11-04-2009, 11:07 AM
#1
LQ Newbie
Registered: Nov 2009
Posts: 12
Rep:
Squid Allow Block Site TO some ip
Hi,
Is there any way to allow a particular blocked site to a particular IP in Squid or DansGuardian?
I will be very thankful.
11-04-2009, 11:41 AM
#2
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by
sachin151080
Is there any way to allow a particular blocked site to a particular IP in Squid or DansGuardian?
Yes. This was actually asked and answered less than a week ago right here.
11-05-2009, 04:37 AM
#3
LQ Newbie
Registered: Nov 2009
Posts: 12
Original Poster
Rep:
squid allow block site to some ip
Hi,
Thanks for your reply.
You have not yet understood my question.
I blocked Facebook & Orkut for all users, but now I want to open only Facebook to a particular user or IP.
Thanks
11-05-2009, 08:47 AM
#4
Member
Registered: Dec 2008
Posts: 41
Rep:
I'm not intimately familiar with users in Squid, but if you want to allow IPs, just add an ACL for the IP range (or several ACLs for each nonadjacent IP) and place some http_access allow <ACL NAME> lines above the http_access deny lines.
If you provide the appropriate sections of your /etc/squid/squid.conf file, I could probably give you specific examples.
11-05-2009, 09:03 AM
#5
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by
sachin151080
I blocked Facebook & Orkut for all users, but now I want to open only Facebook to a particular user or IP.
Only allow the IP to bypass the restriction on Facebook, right (not Orkut)?
You need to stick an http_access line above the one(s) which block the domains. Example:
Code:
acl special_client src 192.168.2.36
acl facebook dstdomain .facebook.com
acl orkut dstdomain .orkut.com
http_access allow facebook special_client
http_access deny facebook
http_access deny orkut
http_access allow all
Last edited by win32sux; 11-05-2009 at 09:04 AM .
11-06-2009, 01:35 AM
#6
LQ Newbie
Registered: Nov 2009
Posts: 12
Original Poster
Rep:
squid allow block site to some ip
Hi,
Thanks win32sux.
Finally you resolved my problem, you are a genius.
My last question to you: is it possible to create one file, like an exception IP list for a particular site, instead of creating an ACL for each IP & site?
For example:
192.168.0.2 facebook.com
192.168.0.3 orkut.com
192.168.0.50 facebook.com
because the number of ACL lists may affect the performance of the Squid proxy.
Once again, thanks for your quick reply.
11-06-2009, 05:56 AM
#7
Member
Registered: Dec 2008
Posts: 41
Rep:
Yes, this is possible. Make your file. Let's call it /etc/squid/badsites.acl and add this to your config file:
acl badsites dstdomain "/etc/squid/badsites.acl"
http_access deny badsites
Your file should look like this (one URL per line):
url1
url2
url3
Restart Squid.
11-06-2009, 12:21 PM
#8
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
I think you'd wanna do like gr33d said, but with an exception IP list instead.
You'd then match that ACL to certain domains, like:
Code:
acl special_clients src "/etc/squid/special_client_ips.txt"
acl facebook dstdomain .facebook.com
acl orkut dstdomain .orkut.com
http_access allow facebook special_clients
http_access deny facebook
http_access deny orkut
http_access allow all
You could also stick both client IPs and destination domains into lists, then do like:
Code:
acl special_clients src "/etc/squid/special_client_ips.txt"
acl bad_domains dstdomain "/etc/squid/bad_domains.txt"
http_access allow bad_domains special_clients
http_access deny bad_domains
http_access allow all
11-07-2009, 06:34 AM
#9
LQ Newbie
Registered: Jul 2009
Posts: 2
Rep:
how to allow some particular users to get access to the restricted site in squid
Hi,
I want to restrict sites like Orkut and Gmail in Squid, but I want to give access to these sites to some specific users. How can I achieve it?
11-07-2009, 11:20 AM
#10
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by
subhojit
Hi,
I want to restrict sites like Orkut and Gmail in Squid, but I want to give access to these sites to some specific users. How can I achieve it?
Have you tried the examples provided above?
11-08-2009, 02:22 AM
#11
LQ Newbie
Registered: Nov 2009
Posts: 12
Original Poster
Rep:
squid allow block site to some ip
Hi,
win32sux
Thanks for your valuable reply. I tried both options; both are working fine.
You gave a solution that is exactly what I want.
Thanks, you are a genius in Linux.
Regards
Sachin J.
02-13-2010, 02:39 AM
#12
LQ Newbie
Registered: Nov 2009
Posts: 12
Original Poster
Rep:
How to allows some user to download denied extension
Hi,
win32sux
I have one query again; I think you could be able to solve it.
I denied downloads by creating extndeny.acl for all.
Now I want to allow some VIP user to download what I denied in extndeny.acl. How should I do that?
Regards
Sachin J.
02-13-2010, 05:32 PM
#13
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by
sachin151080
Hi,
win32sux
I have one query again; I think you could be able to solve it.
I denied downloads by creating extndeny.acl for all.
Now I want to allow some VIP user to download what I denied in extndeny.acl. How should I do that?
Regards
Sachin J.
Create an ACL to match the VIP then stick an allow statement above the deny perhaps? Example:
Code:
acl vip src 192.168.2.97
acl extndeny url_regex "/etc/squid/extndeny.txt"
http_access allow vip extndeny
http_access deny all extndeny
Or maybe use an inverted match (depending on how everything else is set)? Example:
Code:
acl vip src 192.168.2.97
acl extndeny url_regex "/etc/squid/extndeny.txt"
http_access deny all !vip extndeny
Last edited by win32sux; 02-13-2010 at 05:41 PM .
02-15-2010, 08:06 AM
#14
LQ Newbie
Registered: Nov 2009
Posts: 12
Original Poster
Rep:
How to allows some user to download denied extension
Hi,
Thanks for your quick reply. I tried your setting, but after putting in this setting my Squid failed to start.
Everything is working fine:
I restricted access to the proxy,
blocked websites,
I allowed blocked websites to the VIP user.
I blocked download by extension for all, but I want to allow those blocked extension downloads to the VIP user. I tried your setting but my Squid fails to start.
So I am giving my whole setting so you will get an idea whether I did something wrong or I have to change something.
acl extndeny url_regex -i "/etc/squid/extndeny.acl"
acl badURL url_regex -i games
acl badURL url_regex -i porn
acl download method GET
http_access deny badURL
http_access deny extndeny download
acl my_safeports port 80 81 21 443 1025-65535
acl special_client1 src "/etc/squid/special_client1.acl"
acl special_client2 src "/etc/squid/special_client2.acl"
acl special_client3 src "/etc/squid/special_client3.acl"
acl bad_domain1 dstdomain "/etc/squid/bad_domain1.acl"
acl good_ip src "/etc/squid/goodip.acl"
acl bad_domain2 dstdomain "/etc/squid/bad_domain2.acl"
acl bad_domain3 dstdomain "/etc/squid/bad_domain3.acl"
http_access allow bad_domain1 special_client1
http_access allow bad_domain2 special_client2
http_access allow bad_domain3 special_client3
http_access allow good_ip all
http_access deny bad_domain1
http_access deny bad_domain2
http_access deny bad_domain3
acl my_networks src "/etc/squid/allowips.acl"
http_access allow my_networks
http_access deny all
Regards
Sachin J.
02-15-2010, 07:12 PM
#15
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
What error message does Squid produce when it fails?
BTW, I don't see any ACL for the VIP user in the configuration you posted.
FWIW, this line you have would affect everyone:
Quote:
Code:
http_access deny extndeny download
The VIP http_access line would need to be above that (or included as an inverted match) in order to bypass.
Last edited by win32sux; 02-16-2010 at 02:21 AM .
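The ordering rule that posts #5, #8, #13 and #15 rely on, shown as an added example (not code from the thread or from Squid): a small Python model of how http_access lines are evaluated. It models only the src, dstdomain and url_regex ACL types, assumes `all` is predefined, and the `\.exe$` pattern is a constructed stand-in for the contents of extndeny.acl.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def parse(conf):
    """Return ({acl_name: [(type, value, icase)]}, [(action, [acl_names])])."""
    acls, rules = {}, []
    for tok in map(str.split, conf.strip().splitlines()):
        if tok[:1] == ["acl"]:
            # Reusing an ACL name adds values; one matching value is enough (OR).
            acls.setdefault(tok[1], []).extend(
                (tok[2], v, "-i" in tok) for v in tok[3:] if v != "-i")
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    """True if any value of the named ACL matches the request."""
    if name == "all":  # assumption: `all` is predefined, not declared in conf
        return True
    checks = {
        "src": lambda v, i: ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v),
        # A leading dot matches the domain itself and its subdomains.
        "dstdomain": lambda v, i: req["host"] == v.lstrip(".")
        or (v.startswith(".") and req["host"].endswith(v)),
        "url_regex": lambda v, i: bool(re.search(v, req["url"], re.I if i else 0)),
    }
    return any(checks[kind](v, i) for kind, v, i in acls[name])

def decide(conf, src, url):
    """First http_access line whose ACLs ALL match decides; '!' inverts an ACL."""
    acls, rules = parse(conf)
    req = {"src": src, "url": url, "host": urlsplit(url).hostname}
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

ACLS = r"""
acl vip src 192.168.2.97
acl extndeny url_regex -i \.exe$
"""  # constructed: the regex stands in for the contents of extndeny.acl
DENY_FIRST = ACLS + "http_access deny extndeny\nhttp_access allow vip extndeny\nhttp_access allow all"
ALLOW_FIRST = ACLS + "http_access allow vip extndeny\nhttp_access deny extndeny\nhttp_access allow all"
INVERTED = ACLS + "http_access deny !vip extndeny\nhttp_access allow all"

if __name__ == "__main__":
    for name, conf in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST), ("inverted", INVERTED)):
        print(name, decide(conf, "192.168.2.97", "http://example.com/setup.exe"))
```

An allow line that matches ends evaluation for that request, so any deny lines placed below it no longer apply to the VIP. The inverted form only exempts the VIP from that one deny line, and later lines are still checked.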
All times are GMT -5.