squid ACL
Hi sir,
I have Squid 2.6 installed on CentOS. I created an ACL which should apply to the IP range 192.168.1.10-192.168.1.15 and exclude 192.168.1.13. How can I do this? Please suggest.
Hi,
You can use the following:
Code:
acl FOO src 192.168.1.10-192.168.1.12 192.168.1.14-192.168.1.15
Thanks for the reply,
but I have one query. If I have 192.168.1.10-192.16.1.50 and I want some IPs randomly to be excluded from the ACL, then in such cases my ACLs increase. For example, if I want 192.16.1.35, 192.16.1.15, 192.16.1.22 excluded, then I have to make:
acl foo src 192.16.1.10-192.16.1.14
acl bar src 192.16.1.16-192.16.1.21
acl test src 192.16.1.23-192.16.1.34
acl test1 src 192.16.1.36-192.16.1.50
Hence the ACLs increase. Is there any way so that we write the ACL as
acl foo src 192.16.1.10-192.16.1.50
and after that an ACL for the excluded IPs like 22,15,22?
Regards,
amar
You can use:
Code:
acl goodguys src 192.16.1.35 192.16.1.15 192.16.1.22
Thanks.
I am rearranging according to my requirement. I created the files download and mgdownload in etc/squid; here I mention some sites which need to be blocked. I want to allow download to foo, bar, test, test1 and deny mgdownload, and allow mgdownload and download to the excluded IPs.
acl download url_regex -i "/etc/squid/download"
acl mgdownload url_regex -i "/etc/squid/mgdownload"
acl foo src 192.16.1.10-192.16.1.14
acl bar src 192.16.1.16-192.16.1.21
acl test src 192.16.1.23-192.16.1.34
acl test1 src 192.16.1.36-192.16.1.50
acl goodguys src 192.16.1.35 192.16.1.15 192.16.1.22
http_access allow foo download
http_access allow bar download
http_access allow test download
http_access allow test1 download
http_access deny foo mgdownload
http_access deny bar mgdownload
http_access deny test mgdownload
http_access deny test1 mgdownload
http_access allow goodguys mgdownload
http_access allow goodguys download
Is it correct, or any suggestion to minimize this configuration?
Isn't it easier to use:
Code:
acl foo src 192.16.1.10-192.16.1.14 192.16.1.16-192.16.1.21 192.16.1.23-192.16.1.34 192.16.1.36-192.16.1.50
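Squid's http_access lines also accept a negated ACL (`!name`), which allows the single-range-plus-exceptions form asked about earlier in the thread. The Python sketch below is an added example, not code from any poster or from Squid: a simplified model of first-match http_access evaluation using the thread's addresses, where the `lan` ACL name, the `.example.test` URL patterns and the substring matching are assumptions.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def src_acl(*items):
    """Matcher for 'acl NAME src ...' items: single IPs or lo-hi ranges."""
    ranges = []
    for item in items:
        lo, _, hi = item.partition("-")
        ranges.append((ip(lo), ip(hi or lo)))
    return lambda req: any(lo <= ip(req["client"]) <= hi for lo, hi in ranges)

def url_acl(*needles):
    """Stand-in for a 'url_regex -i' file: case-insensitive substring match (assumption)."""
    return lambda req: any(n.lower() in req["url"].lower() for n in needles)

# Addresses are the thread's; 'lan' and the URL patterns are constructed for this example.
ACLS = {
    "all": lambda req: True,
    "lan": src_acl("192.16.1.10-192.16.1.50"),
    "goodguys": src_acl("192.16.1.35", "192.16.1.15", "192.16.1.22"),
    "mgdownload": url_acl("mg.example.test"),
    "download": url_acl("files.example.test"),
}

# Each tuple mirrors one squid.conf line, e.g. the first is
#   http_access deny lan !goodguys mgdownload
# ACLs on one line are ANDed, '!' negates, and the first matching line decides.
RULES = [
    ("deny", ["lan", "!goodguys", "mgdownload"]),
    ("allow", ["lan", "download"]),
    ("allow", ["goodguys", "mgdownload"]),
    ("deny", ["all"]),
]

def decide(client, url):
    req = {"client": client, "url": url}
    for action, names in RULES:
        # A plain name must match; a '!'-prefixed name must not match.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny"

if __name__ == "__main__":
    for client in ("192.16.1.12", "192.16.1.22", "192.16.1.60"):
        for url in ("http://mg.example.test/a.exe", "http://files.example.test/x.zip"):
            print(client, url, decide(client, url))
```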
thanks very much !!!
I will use it and check.
Hi sir,
I created ACLs to block the sites below. Is it right, or can it be minimized? Please suggest.
acl gmail dstdomain .gmail.com
acl gmail dstdomain .gmail.google.com
acl gmail dstdomain .mail.google.com
acl gmail dstdomain .login.yahoo.com
acl gmail dstdomain .messenger.yahoo.com
acl gmail dstdomain .mail.rediff.com
Second query: as I created
acl download url_regex -i "/etc/squid/download"
in the download file I entered www.yahoo.com and more sites, but due to this ACL users are unable to open www.yahoo.com but are able to open it from http://yahoo.com. Please suggest.
Hi,
You should use your creativity to group together similar URLs. For example:
Code:
acl gmail dstdom_regex (.*)mail.(google|rediff).com
For the 2nd part you should put a dot "." in front of yahoo.com (.yahoo.com), so it matches www.yahoo.com and yahoo.com. Note that this will also match foo.yahoo.com, bar.yahoo.com, so if this is not what you want, you should explicitly use www.yahoo.com and yahoo.com (without the leading dot).
Regards
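An added example, not part of any post: Python's `re` stands in for Squid's POSIX regex matching to show what the posted `dstdom_regex` pattern and the two `url_regex` entries for yahoo.com actually match. The `TIGHT` pattern and all sample hostnames and URLs are constructed here.

```python
import re

def matches(pattern, text, ignore_case=False):
    """Unanchored search, the way Squid's regex ACL types match.
    Python's re is a stand-in for POSIX regex; the patterns below use
    only syntax common to both (assumption)."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, text, flags) is not None

POSTED = r"(.*)mail.(google|rediff).com"  # dstdom_regex pattern as posted above
TIGHT = r"mail\.(google|rediff)\.com$"    # added here: literal dots, anchored at the end

HOSTS = [  # constructed sample hostnames
    "mail.google.com",
    "gmail.google.com",
    "mail.rediff.com",
    "mail.google.com.example.net",
    "webmail-google-com.example.org",
]

def compare_host_patterns():
    """Map each sample host to (matched by POSTED, matched by TIGHT)."""
    return {h: (matches(POSTED, h), matches(TIGHT, h)) for h in HOSTS}

URLS = [  # constructed sample URLs
    "http://www.yahoo.com/",
    "http://yahoo.com/",
    "http://foo.yahoo.com/",
    "http://notyahoo.com/",
]

def compare_url_entries():
    """Map each URL to (matched by 'www.yahoo.com', matched by '.yahoo.com'),
    both treated as 'url_regex -i' entries, where '.' means any character."""
    return {
        u: (matches("www.yahoo.com", u, True), matches(".yahoo.com", u, True))
        for u in URLS
    }

if __name__ == "__main__":
    for host, result in compare_host_patterns().items():
        print(host, result)
    for url, result in compare_url_entries().items():
        print(url, result)
```

The unescaped, unanchored pattern also matches the last two sample hosts, which are unrelated to the mail sites; the escaped and end-anchored form does not.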
Thanks sir, it works for me!
1st query: in Squid, how to restrict HTTPS sites like banking, etc.?
2nd query: in Squid, ACLs are applied on an IP address basis, but if someone changes their IP to an IP which has full access, then in that case how can we restrict it? I think in Squid we cannot map a MAC address to an IP, so any suggestion for this? Thanks in advance.
Take a look here to understand how ACLs work. Or better yet, read the whole manual, if you want to administer a Squid proxy.
Anyway, regarding your questions:
1. You can use:
Code:
acl banks dstdomain .bank1.com .bank2.com
2. If Squid was compiled with "--enable-arp-acl", it can use MAC addresses to restrict access. See the acl arp in the 1st link above. Other than that, you can use some sort of restrictions based on users. For this you need to authenticate your users (through LDAP, for example), and based on the attributes assigned to them (in LDAP), you can restrict or allow access to specific URLs.
Thanks sir,
your first solution works. Regarding the second query, the acl arp: I created an acl arp like
acl foo arp 00:80:48:06:E0
http_access allow foo
but it shows the error: invalid acl fatal bungled squid.conf
I think that I should compile Squid with the arp enable option. For this, do I have to reinstall Squid, or is it possible in the existing installed Squid? In IP-based ACLs we define groups like
acl foo src 172.16.1.21-172.16.1.50
but if I use MAC-based ACLs then how are groups possible? I mean, how do I define a range of MAC addresses, as it is not random? Please suggest.
The Squid you're running was compiled without the "--enable-arp-acl" option. If you want it, you have to recompile it.
Note that filtering based on MAC addresses works only inside a LAN. If you have clients in different LANs this is not going to work, as the MAC address shown is the one of the intermediate switch. And of course you cannot sort MAC addresses into groups.
Hi sir,
if I use MAC-based filtering and I have 250 users, in that case I have to create 250 ACLs, which is very hectic, while with IP-based we can minimize ACLs in groups. Is that right? Thanks in advance.
Exactly.
That is why filtering based on MAC addresses is not compiled by default. Cheers