base , but if some one change ip to the ip which having full access then in that case how we can restrict it , i think in squid we cannot map mac address to ip , so for this any suggestion

thanks in advance

Take a look here to understand how acls work. Or better yes read the whole manual, if you want to administer a squid proxy.
Anyway regarding your questions:
1. You can use:

2.
If squid was compiled with the "-enable-arp-acl" it can use mac addresses to restrict access. See the acl arp in the 1st link above.
Other than that you can use some sort of restrictions based on users. For this you need to authenticate your users (through ldap for example) and based on the attributes assigned to them (in ldap), you can restrict or allow access to specific URLs

thanks sir
your first solution works
regarding second query that acl arp, i created acl arp like
acl foo arp 00:80:48:06:E0
http_access allow foo
but it shows error invalid acl fatal bungled squid.conf i think that i should compile squid with arp enable option for this if i have to reinstalled squid ? or possible in existing installed squid

in ip bases acl we define groups like acl foo 172.16.1.21-172.16.1.50, but if i used mac based acl then how the groups are possible? means how i define range of mac address as it not random pls suggest

The squid you're running was compiled without the "-enable-arp-acl option". If you want it, you have to recompile it
Note that filtering based on mac addresses works only inside a lan. If you have clients in different lans this is not going to work, as the mac address shown, is the one of the intermediate switch.
And of course you cannot short mac addresses in groups

hi sir

if i use mac based filtering and i have 250 user in that case i have to created 250 ACL , which is very hektik, while in ip based we can minimized acl in groups is it rights

thanks in advance

Exactly.
That is why filtering based on mac addresses is not compiled by default.

Cheers