LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 10-30-2009, 08:35 AM   #1
andycol
Member
 
Registered: Jul 2009
Location: South Africa
Posts: 38

Rep: Reputation: 16
squid ACL


Hi Guys

I am using webmin to configure squid, i have banned certain domains/fileteypes etc

what i want to accomplish is that certain ip addresses on the local lan have access to the banned sites

is that possible?

thanks
 
Old 10-30-2009, 08:59 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by andycol View Post
I am using webmin to configure squid, i have banned certain domains/fileteypes etc

what i want to accomplish is that certain ip addresses on the local lan have access to the banned sites

is that possible?
Sure, just place a corresponding http_access line above the banning one(s). Example:
Code:
acl banned_sites dstdomain .microsoft.com
acl banned_sites dstdomain .bing.com
acl my_network src 192.168.1.0/24
acl my_special_users src 192.168.1.34-192.168.1.77

http_access allow my_special_users
http_access deny my_network banned_sites
http_access allow my_network
http_access deny all
In this example, those two sites would be denied for anyone not in the 192.168.1.34-192.168.1.77 range.

The Webmin front end you're using will hopefully let you configure things similarly.

Last edited by win32sux; 10-30-2009 at 09:02 AM.
 
Old 10-30-2009, 09:13 AM   #3
andycol
Member
 
Registered: Jul 2009
Location: South Africa
Posts: 38

Original Poster
Rep: Reputation: 16
i added

these 2 lines


acl my_special_users src 192.168.0.229

http_access allow my_special_users

and still my ip which is 229 cant access the website

any ideas?
 
Old 10-30-2009, 10:07 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by andycol View Post
i added

these 2 lines


acl my_special_users src 192.168.0.229

http_access allow my_special_users

and still my ip which is 229 cant access the website

any ideas?
You gotta make sure that http_access line is located above any others which allow access.

These access controls are processed from top to bottom.
 
Old 10-31-2009, 04:47 AM   #5
andycol
Member
 
Registered: Jul 2009
Location: South Africa
Posts: 38

Original Poster
Rep: Reputation: 16
i get this now wen i do a squid reload

ACL name 'my_special_users' not defined!
FATAL: Bungled squid.conf line 2533: http_access allow my_special_users
Squid Cache (Version 2.6.STABLE21): Terminated abnormally

my ouput looks like in squid.conf

acl banned_porn url_regex -i "/etc/squid/banned.porn"
http_access deny banned_porn

acl banned_domain dstdom_regex -i "/etc/squid/banned.domain"
http_access deny banned_domain

acl banned_filetypes urlpath_regex -i "/etc/squid/banned.filetypes"
http_access deny banned_filetypes
http_access allow my_special_users
acl our_networks src 192.168.0.0/16
acl my_special_users src 192.168.0.228-192.168.0.230
http_access allow our_networks


any ideas?
 
Old 10-31-2009, 05:09 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by andycol View Post
i get this now wen i do a squid reload

ACL name 'my_special_users' not defined!
FATAL: Bungled squid.conf line 2533: http_access allow my_special_users
Squid Cache (Version 2.6.STABLE21): Terminated abnormally

my ouput looks like in squid.conf

acl banned_porn url_regex -i "/etc/squid/banned.porn"
http_access deny banned_porn

acl banned_domain dstdom_regex -i "/etc/squid/banned.domain"
http_access deny banned_domain

acl banned_filetypes urlpath_regex -i "/etc/squid/banned.filetypes"
http_access deny banned_filetypes
http_access allow my_special_users
acl our_networks src 192.168.0.0/16
acl my_special_users src 192.168.0.228-192.168.0.230
http_access allow our_networks


any ideas?
You're trying to implement the access control before the list has been created.
 
Old 10-31-2009, 05:16 AM   #7
andycol
Member
 
Registered: Jul 2009
Location: South Africa
Posts: 38

Original Poster
Rep: Reputation: 16
so what should i do?

sorry new to squid
 
Old 10-31-2009, 05:43 AM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by andycol View Post
so what should i do?

sorry new to squid
Like I said earlier, these things are processed from top to bottom. You need to make sure things are in the proper order. If you apply the same style you used for the other lines, you'd end up with:
Code:
acl banned_porn url_regex -i "/etc/squid/banned.porn"
http_access deny banned_porn

acl banned_domain dstdom_regex -i "/etc/squid/banned.domain"
http_access deny banned_domain

acl banned_filetypes urlpath_regex -i "/etc/squid/banned.filetypes"
http_access deny banned_filetypes

acl my_special_users src 192.168.0.228-192.168.0.230
http_access allow my_special_users

acl our_networks src 192.168.0.0/16
http_access allow our_networks
But if the idea is to prevent 192.168.0.228-192.168.0.230 from having their access filtered, you'd need to stick that chunk above the banning ACLs, like:
Code:
acl my_special_users src 192.168.0.228-192.168.0.230
http_access allow my_special_users

acl banned_porn url_regex -i "/etc/squid/banned.porn"
http_access deny banned_porn

acl banned_domain dstdom_regex -i "/etc/squid/banned.domain"
http_access deny banned_domain

acl banned_filetypes urlpath_regex -i "/etc/squid/banned.filetypes"
http_access deny banned_filetypes

acl our_networks src 192.168.0.0/16
http_access allow our_networks
This way, they wouldn't be affected by any of the access restrictions.

If, on the other hand, you only wished for them to bypass one of the ACLs, then just tweak the order:
Code:
acl banned_porn url_regex -i "/etc/squid/banned.porn"
http_access deny banned_porn

acl banned_filetypes urlpath_regex -i "/etc/squid/banned.filetypes"
http_access deny banned_filetypes

acl my_special_users src 192.168.0.228-192.168.0.230
http_access allow my_special_users

acl banned_domain dstdom_regex -i "/etc/squid/banned.domain"
http_access deny banned_domain

acl our_networks src 192.168.0.0/16
http_access allow our_networks
In this example, 192.168.0.228-192.168.0.230 wouldn't have any domain restrictions enforced on them, but they would still be subject to your porn URL and file type restrictions.

Last edited by win32sux; 10-31-2009 at 05:54 AM.
 
Old 10-31-2009, 06:58 AM   #9
andycol
Member
 
Registered: Jul 2009
Location: South Africa
Posts: 38

Original Poster
Rep: Reputation: 16
aah ok now seems to work fine...

thanks alot mate
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
squid acl Winanjaya Linux - Server 1 04-23-2009 12:03 PM
Squid acl help cgelectek Linux - Networking 3 11-11-2005 12:04 AM
Squid ACL Question kemplej Linux - Security 5 08-03-2004 11:56 AM
acl software for squid aqoliveira Linux - Software 1 04-26-2003 05:23 PM
Squid ACL zeroability Linux - Networking 2 01-13-2003 10:30 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 04:55 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration