squid ACL

andycol · 10-30-2009, 07:35 AM

Hi Guys

I am using webmin to configure squid, i have banned certain domains/fileteypes etc

what i want to accomplish is that certain ip addresses on the local lan have access to the banned sites

is that possible?

thanks

win32sux · 10-30-2009, 07:59 AM

Quote:

Originally Posted by andycol

I am using webmin to configure squid, i have banned certain domains/fileteypes etc

what i want to accomplish is that certain ip addresses on the local lan have access to the banned sites

is that possible?

Sure, just place a corresponding http_access line above the banning one(s). Example:

Code:

acl banned_sites dstdomain .microsoft.com
acl banned_sites dstdomain .bing.com
acl my_network src 192.168.1.0/24
acl my_special_users src 192.168.1.34-192.168.1.77

http_access allow my_special_users
http_access deny my_network banned_sites
http_access allow my_network
http_access deny all

In this example, those two sites would be denied for anyone not in the 192.168.1.34-192.168.1.77 range.

The Webmin front end you're using will hopefully let you configure things similarly.

andycol · 10-30-2009, 08:13 AM

i added

these 2 lines

acl my_special_users src 192.168.0.229

http_access allow my_special_users

and still my ip which is 229 cant access the website

any ideas?

win32sux · 10-30-2009, 09:07 AM

Quote:

Originally Posted by andycol

i added

these 2 lines

acl my_special_users src 192.168.0.229

http_access allow my_special_users

and still my ip which is 229 cant access the website

any ideas?

You gotta make sure that http_access line is located above any others which allow access.

These access controls are processed from top to bottom.

andycol · 10-31-2009, 03:47 AM

i get this now wen i do a squid reload

ACL name 'my_special_users' not defined!
FATAL: Bungled squid.conf line 2533: http_access allow my_special_users
Squid Cache (Version 2.6.STABLE21): Terminated abnormally

my ouput looks like in squid.conf

acl banned_porn url_regex -i "/etc/squid/banned.porn"
http_access deny banned_porn

acl banned_domain dstdom_regex -i "/etc/squid/banned.domain"
http_access deny banned_domain

acl banned_filetypes urlpath_regex -i "/etc/squid/banned.filetypes"
http_access deny banned_filetypes
http_access allow my_special_users
acl our_networks src 192.168.0.0/16
acl my_special_users src 192.168.0.228-192.168.0.230
http_access allow our_networks

any ideas?

win32sux · 10-31-2009, 04:09 AM

Quote:

Originally Posted by andycol

i get this now wen i do a squid reload

ACL name 'my_special_users' not defined!
FATAL: Bungled squid.conf line 2533: http_access allow my_special_users
Squid Cache (Version 2.6.STABLE21): Terminated abnormally

my ouput looks like in squid.conf

acl banned_porn url_regex -i "/etc/squid/banned.porn"
http_access deny banned_porn

acl banned_domain dstdom_regex -i "/etc/squid/banned.domain"
http_access deny banned_domain

acl banned_filetypes urlpath_regex -i "/etc/squid/banned.filetypes"
http_access deny banned_filetypes
http_access allow my_special_users
acl our_networks src 192.168.0.0/16
acl my_special_users src 192.168.0.228-192.168.0.230
http_access allow our_networks

any ideas?

You're trying to implement the access control before the list has been created.

andycol · 10-31-2009, 04:16 AM

so what should i do?

sorry new to squid

win32sux · 10-31-2009, 04:43 AM

Quote:

Originally Posted by andycol

so what should i do?

sorry new to squid

Like I said earlier, these things are processed from top to bottom. You need to make sure things are in the proper order. If you apply the same style you used for the other lines, you'd end up with:

Code:

acl banned_porn url_regex -i "/etc/squid/banned.porn"
http_access deny banned_porn

acl banned_domain dstdom_regex -i "/etc/squid/banned.domain"
http_access deny banned_domain

acl banned_filetypes urlpath_regex -i "/etc/squid/banned.filetypes"
http_access deny banned_filetypes

acl my_special_users src 192.168.0.228-192.168.0.230
http_access allow my_special_users

acl our_networks src 192.168.0.0/16
http_access allow our_networks

But if the idea is to prevent 192.168.0.228-192.168.0.230 from having their access filtered, you'd need to stick that chunk above the banning ACLs, like:

Code:

acl my_special_users src 192.168.0.228-192.168.0.230
http_access allow my_special_users

acl banned_porn url_regex -i "/etc/squid/banned.porn"
http_access deny banned_porn

acl banned_domain dstdom_regex -i "/etc/squid/banned.domain"
http_access deny banned_domain

acl banned_filetypes urlpath_regex -i "/etc/squid/banned.filetypes"
http_access deny banned_filetypes

acl our_networks src 192.168.0.0/16
http_access allow our_networks

This way, they wouldn't be affected by any of the access restrictions.

If, on the other hand, you only wished for them to bypass one of the ACLs, then just tweak the order:

Code:

acl banned_porn url_regex -i "/etc/squid/banned.porn"
http_access deny banned_porn

acl banned_filetypes urlpath_regex -i "/etc/squid/banned.filetypes"
http_access deny banned_filetypes

acl my_special_users src 192.168.0.228-192.168.0.230
http_access allow my_special_users

acl banned_domain dstdom_regex -i "/etc/squid/banned.domain"
http_access deny banned_domain

acl our_networks src 192.168.0.0/16
http_access allow our_networks

In this example, 192.168.0.228-192.168.0.230 wouldn't have any domain restrictions enforced on them, but they would still be subject to your porn URL and file type restrictions.

andycol · 10-31-2009, 05:58 AM

aah ok now seems to work fine...

thanks alot mate