Re: [squid-users] squid acl soap request method
On 15/10/2013 3:48 p.m., James Shirley wrote:
> Hi! I'm trying to configure a squid acl to control what soap requests are allowed to a backend web server.. Only I cannot see a configuration parameter directly specific to SOAP (or XML) protocol. Or even a way to integrate the POST message content in a helper application..

That is because the message and the message content are two _very_ separate things. The messages being HTTP protocol and message content being the SOAP/XML stuff.

Squid only operates on the HTTP protocol. The content of messages is outside of Squid scope of operations and treated as opaque data.

Manipulation or control based on message content is called "content filtering" and is performed by ICAP services and/or eCAP plugins for Squid.

NP: I'm not yet aware of any plugins/services that manipulate SOAP/XML data. Given that it is XML it should be relatively easy to create your own content filter that meets your needs.

> I have looked into validating SOAPAction HTTP header, however this is an optional header which not all SOAP clients use..

For controlling it in Squid that is probably the best way. Unless you can find a better way to identify SOAP from just the HTTP headers (Content-Type perhaps?).

Amos
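As an added example (not part of the thread), the header-based control Amos describes, written as a squid.conf fragment. The backend host name and the allowed SOAPAction values are placeholders; the req_header ACL type is standard Squid.

```conf
# Added example, not from the thread: restrict SOAP POSTs to a backend using only
# the HTTP headers Squid can see. Both headers are supplied by the client, so this
# is an allowlist on declared intent, not inspection of the XML body; validating
# the body itself still needs an ICAP/eCAP content filter, as Amos says.

acl backend  dstdomain soap.backend.example
acl post     method POST
acl soap_ct  req_header Content-Type -i ^(text/xml|application/soap\+xml)
# Header values are usually wrapped in quotes, so the pattern is not anchored at
# the start; the trailing group stops "GetStatusX" from matching "GetStatus".
acl soap_op  req_header SOAPAction -i urn:example:(GetStatus|ListItems)([^A-Za-z0-9]|$)

# Only POSTs that declare a SOAP content type and an allowlisted operation reach
# the backend; any other request to it is refused. Clients that omit SOAPAction
# (the optional-header problem James raised) fall through to the deny line.
# Keep these two lines above any broader http_access allow.
http_access allow backend post soap_ct soap_op
http_access deny  backend
```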
[squid-users] squid acl soap request method
Hi!

I'm trying to configure a squid acl to control what soap requests are allowed to a backend web server.. Only I cannot see a configuration parameter directly specific to SOAP (or XML) protocol. Or even a way to integrate the POST message content in a helper application..

I have looked into validating SOAPAction HTTP header, however this is an optional header which not all SOAP clients use..

The closest thing I can find is the external_acl_type configuration parameter; however this doesn't pass the HTTP POST content to the helper custom program. '%DATA' looked good, however this is for ACL parameters..

Any help would be much appreciated..

Cheers
James
[squid-users] Squid ACL per-user basis
Hello,

I'm using squid 2.6 Version 2.6.STABLE21 (provided with CentOS 5.x), using NTLM AUTH. Since I'm able to apply ACLs to Windows Groups, I'm just wondering if I can apply an ACL only to a single user. Should I need to create a group only for that user and apply an acl to that group, or is there a different way?

Thanks

Here's my config (comments translated from Italian):
-
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_mem 4 MB
cache_swap_low 85
cache_swap_high 90
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
auth_param ntlm program /usr/lib64/squid/ntlm_auth DOMAIN/PDC # Hidden for privacy
auth_param basic program /usr/lib64/squid/ntlm_auth DOMAIN/PDC # Hidden for privacy
auth_param basic children 5
auth_param basic realm Squid Access
auth_param basic credentialsttl 2 hours
external_acl_type check-group ttl=0 concurrency=0 %LOGIN /usr/lib64/squid/wbinfo_group.pl
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.1.0/255.255.255.0
acl to_lan dst 192.168.1.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?
acl autenticati proxy_auth REQUIRED
acl siti_blacklist url_regex "/etc/squid/blacklist.txt"
acl siti_whitelist url_regex "/etc/squid/whitelist.txt"
acl siti_limitati url_regex "/etc/squid/limitati.txt"
acl titolari external check-group group1
acl dipendenti external check-group group2
acl limitati external check-group group3
# Things never to cache
#no_cache deny QUERY
# Enable this if you don't want any caching
#no_cache deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Allow unrestricted access from the local machine
http_access allow localhost
# Allow access from the local network to the whole network
http_access allow to_lan lan
# Allow access from the local network to whitelisted sites
http_access allow siti_whitelist lan
# Unrestricted access for the owners (titolari)
http_access allow titolari
# Employees (dipendenti) may visit every web site except
# those listed in the blacklist file
http_access allow !siti_blacklist dipendenti
# Restricted users (limitati) may only reach a few sites
http_access allow siti_limitati limitati
# All other access is denied
http_access deny !autenticati
http_access deny all
http_reply_access allow all
acl FTP proto FTP
always_direct allow FTP
cache_mgr mana...@mylan.com
cache_effective_user squid
cache_effective_group squid
# I have very little RAM, so I set this off. YMMV
memory_pools on
forwarded_for on
#error_directory /etc/squid/errors
coredump_dir /var/spool/squid
# note 33,2 lets you see which acl allowed or denied
debug_options ALL,1 33,2
--
Re: [squid-users] Squid "acl port"
I got it, Thanks for your replies.

- Original Message -
From: "Amos Jeffries"
To: "wangwen"
Cc:
Sent: Wednesday, September 30, 2009 10:29 AM
Subject: Re: [squid-users] Squid "acl port"

> On Wed, 30 Sep 2009 09:46:04 +0800, "wangwen" wrote:
>> Hi All.
>>
>> I have my question about the use of “acl port ” in squid.conf.
>>
>> Generally the proxy has the following three cases:
>>
>> 1. Standard proxy cache server: In order to realize this approach, We must indicate the Ip and port of proxy server in the browser of everyone internal host.
>>
>> 2. Transparent proxy cache server: The transparent cache intercepts network traffic, filters HTTP traffic (on port 80), and handles the request if the item is in the cache.
>>
>> 3. Reverse proxy cache server: It usually listen in 80 port to accept client request. When guests accessing proxy server, they will just feel like visiting backend server. User can't feel backend server here.
>>
>> In the first case: Entering “IP:port” in the browser we can access any website. According to IP address and port in the browser, Proxy server control user access. In this case we can use “acl port” in squid.conf to control access.
>>
>> In the second case: Entering “IP:port” in the browser we can access any website. But the request URL which not include port 80 will not be sent to proxy server. I think that “acl port” is useless In this case.
>>
>> In the third case: Entering “IP of reverse proxy server:port” in the browser we can access backend server. I think that “acl port” is useless In this case.
>>
>> From what we analyzed before, ”acl port” only takes effect in the first case, or is it? If it is not, Can anybody give me some example using “acl port” in another cases?
>>
>> Thank you.
>
> When referring to the receiving http_port in squid prefer the myportname feature. All other port ACL types are unreliable in some modes.
>
> ACL type "port" - refers to the client destination port when on normal proxy mode. Reverse proxy mode this is the client destination port (provided NAT and load balancers have not been involved anywhere down the chain) which should usually be 80, but may be some other squid receiving accel port if used by web apps or altered by intermediate devices/software.
>
> ACL type "myport" - refers to squid receiving port. Reverse proxy mode expect this to be identical to the above (aka client destination port) when in reverse proxy mode. Usable in forward and reverse proxy mode for non-standard or multiple proxy listening ports.
>
> NOTE: _neither_ of these above methods works reliably in transparent mode. The IP:port for both squid and the client and the client destination are volatile based on system NAT capabilities. OR if they are reliably set should always be 80. Every install combo with operating system, firewall, NAT engine and Squid version needs to be tested to see what the ACL matches.
>
> TPROXY interception also faces the same problems with even weirder behavior, setting "myport" to the client source port which should be completely random and unusable.
>
> ACL type "myportname" - refers to the squid receiving port by explicit name in all modes.
>
> Amos
Re: [squid-users] Squid "acl port"
On Wed, 30 Sep 2009 09:46:04 +0800, "wangwen" wrote:
> Hi All.
>
> I have my question about the use of “acl port ” in squid.conf.
>
> Generally the proxy has the following three cases:
>
> 1. Standard proxy cache server: In order to realize this approach, We must indicate the Ip and port of proxy server in the browser of everyone internal host.
>
> 2. Transparent proxy cache server: The transparent cache intercepts network traffic, filters HTTP traffic (on port 80), and handles the request if the item is in the cache.
>
> 3. Reverse proxy cache server: It usually listen in 80 port to accept client request. When guests accessing proxy server, they will just feel like visiting backend server. User can't feel backend server here.
>
> In the first case: Entering “IP:port” in the browser we can access any website. According to IP address and port in the browser, Proxy server control user access. In this case we can use “acl port” in squid.conf to control access.
>
> In the second case: Entering “IP:port” in the browser we can access any website. But the request URL which not include port 80 will not be sent to proxy server. I think that “acl port” is useless In this case.
>
> In the third case: Entering “IP of reverse proxy server:port” in the browser we can access backend server. I think that “acl port” is useless In this case.
>
> From what we analyzed before, ”acl port” only takes effect in the first case, or is it? If it is not, Can anybody give me some example using “acl port” in another cases?
>
> Thank you.

When referring to the receiving http_port in squid prefer the myportname feature. All other port ACL types are unreliable in some modes.

ACL type "port" - refers to the client destination port when on normal proxy mode. Reverse proxy mode this is the client destination port (provided NAT and load balancers have not been involved anywhere down the chain) which should usually be 80, but may be some other squid receiving accel port if used by web apps or altered by intermediate devices/software.

ACL type "myport" - refers to squid receiving port. Reverse proxy mode expect this to be identical to the above (aka client destination port) when in reverse proxy mode. Usable in forward and reverse proxy mode for non-standard or multiple proxy listening ports.

NOTE: _neither_ of these above methods works reliably in transparent mode. The IP:port for both squid and the client and the client destination are volatile based on system NAT capabilities. OR if they are reliably set should always be 80. Every install combo with operating system, firewall, NAT engine and Squid version needs to be tested to see what the ACL matches.

TPROXY interception also faces the same problems with even weirder behavior, setting "myport" to the client source port which should be completely random and unusable.

ACL type "myportname" - refers to the squid receiving port by explicit name in all modes.

Amos
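An added squid.conf example (not from the thread) showing Amos's advice in practice: give each http_port a name and write the access rules against myportname rather than port or myport. The port numbers, names and the backend site are placeholders, and it assumes a Squid release that supports the name= option on http_port.

```conf
# Added example, not from the thread. Two listening ports, each named, so the
# ACLs below can identify the receiving port the same way in every mode.

# Forward proxy for the office network
http_port 3128 name=office_proxy

# Reverse proxy (accelerator) in front of a web application
http_port 80 accel defaultsite=www.example.com name=accel_front

# myportname matches the receiving port by its explicit name (reliable in all modes)
acl OnOfficeProxy myportname office_proxy
acl OnAccel       myportname accel_front

# "port" is the client's destination port: meaningful on the forward proxy, and on
# the accelerator only if no NAT or load balancer rewrote it upstream. In
# interception modes neither "port" nor "myport" is dependable, so neither is
# used to identify the listener here.
acl Safe_ports port 80 443
acl lan src 192.168.1.0/24

# Accelerator traffic is for the published site only; office users may browse
# to safe ports from the LAN; everything else is refused.
http_access allow OnAccel
http_access allow OnOfficeProxy lan Safe_ports
http_access deny all
```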
[squid-users] Squid "acl port"
Hi All.

I have my question about the use of “acl port ” in squid.conf.

Generally the proxy has the following three cases:

1. Standard proxy cache server: In order to realize this approach, We must indicate the Ip and port of proxy server in the browser of everyone internal host.

2. Transparent proxy cache server: The transparent cache intercepts network traffic, filters HTTP traffic (on port 80), and handles the request if the item is in the cache.

3. Reverse proxy cache server: It usually listen in 80 port to accept client request. When guests accessing proxy server, they will just feel like visiting backend server. User can't feel backend server here.

In the first case: Entering “IP:port” in the browser we can access any website. According to IP address and port in the browser, Proxy server control user access. In this case we can use “acl port” in squid.conf to control access.

In the second case: Entering “IP:port” in the browser we can access any website. But the request URL which not include port 80 will not be sent to proxy server. I think that “acl port” is useless In this case.

In the third case: Entering “IP of reverse proxy server:port” in the browser we can access backend server. I think that “acl port” is useless In this case.

From what we analyzed before, ”acl port” only takes effect in the first case, or is it? If it is not, Can anybody give me some example using “acl port” in another cases?

Thank you.
Re: [squid-users] Squid ACL, allow url?
CopyrightPhilly wrote:
> hi, I've been trying for hours to try and get this to work, basically this is what I am wanting to do:
>
> Deny if requested is not on allowed port
> Allow local users accounts (got this working)
> Allow if the requested url is *.mydomain.com
> Deny if not the above
>
> below what I'm using, - all the fully working... can anyone tell me what I'm doing wrong? thanks
>
> acl LocalServer url_regex -i *.mydomain.com

acl LocalServer dstdomain .mydomain.com

> acl all src all
>
> http_access deny !Safe_ports
> http_access allow LocalUsers
> http_access allow LocalServer
> http_access deny all

If that's not working, there is something elsewhere going wrong.

What version of squid are you using?
What type of errors are you seeing?
Is Safe_ports defined properly?
Is this trying to be an accelerator, or just a forward proxy with internal sites always allowed?

Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.5
[squid-users] Squid ACL, allow url?
hi, I've been trying for hours to try and get this to work, basically this is what I am wanting to do:

Deny if requested is not on allowed port
Allow local users accounts (got this working)
Allow if the requested url is *.mydomain.com
Deny if not the above

below what I'm using, - all the fully working... can anyone tell me what I'm doing wrong? thanks

acl LocalServer url_regex -i *.mydomain.com
acl all src all

http_access deny !Safe_ports
http_access allow LocalUsers
http_access allow LocalServer
http_access deny all
RE: [squid-users] Squid ACL Problem
It was a DNS zone problem that I've resolved. Thanks for all your help!

-Original Message-
From: Leonardo Rodrigues Magalhães [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 02, 2007 12:12 PM
To: Heaton, Tobias
Cc: Squid Users
Subject: Re: [squid-users] Squid ACL Problem

Heaton, Tobias wrote:
> No log entries are appearing from a network machine on the same subnet. The only way I can generate an access.log entry is running the squidclient app w/ the URL:
>
> squidclient http://www.apple.com
>
> access.log:
>
> 247 127.0.0.1 TCP_MISS/200 10226 GET http://www.apple.com - DIRECT/17.149.160.10 text/html
>
> It displays the page correctly in the command shell which tells me the ACL is working, at least from localhost. I cannot get anything across the network.

squidclient will retrieve only the exact supplied URL, it's far from meaning that page would show. As I told, the page can reference other addresses and those different addresses can be blocked by your ACLs.

If you're getting NOTHING from the network clients, then ACLs probably are NOT your problem. If the problem were ACLs, your clients would be getting 'ACCESS DENIED' page, supplied by squid, and TCP_DENIED logged on access.log.

If nothing appears on the logs, then the requests are probably not even reaching your squid. Are the browsers manually configured to access through squid or the requests are being captured by transparent proxy? If they are transparent, maybe your transparent rules aren't working as expected.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My spam trap, do NOT email it: [EMAIL PROTECTED]
Re: [squid-users] Squid ACL Problem
Heaton, Tobias wrote:
> No log entries are appearing from a network machine on the same subnet. The only way I can generate an access.log entry is running the squidclient app w/ the URL:
>
> squidclient http://www.apple.com
>
> access.log:
>
> 247 127.0.0.1 TCP_MISS/200 10226 GET http://www.apple.com - DIRECT/17.149.160.10 text/html
>
> It displays the page correctly in the command shell which tells me the ACL is working, at least from localhost. I cannot get anything across the network.

squidclient will retrieve only the exact supplied URL, it's far from meaning that page would show. As I told, the page can reference other addresses and those different addresses can be blocked by your ACLs.

If you're getting NOTHING from the network clients, then ACLs probably are NOT your problem. If the problem were ACLs, your clients would be getting 'ACCESS DENIED' page, supplied by squid, and TCP_DENIED logged on access.log.

If nothing appears on the logs, then the requests are probably not even reaching your squid. Are the browsers manually configured to access through squid or the requests are being captured by transparent proxy? If they are transparent, maybe your transparent rules aren't working as expected.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My spam trap, do NOT email it: [EMAIL PROTECTED]
RE: [squid-users] Squid ACL Problem
No log entries are appearing from a network machine on the same subnet. The only way I can generate an access.log entry is running the squidclient app w/ the URL:

squidclient http://www.apple.com

access.log:

247 127.0.0.1 TCP_MISS/200 10226 GET http://www.apple.com - DIRECT/17.149.160.10 text/html

It displays the page correctly in the command shell which tells me the ACL is working, at least from localhost. I cannot get anything across the network.

-Original Message-
From: Leonardo Rodrigues Magalhães [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 02, 2007 10:01 AM
To: Heaton, Tobias
Cc: Squid Users
Subject: Re: [squid-users] Squid ACL Problem

Post your DENIED log entries in access.log. Most probably apple.com site is using other domains different than apple.com. So, despite apple.com is allowed, those others are denied and the page cannot be accessed.

Post your DENIED logs please.

Heaton, Tobias wrote:
> The 'microsoft' ACLS are working fine - 'macintosh' is not:
>
> acl microsoft dstdomain .microsoft.com
> acl macintosh dstdomain .apple.com
> acl all src 0.0.0.0/0.0.0.0
>
> http_access allow microsoft
> http_access allow macintosh
> http_access deny all

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My spam trap, do NOT email it: [EMAIL PROTECTED]
Re: [squid-users] Squid ACL Problem
Post your DENIED log entries in access.log. Most probably apple.com site is using other domains different than apple.com. So, despite apple.com is allowed, those others are denied and the page cannot be accessed.

Post your DENIED logs please.

Heaton, Tobias wrote:
> The 'microsoft' ACLS are working fine - 'macintosh' is not:
>
> acl microsoft dstdomain .microsoft.com
> acl macintosh dstdomain .apple.com
> acl all src 0.0.0.0/0.0.0.0
>
> http_access allow microsoft
> http_access allow macintosh
> http_access deny all

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My spam trap, do NOT email it: [EMAIL PROTECTED]
RE: [squid-users] Squid ACL Problem
The 'microsoft' ACLS are working fine - 'macintosh' is not:

acl microsoft dstdomain .microsoft.com
acl macintosh dstdomain .apple.com
acl all src 0.0.0.0/0.0.0.0

http_access allow microsoft
http_access allow macintosh
http_access deny all

-Original Message-
From: Tek Bahadur Limbu [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 02, 2007 9:25 AM
To: Heaton, Tobias
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid ACL Problem

Heaton, Tobias wrote:
> Hello - I hope I'm writing to the correct place!
>
> I have Squid running on RHAS4 and it has been running perfectly for some time. I added some new ACLs and http_access protocols mirroring exactly what existed. I then reconfigured the squid client and even restarted the machine itself, and I absolutely cannot get the ACLs to work! There is no information appearing in the access.log or cache.log - I can't find any trace of a machine even hitting those sites.

Hi Heaton,

Without seeing those ACLs you added, it will be very hard and difficult for us to diagnose your problem.

> Any help would be greatly appreciated!!!

--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
Re: [squid-users] Squid ACL Problem
Heaton, Tobias wrote:
> Hello - I hope I'm writing to the correct place!
>
> I have Squid running on RHAS4 and it has been running perfectly for some time. I added some new ACLs and http_access protocols mirroring exactly what existed. I then reconfigured the squid client and even restarted the machine itself, and I absolutely cannot get the ACLs to work! There is no information appearing in the access.log or cache.log - I can't find any trace of a machine even hitting those sites.

Hi Heaton,

Without seeing those ACLs you added, it will be very hard and difficult for us to diagnose your problem.

> Any help would be greatly appreciated!!!

--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
[squid-users] Squid ACL Problem
Hello - I hope I'm writing to the correct place!

I have Squid running on RHAS4 and it has been running perfectly for some time. I added some new ACLs and http_access protocols mirroring exactly what existed. I then reconfigured the squid client and even restarted the machine itself, and I absolutely cannot get the ACLs to work! There is no information appearing in the access.log or cache.log - I can't find any trace of a machine even hitting those sites.

Any help would be greatly appreciated!!!
RE: [squid-users] Squid ACL
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 06 July 2007 00:22
> To: Christian Vallant
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid ACL
>
>> Hello,
>>
>> I need to solve the following problem.
>> I have an ldap-server, which I use to authenticate the user.
>> If the user is in the group, he has access to the group A. If the authentication fails, he has access to the group B.
>>
>> Can anyone tell me, how I can solve this problem.
>>
>> I already have an authentication, but the problem is, that if the user tries to authenticate, but he has no rights, the authentication-window comes again and again. But the user has to be in the group to_domains_without_auth and the other domains should be blocked.
>>
>> So, the relevant code looks like:
>>
>> auth_param basic program /etc/squid/ldapauth.pl
>> acl for_inetusers proxy_auth REQUIRED
>>
>> acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"
>>
>> Can anyone help me?
>
> Check the order of http_access * lines in your squid.conf.
> They are processed in order, and for_inetusers needs to be preceded by any ACL that allow people through without Auth.
>
> For example:
>
> http_access allow anybody_without_auth
> http_access allow for_inetusers
> http_access deny all
>
> Amos

Remember for rules to work effectively, at least one of them has to be true. I suspect this is why your authentication window keeps popping up. For example if someone isn't in the inetusers group, the result of the line

http_access allow for_inetusers

will be false and it will move on to the next line. You need the users to match a deny rule to stop the request being processed and output a squid error page to the user. The deny all rule should suffice.

Hope this makes sense.
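To make the ordering argument concrete, here is an added Python model of how Squid walks http_access lines (example code, not Squid's own logic and not from the thread). It assumes a simplified proxy_auth: a request with no usable credentials triggers a 407 challenge the moment that ACL is evaluated, and the domain list stands in for Christian's dst_noauth.acl file.

```python
# Added example, not from the thread: a small Python model of Squid's http_access
# evaluation, showing why Amos's ordering stops the login window from repeating.
# Lines are tried top to bottom; the first line whose ACLs all match decides.
# When a proxy_auth ACL is evaluated for a request without (valid) credentials,
# Squid answers 407 and the browser shows the login window; the model returns
# "CHALLENGE" for that. If no line matches, Squid applies the opposite of the
# last line's action. The ACL semantics here are simplified assumptions.


class NeedAuth(Exception):
    """Raised by proxy_auth when the request carries no usable credentials."""


# Constructed stand-in for the contents of dst_noauth.acl in Christian's config.
DOMAINS_WITHOUT_AUTH = {"intranet.example", "updates.example"}


def acl_to_domains_without_auth(req):
    """dstdomain: true for hosts listed in the no-auth file."""
    return req["host"].lower() in DOMAINS_WITHOUT_AUTH


def acl_for_inetusers(req):
    """proxy_auth REQUIRED: any authenticated user matches; otherwise challenge."""
    if req.get("user") is None:
        raise NeedAuth()
    return True


def acl_all(req):
    return True


def http_access(rules, req):
    """rules: list of (action, [acl, ...]); returns 'allow', 'deny' or 'CHALLENGE'."""
    for action, acls in rules:
        try:
            if all(acl(req) for acl in acls):
                return action
        except NeedAuth:
            return "CHALLENGE"
    last_action = rules[-1][0]
    return "deny" if last_action == "allow" else "allow"


# The order that produces the symptom: the auth line is reached first, so even a
# request for a no-auth domain is challenged.
WRONG_ORDER = [
    ("allow", [acl_for_inetusers]),
    ("allow", [acl_to_domains_without_auth]),
    ("deny", [acl_all]),
]

# The order Amos recommends: no-auth destinations first, then auth, then deny all.
RIGHT_ORDER = [
    ("allow", [acl_to_domains_without_auth]),
    ("allow", [acl_for_inetusers]),
    ("deny", [acl_all]),
]


if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        for req in ({"host": "intranet.example"},
                    {"host": "www.example.com"},
                    {"host": "www.example.com", "user": "christian"}):
            print(name, req, "->", http_access(rules, req))
```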
Re: [squid-users] Squid ACL
> Hello,
>
> I need to solve the following problem.
> I have an ldap-server, which I use to authenticate the user.
> If the user is in the group, he has access to the group A. If the authentication fails, he has access to the group B.
>
> Can anyone tell me, how I can solve this problem.
>
> I already have an authentication, but the problem is, that if the user tries to authenticate, but he has no rights, the authentication-window comes again and again. But the user has to be in the group to_domains_without_auth and the other domains should be blocked.
>
> So, the relevant code looks like:
>
> auth_param basic program /etc/squid/ldapauth.pl
> acl for_inetusers proxy_auth REQUIRED
>
> acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"
>
> Can anyone help me?

Check the order of http_access * lines in your squid.conf.
They are processed in order, and for_inetusers needs to be preceded by any ACL that allow people through without Auth.

For example:

http_access allow anybody_without_auth
http_access allow for_inetusers
http_access deny all

Amos
[squid-users] Squid ACL
Hello,

I need to solve the following problem.
I have an ldap-server, which I use to authenticate the user.
If the user is in the group, he has access to the group A. If the authentication fails, he has access to the group B.

Can anyone tell me, how I can solve this problem.

I already have an authentication, but the problem is, that if the user tries to authenticate, but he has no rights, the authentication-window comes again and again. But the user has to be in the group to_domains_without_auth and the other domains should be blocked.

So, the relevant code looks like:

auth_param basic program /etc/squid/ldapauth.pl
acl for_inetusers proxy_auth REQUIRED

acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"

Can anyone help me?

Best regards
Christian
Re: [squid-users] Squid ACL settings
[EMAIL PROTECTED] wrote:
> Hello,
> I would like to setup squid this way.
> All client from internal network(172.16.0.0) could reach external server 15.14.13.12 on all port.
> Many thanks.

acl clients src 172.16.0.0/16
acl server dst 15.14.13.12
http_access allow clients server

Proper placement in the squid.conf is left as an exercise for the reader. Also, be aware that Squid is STRICTLY an HTTP proxy (with a dash of FTP).

Chris
[squid-users] Squid ACL settings
Hello,
I would like to setup squid this way.
All client from internal network(172.16.0.0) could reach external server 15.14.13.12 on all port.
Many thanks.
RE: [squid-users] Squid ACL (Is this Possible)
On Wed 2006-09-20 at 11:28 +0100, Mehmet, Levent (Accenture) wrote:
> Thanks
>
> Please can you explain what this line means with its characters:
>
> acl NWW dstdom_regex \.?nww\.

maybe a dot followed by nww followed by a dot, anywhere in the hostname component of the requested URL.

Probably this is not what was intended as "maybe a dot" is always true.. even in somethingnww.example.com.

I think the intended pattern more likely is

(^|\.)nww\.

which matches hostnames beginning with nww. or having .nww. anywhere in their name.

Regards
Henrik
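An added Python model (example code, not from the thread and not Squid's own matching) of the two dstdom_regex patterns Henrik compares, combined with the cache_peer_access rules Chris Robertson proposes further down this thread, run over the hostnames the thread discusses. It assumes dstdom_regex behaves like an unanchored POSIX regex search on the request host, that dstdomain ".nhs.uk" matches nhs.uk and all of its subdomains, and that host comparison is case-insensitive.

```python
import re

# Added example, not from the thread: model the loose pattern "\.?nww\." against
# Henrik's "(^|\.)nww\." and show where the peer rules
#   cache_peer_access 3.3.3.3 allow NHS
#   cache_peer_access 3.3.3.3 allow NWW
#   never_direct allow NWW
# send each host. Case-insensitive matching is an assumption of this model.

CHRIS_NWW = re.compile(r"\.?nww\.", re.IGNORECASE)      # pattern as first suggested
HENRIK_NWW = re.compile(r"(^|\.)nww\.", re.IGNORECASE)  # Henrik's corrected pattern


def dstdomain_match(host, pattern):
    """Squid dstdomain: '.example' matches example and *.example; a bare name matches exactly."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_nhs(host):
    """acl NHS dstdomain .nhs.uk"""
    return dstdomain_match(host, ".nhs.uk")


def acl_nww(host, regex=HENRIK_NWW):
    """acl NWW dstdom_regex <pattern>: unanchored search over the host."""
    return regex.search(host) is not None


def route(host, regex=HENRIK_NWW):
    """Where the peer rules send a request: the 3.3.3.3 peer or DIRECT."""
    if acl_nhs(host) or acl_nww(host, regex):
        return "peer 3.3.3.3"
    return "DIRECT"


def false_positives(hosts):
    """Hosts the loose pattern would send to the peer that the corrected one would not."""
    return [h for h in hosts if acl_nww(h, CHRIS_NWW) and not acl_nww(h, HENRIK_NWW)]


if __name__ == "__main__":
    sample = ["nww.nhs.uk", "www.nhs.uk", "nww.nhsmessaging.co.uk",
              "www.pasa.nhs.uk", "somethingnww.example.com", "www.example.com"]
    for h in sample:
        print(f"{h:28} loose={acl_nww(h, CHRIS_NWW)!s:5} strict={acl_nww(h)!s:5} -> {route(h)}")
    print("false positives of the loose pattern:", false_positives(sample))
```

Note that www.nhs.uk and www.pasa.nhs.uk go to the peer under either pattern because the NHS dstdomain rule matches them; that is the conflict Levent describes, and the regex correction alone does not change it.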
RE: [squid-users] Squid ACL (Is this Possible)
Hi

This config you have suggested we use may not be able to support what we like:

How would this access-list cope with a website like this: http://nww.nhsmessaging.co.uk/ or www.nhs.uk - this should go direct but nww.nhs.uk needs to go to peer

acl NWW dstdom_regex \.?nww\.
acl NHS dstdomain .nhs.uk

cache_peer_access 3.3.3.3 allow NHS
cache_peer_access 3.3.3.3 allow NWW
never_direct allow NWW

-Original Message-
From: Chris Robertson [mailto:[EMAIL PROTECTED]
Sent: 19 September 2006 19:56
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid ACL (Is this Possible)

Mehmet, Levent (Accenture) wrote:
> All
>
> I currently have a setup which sends different domains to different Cache_peers. This has been working fine with the below config.:
>
> cache_peer 1.1.1.1 parent 80 80 no-query
> cache_peer 2.2.2.2 parent 80 80 no-query
> cache_peer 3.3.3.3 parent 3128 3130 no-query
>
> cache_peer_domain 3.3.3.3 parent nww. .nhs.uk

Hmmm... I don't think that text followed by a dot is valid syntax for cache_peer_domain or dstdomain. I'd advise making a dstdom_regex acl and using cache_peer_access for this peer. Something like...

acl NWW dstdom_regex \.?nww\.
acl NHS dstdomain .nhs.uk

cache_peer_access 3.3.3.3 allow NHS
cache_peer_access 3.3.3.3 allow NWW
never_direct allow NWW

...in addition to the other rules you have listed.

> cache_peer_domain 1.1.1.1 parent .gsi.gov.uk
> cache_peer_domain 2.2.2.2 parent .gsi.gov.uk
>
> acl NHS dstdomain nww. .nhs.uk

Obviously, this ACL should be adjusted as shown above.

> acl GSI dstdomain .gsi.gov.uk
>
> cache_peer_access 3.3.3.3 allow NHS
> cache_peer_access 1.1.1.1 allow GSI
>
> never_direct allow NHS
> never_direct allow GSI
>
> When trying to access http://nww.nhs.uk this goes via the correct path of 3.3.3.3, but our clients now wish to access the following websites, which cause a conflict: http://nww.nhsmessaging.co.uk/ Web sites like this cause me an issue because of the .co.uk which tries to go direct and nww tries to go via 3.3.3.3, also with http://www.pasa.nhs.uk/cat_default.asp www. Go direct and the nhs.uk tries to go via 3.3.3.3. This is a major show stopper for the company. Is there a way around this as we need to send all nww down 3.3.3.3
>
> Thanks
>
> Levent Mehmet
> Network Analyst
> Server and Network Team
> [EMAIL PROTECTED] Operate Unit
> Market Towers, 20th Floor
> 1 Nine Elms Lane
> London
> SW8 5NQ
>
> E-mail: [EMAIL PROTECTED]
> Phone: +44 20 7084 3517
> Fax: +44 20 7084 2536

Chris
RE: [squid-users] Squid ACL (Is this Possible)
Thanks. Please can you explain what this line means with its characters:

  acl NWW dstdom_regex \.?nww\.

Sorry, how should this be done: "Obviously, this ACL should be adjusted as shown above"?

Thanks again

-----Original Message-----
From: Chris Robertson [mailto:[EMAIL PROTECTED]
Sent: 19 September 2006 19:56
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid ACL (Is this Possible)

Mehmet, Levent (Accenture) wrote:
> All
>
> I currently have a setup which sends different domains to different
> Cache_peers. This has been working fine with the config below:
>
> cache_peer 1.1.1.1 parent 80 80 no-query
> cache_peer 2.2.2.2 parent 80 80 no-query
> cache_peer 3.3.3.3 parent 3128 3130 no-query
>
> cache_peer_domain 3.3.3.3 parent nww. .nhs.uk
>
Hmmm... I don't think that text followed by a dot is valid syntax for
cache_peer_domain or dstdomain. I'd advise making a dstdom_regex acl and
using cache_peer_access for this peer. Something like...

  acl NWW dstdom_regex \.?nww\.
  acl NHS dstdomain .nhs.uk
  cache_peer_access 3.3.3.3 allow NHS
  cache_peer_access 3.3.3.3 allow NWW
  never_direct allow NWW

...in addition to the other rules you have listed.

> cache_peer_domain 1.1.1.1 parent .gsi.gov.uk
> cache_peer_domain 2.2.2.2 parent .gsi.gov.uk
>
> acl NHS dstdomain nww. .nhs.uk
>
Obviously, this ACL should be adjusted as shown above.

> acl GSI dstdomain .gsi.gov.uk
>
> cache_peer_access 3.3.3.3 allow NHS
> cache_peer_access 1.1.1.1 allow GSI
>
> never_direct allow NHS
> never_direct allow GSI
>
> When trying to access http://nww.nhs.uk this goes via the correct path
> of 3.3.3.3, but our clients now wish to access the following websites,
> which cause a conflict: http://nww.nhsmessaging.co.uk/ Web sites like
> this cause me an issue because of the .co.uk, which tries to go direct,
> and nww tries to go via 3.3.3.3; also with
> http://www.pasa.nhs.uk/cat_default.asp www. goes direct and the nhs.uk
> tries to go via 3.3.3.3. This is a major show stopper for the company.
> Is there a way around this, as we need to send all nww down 3.3.3.3?
>
> Thanks
>
> Levent Mehmet
> Network Analyst
> Server and Network Team
> [EMAIL PROTECTED] Operate Unit
> Market Towers, 20th Floor
> 1 Nine Elms Lane
> London
> SW8 5NQ
>
> E-mail: [EMAIL PROTECTED]
> Phone: +44 20 7084 3517
> Fax: +44 20 7084 2536

Chris
Re: [squid-users] Squid ACL (Is this Possible)
Mehmet, Levent (Accenture) wrote:
> All
>
> I currently have a setup which sends different domains to different
> Cache_peers. This has been working fine with the config below:
>
> cache_peer 1.1.1.1 parent 80 80 no-query
> cache_peer 2.2.2.2 parent 80 80 no-query
> cache_peer 3.3.3.3 parent 3128 3130 no-query
>
> cache_peer_domain 3.3.3.3 parent nww. .nhs.uk
>
Hmmm... I don't think that text followed by a dot is valid syntax for
cache_peer_domain or dstdomain. I'd advise making a dstdom_regex acl and
using cache_peer_access for this peer. Something like...

  acl NWW dstdom_regex \.?nww\.
  acl NHS dstdomain .nhs.uk
  cache_peer_access 3.3.3.3 allow NHS
  cache_peer_access 3.3.3.3 allow NWW
  never_direct allow NWW

...in addition to the other rules you have listed.

> cache_peer_domain 1.1.1.1 parent .gsi.gov.uk
> cache_peer_domain 2.2.2.2 parent .gsi.gov.uk
>
> acl NHS dstdomain nww. .nhs.uk
>
Obviously, this ACL should be adjusted as shown above.

> acl GSI dstdomain .gsi.gov.uk
>
> cache_peer_access 3.3.3.3 allow NHS
> cache_peer_access 1.1.1.1 allow GSI
>
> never_direct allow NHS
> never_direct allow GSI
>
> When trying to access http://nww.nhs.uk this goes via the correct path
> of 3.3.3.3, but our clients now wish to access the following websites,
> which cause a conflict: http://nww.nhsmessaging.co.uk/ Web sites like
> this cause me an issue because of the .co.uk, which tries to go direct,
> and nww tries to go via 3.3.3.3; also with
> http://www.pasa.nhs.uk/cat_default.asp www. goes direct and the nhs.uk
> tries to go via 3.3.3.3. This is a major show stopper for the company.
> Is there a way around this, as we need to send all nww down 3.3.3.3?
>
> Thanks
>
> Levent Mehmet
> Network Analyst
> Server and Network Team
> [EMAIL PROTECTED] Operate Unit
> Market Towers, 20th Floor
> 1 Nine Elms Lane
> London
> SW8 5NQ
>
> E-mail: [EMAIL PROTECTED]
> Phone: +44 20 7084 3517
> Fax: +44 20 7084 2536

Chris
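As an added illustration of the dstdomain versus dstdom_regex point in Chris's reply (example code written for this page, not Chris's and not Squid's), this Python model matches the thread's host names against Levent's ACL value and against Chris's replacement. The matching rules follow Squid's documented semantics for the two ACL types, and the sample hosts are constructed:

```python
# Added example: a small model of how Squid's dstdomain and dstdom_regex
# ACL types match a request host, used to compare Levent's original
# "nww. .nhs.uk" value with Chris's regex.  Not Squid code.
import re


def dstdomain_matches(value: str, host: str) -> bool:
    """Model of one dstdomain value (domain names compare case-insensitively).

    A value with a leading dot matches that domain and every host under it;
    a value without one must equal the whole host name.  A bare "nww." is
    therefore only an exact match for a host literally called "nww.", which
    never occurs.  Squid itself complains about such a value, so this model
    cannot reproduce whatever Squid did with Levent's broken line (he
    reports www.pasa.nhs.uk going direct); it only matches literally.
    """
    host = host.lower().rstrip(".")
    value = value.lower()
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value


def dstdom_regex_matches(pattern: str, host: str) -> bool:
    """Model of dstdom_regex: an unanchored regex search over the host name.
    Squid regex ACLs are case-sensitive unless given the -i flag, and Chris's
    ACL has no flag, so the model is case-sensitive too."""
    return re.search(pattern, host) is not None


# Levent's ACL as posted: two dstdomain values on one line.
ORIGINAL_NHS = ["nww.", ".nhs.uk"]

# Chris's replacement: a dstdomain for the NHS zone plus a regex for any
# host whose name contains the label "nww" followed by a dot.
SUGGESTED_NHS = [".nhs.uk"]
SUGGESTED_NWW = r"\.?nww\."


def original_sends_to_peer(host: str) -> bool:
    """cache_peer_access 3.3.3.3 allow NHS, with Levent's NHS acl."""
    return any(dstdomain_matches(v, host) for v in ORIGINAL_NHS)


def suggested_sends_to_peer(host: str) -> bool:
    """cache_peer_access 3.3.3.3 allow NHS / allow NWW, with Chris's acls."""
    return (any(dstdomain_matches(v, host) for v in SUGGESTED_NHS)
            or dstdom_regex_matches(SUGGESTED_NWW, host))


# Constructed sample hosts: the three from the thread plus two that probe
# the edges of the regex.  It is unanchored, so "xnww.example.com" also
# matches; anchoring it as ^nww\. would restrict it to the first label.
SAMPLE_HOSTS = [
    "nww.nhs.uk",
    "nww.nhsmessaging.co.uk",
    "www.pasa.nhs.uk",
    "www.bbc.co.uk",
    "xnww.example.com",
]


def compare(hosts=SAMPLE_HOSTS) -> dict:
    """Map each host to (original sends to 3.3.3.3, suggested sends to 3.3.3.3)."""
    return {h: (original_sends_to_peer(h), suggested_sends_to_peer(h)) for h in hosts}


if __name__ == "__main__":
    for host, (orig, sugg) in compare().items():
        print(f"{host:26s} original->3.3.3.3: {orig!s:5s}  suggested->3.3.3.3: {sugg}")
```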
[squid-users] Squid ACL (Is this Possible)
All

I currently have a setup which sends different domains to different Cache_peers. This has been working fine with the config below:

  cache_peer 1.1.1.1 parent 80 80 no-query
  cache_peer 2.2.2.2 parent 80 80 no-query
  cache_peer 3.3.3.3 parent 3128 3130 no-query

  cache_peer_domain 3.3.3.3 parent nww. .nhs.uk
  cache_peer_domain 1.1.1.1 parent .gsi.gov.uk
  cache_peer_domain 2.2.2.2 parent .gsi.gov.uk

  acl NHS dstdomain nww. .nhs.uk
  acl GSI dstdomain .gsi.gov.uk

  cache_peer_access 3.3.3.3 allow NHS
  cache_peer_access 1.1.1.1 allow GSI

  never_direct allow NHS
  never_direct allow GSI

When trying to access http://nww.nhs.uk this goes via the correct path of 3.3.3.3, but our clients now wish to access the following websites, which cause a conflict: http://nww.nhsmessaging.co.uk/ Web sites like this cause me an issue because of the .co.uk, which tries to go direct, and nww tries to go via 3.3.3.3; also with http://www.pasa.nhs.uk/cat_default.asp www. goes direct and the nhs.uk tries to go via 3.3.3.3. This is a major show stopper for the company. Is there a way around this, as we need to send all nww down 3.3.3.3?

Thanks

Levent Mehmet
Network Analyst
Server and Network Team
[EMAIL PROTECTED] Operate Unit
Market Towers, 20th Floor
1 Nine Elms Lane
London
SW8 5NQ

E-mail: [EMAIL PROTECTED]
Phone: +44 20 7084 3517
Fax: +44 20 7084 2536
Re: [squid-users] Squid acl containing hostnames issue
* Jason Bassett <[EMAIL PROTECTED]> wrote:
>
> I am therefore looking for the easiest and most time effective method
> of blocking rooms when required. Hostnames seemed to be the best way.
>
> Any ideas on this issue?

Restricting access on a per-user basis can also be done... just install an ident daemon with your netlogon script and forbid / allow access based on them. Ident daemons are available for most (all?) operating systems...

I have written a redirector, where you can allow / disallow access to users / hosts per web interface on-the-fly ... maybe that's also a point :)

See http://www.mcmilk.de/projects/squidwall/ for more information about the redirector.

--
regards, TR
Re: [squid-users] Squid acl containing hostnames issue
Jason Bassett wrote:
> Hello
>
> I work in a secondary school with 5 IT suites, each with 20-30 computers.
> I have created an acl for each room containing the hostnames of the
> machines; for example, an acl called R32 for room 32 contains:
>
> R32001
> R32002
> ...
> R32030
>
> If I set this acl to deny, not all machines are denied access, only a
> random group within the room.
>
> I originally ran a GNU/Linux dhcp server to allocate static IPs to all
> network machines and then created acl's based on the IP ranges of
> machines in each room. This worked perfectly, but now Research Machines,
> who "support" us, have demanded I remove the GNU/Linux dhcp server,
> otherwise they will not "support" our installation.
>
> I am therefore looking for the easiest and most time effective method
> of blocking rooms when required. Hostnames seemed to be the best way.
>
> Any ideas on this issue?
>
> Thanks
> Jason

How are IP addresses going to be supplied? Static assignment? Or is a Windows server going to be providing DHCP (can you just have the Windows server supply the DHCP reservations)?

How is the network set up? Could each room be set up on its own subnet (most gateways support DHCP pass-through)?

Another alternative:

1. Assign your Squid server an IP address for each room (e.g. 192.168.0.32, 192.168.0.33, etc).
2. Have each room use its "assigned" IP for proxy (Room 32 uses 192.168.0.32:3128 for proxy).
3. Use "acl myip 192.168.0.32/32" to prevent access.

Chris
[squid-users] Squid acl containing hostnames issue
Hello

I work in a secondary school with 5 IT suites, each with 20-30 computers. I have created an acl for each room containing the hostnames of the machines; for example, an acl called R32 for room 32 contains:

  R32001
  R32002
  ...
  R32030

If I set this acl to deny, not all machines are denied access, only a random group within the room.

I originally ran a GNU/Linux dhcp server to allocate static IPs to all network machines and then created acl's based on the IP ranges of machines in each room. This worked perfectly, but now Research Machines, who "support" us, have demanded I remove the GNU/Linux dhcp server, otherwise they will not "support" our installation.

I am therefore looking for the easiest and most time effective method of blocking rooms when required. Hostnames seemed to be the best way.

Any ideas on this issue?

Thanks
Jason
RE: [squid-users] squid acl dhcp
We use NTLM Authentication here. The rules that you configure in squid.conf for the most part will only allow or deny access to authenticated users. In other words, either everyone is allowed or everyone is denied.

With squidGuard you can build an acl based on the option "userlist". Userlist points to a local file with a username on each line. You can then allow/deny based on that list.

What I do, using the samba "net ads/rpc" tools, is run a query against the domain controller for certain criteria and build a local list of items. For example, say I want everyone in the company to be denied access to a certain website, except members of the HR department. I would run a query against the domain controller for all members in the HR group and build a local file with these names. I then schedule that as a cronjob to run every so often to keep this list up to date. Now I can create a rule that allows only people from HR (located in the local HREmployee file) access to this website.

There are other cool things you can do with the net ads/rpc stuff. My squidGuard redirector urls go to a local php script. This script runs the (exec) command and gives me back results. I've been able to have squidGuard email offenders dynamically when they hit websites they shouldn't have.

- Nick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 7:24 AM
To: Nick Duda
Subject: RE: [squid-users] squid acl dhcp

thanks for your timely answer, however i don't seem to understand this part of your message, could you kindly elaborate: "using net ads ldap searching) you can build custom files of users for processing policies"

Quoting Nick Duda <[EMAIL PROTECTED]>:

> If you're on a domain (AD/NT) look at NTLM authentication. That in
> combination with squidGuard (using net ads ldap searching) you can build
> custom files of users for processing policies.
>
> - Nick
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 14, 2006 7:15 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] squid acl dhcp
>
> I have a LAN with DHCP, and sometimes the ip addresses change; worse
> still, I have many subnets.
> How should I structure my acl's to involve as little administration as
> possible?
>
> Only a privileged few should access the internet.
>
> --
> Peter Collins Wasenda
> Network Administrator
> IT Division, Corporate Services
> Uganda Revenue Authority
> P.O. Box 7279, Kampala
>
> Tel: (041)334474,334535
> Mob: 0752-996477
>
> ---
> This message was sent using IMP, the Internet Messaging Program.
>
> -
> Confidentiality note
> The information in this email and any attachment may contain confidential
> and proprietary information of VistaPrint and/or its affiliates and may be
> privileged or otherwise protected from disclosure. If you are not the
> intended recipient, you are hereby notified that any review, reliance or
> distribution by others or forwarding without express permission is
> strictly prohibited and may cause liability. In case you have received
> this message due to an error in transmission, please notify the sender
> immediately and delete this email and any attachment from your system.
> -

--
Peter Collins Wasenda
Network Administrator
IT Division, Corporate Services
Uganda Revenue Authority
P.O. Box 7279, Kampala

Tel: (041)334474,334535
Mob: 0752-996477
Mail: [EMAIL PROTECTED]

---
This message was sent using IMP, the Internet Messaging Program.
Re: [squid-users] squid acl dhcp
* On 14/03/06 15:14 +0300, [EMAIL PROTECTED] wrote:
| I have a LAN with DHCP, and sometimes the ip addresses change; worse
| still, I have many subnets.
| How should I structure my acl's to involve as little administration as
| possible?
|
| Only a privileged few should access the internet.

Use an authentication scheme not based on IPs!

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
Odhiambo Washington <[EMAIL PROTECTED]>
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121
Re: [squid-users] squid acl dhcp
On Tue 2006-03-14 at 15:14 +0300, [EMAIL PROTECTED] wrote:
> I have a LAN with DHCP, and sometimes the ip addresses change; worse
> still, I have many subnets.
> How should I structure my acl's to involve as little administration as
> possible?

Use authentication.

Regards
Henrik
RE: [squid-users] squid acl dhcp
If you're on a domain (AD/NT) look at NTLM authentication. That in combination with squidGuard (using net ads ldap searching) you can build custom files of users for processing policies.

- Nick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 7:15 AM
To: squid-users@squid-cache.org
Subject: [squid-users] squid acl dhcp

I have a LAN with DHCP, and sometimes the ip addresses change; worse still, I have many subnets. How should I structure my acl's to involve as little administration as possible?

Only a privileged few should access the internet.

--
Peter Collins Wasenda
Network Administrator
IT Division, Corporate Services
Uganda Revenue Authority
P.O. Box 7279, Kampala

Tel: (041)334474,334535
Mob: 0752-996477

---
This message was sent using IMP, the Internet Messaging Program.
[squid-users] squid acl dhcp
I have a LAN with DHCP, and sometimes the ip addresses change; worse still, I have many subnets. How should I structure my acl's to involve as little administration as possible?

Only a privileged few should access the internet.

--
Peter Collins Wasenda
Network Administrator
IT Division, Corporate Services
Uganda Revenue Authority
P.O. Box 7279, Kampala

Tel: (041)334474,334535
Mob: 0752-996477

---
This message was sent using IMP, the Internet Messaging Program.
[squid-users] Squid ACL as per User name / Group Name
Dear Squid Enlightened,

I was looking for a way by which I could filter the content as per the group.

Example: I have a group named Text, and one named Graphics. The users belonging to the Text group must be able to view only the text of any website, i.e. all the Graphics and Flash get restricted for these users. On the other hand, the users belonging to the Graphics group must be able to view the Graphics and the text content of any website they visit.

I am using pam_auth for authentication. Is there a way to do this with an ACL list?

Would appreciate any help or pointers to achieve the above.

--
With Best Regards,
Vishal Kashyap.
Lead Software Developer,
http://saihertz.com, http://vishalkashyap.tk
Re: [squid-users] Squid ACL [url_regex] bypass vulnerability
On Tue, 15 Feb 2005, Yong Bong Fong wrote:

> A bug in Squid allows users to bypass certain access controls by
> passing a URL containing "%00" which exploits the Squid decoding
> function.

See http://www.squid-cache.org/Advisories/SQUID-2004_1.txt for details of this old vulnerability.

> Does it mean that any url containing the symbol "%" will not work with
> url_regex?

url_regex normalizes the URL; if not, it would be trivial to bypass by just %nn encoding sensitive parts. As a side effect, matching % is not easy.

Regards
Henrik
[squid-users] Squid ACL [url_regex] bypass vulnerability
Dear all,

I read from http://esikker.dk/vul_14462.php, which says that:

  A bug in Squid allows users to bypass certain access controls by passing a URL containing "%00" which exploits the Squid decoding function. This may insert a NUL character into decoded URLs, which may allow users to bypass url_regex access control lists that are enforced upon them. In such a scenario, Squid will insert a NUL character after the "%00" and it will make a comparison between the URL to the end of the NUL character rather than the contents after it: the comparison does not result in a match, and the user's request is not denied.

Does it mean that any url containing the symbol "%" will not work with url_regex? I ask this because whenever I configure my url_regex to detect % it never does so. And then I read about the above from some website. Not sure if I am right in my understanding of the above article. Please help me with that; thanks a million for helping.
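To make concrete both Henrik's answer (url_regex is applied to the normalized URL, so a pattern of % does not see the % of an escape) and the NUL truncation the advisory text quoted above describes, here is an added Python model. It is not Squid code and not from either post; the blocklist pattern, the sample URLs and the "reject a decoded NUL" hardening are constructed for this page:

```python
# Added example (not Squid source): a model of a URL filter that decodes
# before matching, the truncation that SQUID-2004:1 describes, and the
# hardened comparison a filter needs instead.
import re
from urllib.parse import unquote_to_bytes


def normalize(url: str) -> bytes:
    """Percent-decode once, as a URL filter must before pattern matching,
    so that "%62locked" and "blocked" compare equal.  Bytes are returned
    because the decoded data may contain NUL or non-UTF-8 octets."""
    return unquote_to_bytes(url)


def match_c_string(pattern: bytes, decoded: bytes) -> bool:
    """The flawed behaviour the advisory describes, simulated: a regex run
    over a NUL-terminated C string only ever sees the bytes before the
    first NUL, so whatever follows a decoded "%00" is invisible to it."""
    visible = decoded.split(b"\x00", 1)[0]
    return re.search(pattern, visible) is not None


def match_full(pattern: bytes, decoded: bytes) -> bool:
    """Length-aware matching over the whole decoded buffer."""
    return re.search(pattern, decoded) is not None


def url_regex_denies(pattern: bytes, url: str, reject_nul: bool = True) -> bool:
    """Model of 'http_access deny <url_regex acl>' with a hardened decoder:
    decode, then either refuse any URL that decodes to a NUL (a NUL is
    never legitimate in an HTTP URL, so treating it as a deny is safe)
    or, if that policy is switched off, match over the full buffer."""
    decoded = normalize(url)
    if reject_nul and b"\x00" in decoded:
        return True
    return match_full(pattern, decoded)


def percent_regex_matches(url: str) -> bool:
    """Henrik's side effect: a url_regex of '%' is applied after decoding,
    so it does not see the '%' of an escape such as %41 (which became 'A');
    only a URL carrying a literal percent sign, sent as %25, still matches."""
    return match_full(rb"%", normalize(url))


# Constructed blocklist pattern and sample URLs.
BLOCK = rb"blocked\.example"
URLS = {
    "plain":   "http://blocked.example/page",
    "encoded": "http://%62locked.example/page",      # %62 decodes to 'b'
    "nul":     "http://%00x/blocked.example/page",   # decoded NUL precedes the host text
}


def evaluate(urls=URLS) -> dict:
    """For each sample: (denied by the NUL-truncating matcher,
    denied by the hardened matcher)."""
    return {name: (match_c_string(BLOCK, normalize(u)), url_regex_denies(BLOCK, u))
            for name, u in urls.items()}


if __name__ == "__main__":
    for name, (flawed, hardened) in evaluate().items():
        print(f"{name:8s} flawed-denies={flawed!s:5s} hardened-denies={hardened}")
    print("'%' regex sees http://h/%41 :", percent_regex_matches("http://h/%41"))
    print("'%' regex sees http://h/100%25:", percent_regex_matches("http://h/100%25"))
```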
Re: [squid-users] SQUID- ACL for different time frame for different block of IP addresses.
Hi Thomas

I am not familiar too, but I write my acl-s differently: I deny every traffic I don't want to have. The "http_access allow Safe_ports" ... allows everything, I think. The restrictions I would write:

  acl time1 time 08:00-10:00
  acl time2 time 10:00-12:00
  http_access deny slot1_ip !time1
  http_access deny slot2_ip !time2

Alexander

--- thomas <[EMAIL PROTECTED]> wrote:
> Dear All
> Requirement has arisen to provide access to a group of machines
> categorized based on IP address.
>
> ACL created is as follows:-
>
> acl fulltime_ip 10.10.10.40-10.10.10.254
> acl slot1_ip src 10.10.10.25 10.10.10.30 10.10.10.35
> acl slot1_time time 08:00-10:00
> acl slot2_ip src 10.10.10.39 10.10.10.40 10.10.10.41
> acl slot2_time time 10:00-12:00
> acl CONNECT method CONNECT
> acl ncsa_users proxy_auth REQUIRED
>
> HTTP_ACCESS statements are as follows:-
>
> http_access allow localhost
> http_access allow ncsa_users
> http_access allow slot1_ip slot1_time
> http_access allow slot2_ip slot2_time
> http_access allow fulltime_ip
> http_access allow Safe_ports
> http_reply_access allow all
> icp_access allow all
> miss_access allow all
> http_access allow SSL_ports
> http_access deny all
>
> Q1= With above ACL and http_access, machines are not getting denied
> though they are supposed to be denied apart from their specified time
> slot.
>
> Q2= Is the http_access sequence OK? If not, what should it be?
>
> Q3= Please suggest a better way of doing the same?
>
> Q4= Similar to the http_access sequence, should I have to take care of
> acl statement sequence too?
>
> TIA
RE: [squid-users] SQUID- ACL for different time frame for different block of IP addresses.
> -----Original Message-----
> From: thomas [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 08, 2005 8:16 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] SQUID- ACL for different time frame for different
> block of IP addresses.
>
> Dear All
> Requirement has arisen to provide access to a group of machines
> categorized based on IP address.
>
> ACL created is as follows:-
>
> acl fulltime_ip 10.10.10.40-10.10.10.254
> acl slot1_ip src 10.10.10.25 10.10.10.30 10.10.10.35
> acl slot1_time time 08:00-10:00
> acl slot2_ip src 10.10.10.39 10.10.10.40 10.10.10.41
> acl slot2_time time 10:00-12:00
> acl CONNECT method CONNECT
> acl ncsa_users proxy_auth REQUIRED
>
> HTTP_ACCESS statements are as follows:-
>
> http_access allow localhost
> http_access allow ncsa_users
  ^ All authenticated users (no matter the IP or the time, source or destination) are allowed access
> http_access allow slot1_ip slot1_time
> http_access allow slot2_ip slot2_time
> http_access allow fulltime_ip
> http_access allow Safe_ports
  ^ Everyone (no matter the IP or the time) is allowed access to Safe_ports
> http_reply_access allow all
> icp_access allow all
> miss_access allow all
> http_access allow SSL_ports
> http_access deny all
>
> Q1= With above ACL and http_access, machines are not getting denied
> though they are supposed to be denied apart from their specified time
> slot.
>
> Q2= Is the http_access sequence OK? If not, what should it be?
>
> Q3= Please suggest a better way of doing the same?
>
> Q4= Similar to the http_access sequence, should I have to take care of
> acl statement sequence too?
>
> TIA

This is probably how you want to do it:

  http_access deny !Safe_ports            # Deny anyone from accessing a "non-safe" port
  http_access deny CONNECT !SSL_ports     # Deny CONNECT requests to non-SSL ports
  http_access deny !ncsa_auth             # Require authentication
  http_access allow localhost             # Allow surfing from the local machine (with authentication)
  http_access allow slot1_ip slot1_time   # Allow slot1 IPs during their time (with authentication)
  http_access allow slot2_ip slot2_time   # Allow slot2 IPs during their time (with authentication)
  http_access allow fulltime_ip           # Allow fulltime IPs anytime (with authentication)
  http_access deny all                    # Just for clarity

icp_access is only useful (to the best of my knowledge) if you have sibling or child caches. http_reply_access only needs to be specifically allowed if you are denying some.

Chris
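An added model (not from the thread and not Squid code) of Squid's first-match walk through http_access lines, run over Thomas's original line order and Chris's reordering. It assumes Chris's "!ncsa_auth" refers to the proxy_auth ACL Thomas named ncsa_users, fills in the stock squid.conf Safe_ports and SSL_ports values that Thomas's post does not show, and uses constructed requests:

```python
# Added example: Squid evaluates http_access lines top to bottom and stops
# at the first line whose ACLs all match.  Only the ACL types the thread
# uses are modelled (src, time, port, method, proxy_auth).  Not Squid code.
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str              # client IP
    port: int             # destination port
    hour: int             # wall-clock hour of the request
    authenticated: bool   # proxy credentials accepted?
    method: str = "GET"


def _ip_in(spec: str, ip: str) -> bool:
    """One src value: a single address, a first-last range, or a CIDR."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


# ACL definitions from Thomas's post.  His fulltime_ip line omits the ACL
# type; it is modelled as src, which the range notation implies.  Safe_ports
# and SSL_ports are the stock squid.conf values (assumption).
ACLS = {
    "localhost":   ("src",        ["127.0.0.1"]),
    "fulltime_ip": ("src",        ["10.10.10.40-10.10.10.254"]),
    "slot1_ip":    ("src",        ["10.10.10.25", "10.10.10.30", "10.10.10.35"]),
    "slot1_time":  ("time",       [(8, 10)]),
    "slot2_ip":    ("src",        ["10.10.10.39", "10.10.10.40", "10.10.10.41"]),
    "slot2_time":  ("time",       [(10, 12)]),
    "CONNECT":     ("method",     ["CONNECT"]),
    "ncsa_users":  ("proxy_auth", ["REQUIRED"]),
    "Safe_ports":  ("port",       [80, 21, 443, 563, 70, 210, 280, 488, 591, 777,
                                   (1025, 65535)]),
    "SSL_ports":   ("port",       [443, 563]),
    "all":         ("src",        ["0.0.0.0/0"]),
}


def acl_matches(name: str, req: Request) -> bool:
    kind, values = ACLS[name]
    if kind == "src":
        return any(_ip_in(v, req.src) for v in values)
    if kind == "time":
        return any(lo <= req.hour < hi for lo, hi in values)
    if kind == "method":
        return req.method in values
    if kind == "proxy_auth":
        # Real Squid sends a 407 challenge to an unauthenticated client at
        # this point; the model simply reports "no match".
        return req.authenticated
    if kind == "port":
        return any(req.port == v if isinstance(v, int) else v[0] <= req.port <= v[1]
                   for v in values)
    raise ValueError(kind)


def evaluate(rules, req: Request) -> str:
    """First-match semantics; '!' negates an ACL.  If no line matches,
    Squid applies the opposite of the last line's action."""
    last = "deny"
    for action, *terms in rules:
        last = action
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if last == "allow" else "allow"


# Thomas's order (http_reply_access, icp_access and miss_access are not
# http_access lines, so they are left out).
ORIGINAL = [
    ("allow", "localhost"),
    ("allow", "ncsa_users"),
    ("allow", "slot1_ip", "slot1_time"),
    ("allow", "slot2_ip", "slot2_time"),
    ("allow", "fulltime_ip"),
    ("allow", "Safe_ports"),
    ("allow", "SSL_ports"),
    ("deny", "all"),
]

# Chris's order, with his "!ncsa_auth" read as the ncsa_users ACL.
SUGGESTED = [
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!SSL_ports"),
    ("deny", "!ncsa_users"),
    ("allow", "localhost"),
    ("allow", "slot1_ip", "slot1_time"),
    ("allow", "slot2_ip", "slot2_time"),
    ("allow", "fulltime_ip"),
    ("deny", "all"),
]


def decide(src: str, port: int, hour: int, authenticated: bool, method: str = "GET"):
    """Return (decision under ORIGINAL, decision under SUGGESTED)."""
    req = Request(src, port, hour, authenticated, method)
    return evaluate(ORIGINAL, req), evaluate(SUGGESTED, req)


if __name__ == "__main__":
    # Constructed requests: a slot1 machine outside its window, an
    # unauthenticated slot1 machine inside it, and an unlisted machine.
    for args in [("10.10.10.25", 80, 11, True), ("10.10.10.25", 80, 9, False),
                 ("10.10.10.25", 80, 9, True), ("10.10.10.5", 80, 9, False)]:
        print(args, "->", decide(*args))
```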
[squid-users] SQUID- ACL for different time frame for different block of IP addresses.
Dear All

Requirement has arisen to provide access to a group of machines categorized based on IP address.

ACL created is as follows:-

  acl fulltime_ip 10.10.10.40-10.10.10.254
  acl slot1_ip src 10.10.10.25 10.10.10.30 10.10.10.35
  acl slot1_time time 08:00-10:00
  acl slot2_ip src 10.10.10.39 10.10.10.40 10.10.10.41
  acl slot2_time time 10:00-12:00
  acl CONNECT method CONNECT
  acl ncsa_users proxy_auth REQUIRED

HTTP_ACCESS statements are as follows:-

  http_access allow localhost
  http_access allow ncsa_users
  http_access allow slot1_ip slot1_time
  http_access allow slot2_ip slot2_time
  http_access allow fulltime_ip
  http_access allow Safe_ports
  http_reply_access allow all
  icp_access allow all
  miss_access allow all
  http_access allow SSL_ports
  http_access deny all

Q1= With above ACL and http_access, machines are not getting denied though they are supposed to be denied apart from their specified time slot.

Q2= Is the http_access sequence OK? If not, what should it be?

Q3= Please suggest a better way of doing the same?

Q4= Similar to the http_access sequence, should I have to take care of acl statement sequence too?

TIA
Re: [squid-users] Squid ACL
On Sun, Sep 12, 2004 at 12:57:16PM +0200, Marek Pawinski wrote:
> I want to bypass my proxy server for a certain https url with a certain
> port, i have tried with webmin with no luck. What would i put in
> squid.conf to achieve this ?

What part of squid do you want to bypass?

Obviously you cannot bypass Squid completely by configuring anything in the squid.conf. The moment that Squid receives the query it is already too late. (Although this is frequently asked on IRC.)

You need to make the browsers not even ask Squid for those URLs.

Cheers
Christoph
[squid-users] Squid ACL
Hi

I want to bypass my proxy server for a certain https url with a certain port; i have tried with webmin with no luck. What would i put in squid.conf to achieve this?

Marek
Re: [squid-users] squid acl
> But you do not 'tell' him the program authentication: the line with:
> authenticate_program /.../ncsa_auth file_with_users !!

ok, i think it's a bad thing to use webmin with squid. i prefer now to add directly to squid.conf, so i try:

  #Recommended minimum configuration:
  acl all src 0.0.0.0/0.0.0.0
  acl manager proto cache_object
  acl localdomain src 192.168.0.0/255.255.255.0
  acl to_localhost dst 127.0.0.0/8
  acl SSL_ports port 443 563
  acl Safe_ports port 80
  acl Safe_ports port 21
  acl Safe_ports port 443 563
  acl Safe_ports port 70
  acl Safe_ports port 210
  acl Safe_ports port 1025-65535
  acl Safe_ports port 280
  acl Safe_ports port 488
  acl Safe_ports port 591
  acl Safe_ports port 777
  acl CONNECT method CONNECT
  acl Users proxy_auth REQUIRED
  http_access allow manager localdomain
  http_access allow localdomain
  # Deny requests to unknown ports
  http_access deny manager
  # Deny CONNECT to other than SSL ports
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  auth_param basic /usr/lib/squid/ncsa_auth /etc/squid/users

and i get:

  [EMAIL PROTECTED] squid]# squid -D
  2004/06/04 13:10:00| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl Users proxy_auth REQUIRED' because no authentication schemes are fully configured.
  2004/06/04 13:10:00| aclParseAclLine: IGNORING invalid ACL: acl Users proxy_auth REQUIRED
  2004/06/04 13:10:00| unrecognised basic auth scheme parameter '/usr/lib/squid/ncsa_auth'

thanks
Re: [squid-users] squid acl
> > after i add in my webmin's authentication plugin
> > /usr/lib/squid/ncsa_auth /etc/squid/usersUsers
>
Change the permission of the /etc/squid/usersUsers file to the user permission of the cache_effective_user setting.

> You have to put a line
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/usersUsers
> then your
> acl Users proxy_auth REQUIRED
> refers to the authentication program, or, to be clear,
> acl ncsa proxy_auth REQUIRED
>
> Now you have to create who will be your clients for authentication.
>
Check it with the command line as:

  /usr/lib/squid/ncsa_auth /etc/squid/usersUsers
  user1 password1
  OK or ERR

(where user1 is the username and password1 is the password for user1). If you get OK, then you have the user in the system and your ncsa_auth method is good to patch in Squid.

Regards,
Muthukumar.
Re: [squid-users] squid acl
deny1 wrote:
>> Who is Users?
>> see http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#configuring-proxy-auth
>
> i have created /etc/squid/users and written my users and passwords;
> after that i add in my webmin's authentication plugin:
> /usr/lib/squid/ncsa_auth /etc/squid/usersUsers
>
> A++

But in your squid.conf it isn't. You have to put a line

  auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/usersUsers

then your

  acl Users proxy_auth REQUIRED

refers to the authentication program, or, to be clear,

  acl ncsa proxy_auth REQUIRED

Now you have to create who will be your clients for authentication.

Emilio C.
Re: [squid-users] squid acl
> Who is Users?
> see http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#configuring-proxy-auth

i have created /etc/squid/users and written my users and passwords; after that i add in my webmin's authentication plugin:

  /usr/lib/squid/ncsa_auth /etc/squid/usersUsers

A++
Re: [squid-users] squid acl
> hello good morning
> i am setting squid with the ncsa_auth plugin
>
What is your authentication program setting in the squid.conf file?

Regards,
Muthukumar.
Re: [squid-users] squid acl
--- deny1 <[EMAIL PROTECTED]> wrote:
> hello good morning
> i am setting squid with the ncsa_auth plugin
>
> here is my acls in squid.conf
>
> # Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localdomain src 192.168.0.0/255.255.255.0
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443 563
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> acl Users proxy_auth REQUIRED
>
> # Only allow cachemgr access from localhost
> http_access allow manager localdomain
> http_access deny !Users
> # Deny requests to unknown ports
> http_access allow localdomain
> # Deny CONNECT to other than SSL ports
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> when i launched squid i get
>
> Failed to reconfigure squid:
>
> 2004/06/04 08:49:56| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl Users proxy_auth REQUIRED' because no authentication schemes are fully configured.
> 2004/06/04 08:49:56| aclParseAclLine: IGNORING invalid ACL: acl Users proxy_auth REQUIRED
> 2004/06/04 08:49:56| squid.conf line 1758: http_access deny !Users
> 2004/06/04 08:49:56| aclParseAccessLine: ACL name 'Users' not found.
> 2004/06/04 08:49:56| squid.conf line 1758: http_access deny !Users
> 2004/06/04 08:49:56| aclParseAccessLine: Access line contains no ACL's, skipping
>
> thanks

But you did not tell it which authentication program to use: the line with

authenticate_program /.../ncsa_auth file_with_users

!!

Déborah Malka
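A squid.conf fragment as an added example, not taken from the thread or from the Squid distribution. The poster's file declares `acl Users proxy_auth REQUIRED` without any authentication scheme, which is exactly what the cache.log line "no authentication schemes are fully configured" reports; Squid then drops the ACL and every `http_access` line that names it. The corrected half assumes Squid 2.5 (the release whose `auth_param` directives replaced the single `authenticate_program` line of Squid 2.4) and the common package paths `/usr/lib/squid/ncsa_auth` and `/etc/squid/passwd`; both paths are assumptions, adjust them to your build.

```conf
# --- as posted: ACL declared, no scheme configured, so Squid ignores it
acl Users proxy_auth REQUIRED
http_access deny !Users

# --- corrected (Squid 2.5). The auth_param lines must come BEFORE the
# acl line that uses proxy_auth, because the acl is validated when parsed.
# On Squid 2.4 the equivalent single line is:
#   authenticate_program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

acl all src 0.0.0.0/0.0.0.0
acl localdomain src 192.168.0.0/255.255.255.0
acl Users proxy_auth REQUIRED

# Challenge before granting anything to the local network, then default-deny.
http_access deny !Users
http_access allow localdomain
http_access deny all
```

Create the password file with `htpasswd -c /etc/squid/passwd alice`, then make it readable only by the user Squid runs as (it holds password hashes, and ncsa_auth runs with Squid's privileges, so world-readable is the wrong default). After `squid -k reconfigure`, the `aclParseAclLine: IGNORING` message should no longer appear in cache.log, and `curl -x http://proxy:3128 -U alice:secret http://www.example.com/` should succeed while the same request without `-U` gets a 407. Keep in mind that Basic sends the credentials base64-encoded, not encrypted, on every request, so do not let users reuse system passwords here.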
Re: [squid-users] squid acl
deny1 wrote:
> hello good morning
> i am setting squid with the ncsa_auth plugin
>
> here is my acls in squid.conf
>
> # Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localdomain src 192.168.0.0/255.255.255.0
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443 563
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> acl Users proxy_auth REQUIRED
>
> # Only allow cachemgr access from localhost
> http_access allow manager localdomain
> http_access deny !Users
> # Deny requests to unknown ports
> http_access allow localdomain
> # Deny CONNECT to other than SSL ports
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> when i launched squid i get
>
> Failed to reconfigure squid:
>
> 2004/06/04 08:49:56| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl Users proxy_auth REQUIRED' because no authentication schemes are fully configured.
> 2004/06/04 08:49:56| aclParseAclLine: IGNORING invalid ACL: acl Users proxy_auth REQUIRED
> 2004/06/04 08:49:56| squid.conf line 1758: http_access deny !Users
> 2004/06/04 08:49:56| aclParseAccessLine: ACL name 'Users' not found.
> 2004/06/04 08:49:56| squid.conf line 1758: http_access deny !Users
> 2004/06/04 08:49:56| aclParseAccessLine: Access line contains no ACL's, skipping
>
> thanks

Who is Users? See http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#configuring-proxy-auth

Emilio C.
[squid-users] squid acl
hello good morning
i am setting squid with the ncsa_auth plugin

here is my acls in squid.conf

# Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localdomain src 192.168.0.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl Users proxy_auth REQUIRED

# Only allow cachemgr access from localhost
http_access allow manager localdomain
http_access deny !Users
# Deny requests to unknown ports
http_access allow localdomain
# Deny CONNECT to other than SSL ports
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

when i launched squid i get

Failed to reconfigure squid:

2004/06/04 08:49:56| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl Users proxy_auth REQUIRED' because no authentication schemes are fully configured.
2004/06/04 08:49:56| aclParseAclLine: IGNORING invalid ACL: acl Users proxy_auth REQUIRED
2004/06/04 08:49:56| squid.conf line 1758: http_access deny !Users
2004/06/04 08:49:56| aclParseAccessLine: ACL name 'Users' not found.
2004/06/04 08:49:56| squid.conf line 1758: http_access deny !Users
2004/06/04 08:49:56| aclParseAccessLine: Access line contains no ACL's, skipping

thanks
Re: [squid-users] Squid ACL
On Mon, May 17, 2004 at 02:36:20PM +0200, Skarbet wrote:
> i'm using squid2.4stable7 and trying to stop users from downloading large files and accessing some servers. This is my ACL:
>
> #My Access List
> acl limit_conn src 192.168.1.0/24
> acl 6conn maxconn 6
> acl post method post
> acl exe urlpath_regex -i \.exe$
> acl local src 192.168.1.0/24
> acl download dstdomain .download.com
> acl telecharger dstdomain .telecharger.com
> acl multimedia urlpath_regex -i \.mp3$ \.mpg$ \.mpeg$ \.rm$ \.avi$ \.asf$ \.wma$ \.wav$ \.wmv$ \.ogg$ \.midi$ \.mov$ \.movie$
> acl application urlpath_regex -i \.zip$ \.rar$ \.gz$ \.tgz$ \.bz2$ \.msi$ \.bin$ \.tar$ \.com$
> #END My Access List
>
> #My Rules
> http_access allow local
> http_access deny 6conn limit_conn
> http_access deny download
> http_access deny telecharger
> http_access deny exe !post
> http_access deny multimedia
> http_access deny application
> #END MY RULES
>
> but this does not work!!! Can you show me what's wrong?

Are you sure you first allow all local IPs through and then want to restrict them? Or are your clients on different networks than 192.168.1.0/24?

Christoph
Re: [squid-users] Squid ACL
Your first ACL allows full access from the local network (192.168.1.0/24). If your users are in this range, Squid will never go further in the ACL check. Move the first line to the end, so Squid will process your deny lines first.

Regards,
Arno

Skarbet <[EMAIL PROTECTED]> wrote on 17.05.04 14:36:
To: [EMAIL PROTECTED]
Subject: [squid-users] Squid ACL

> Hi,
> I'm using squid2.4stable7 and trying to stop users from downloading large files and accessing some servers. This is my ACL:
>
> #My Access List
> acl limit_conn src 192.168.1.0/24
> acl 6conn maxconn 6
> acl post method post
> acl exe urlpath_regex -i \.exe$
> acl local src 192.168.1.0/24
> acl download dstdomain .download.com
> acl telecharger dstdomain .telecharger.com
> acl multimedia urlpath_regex -i \.mp3$ \.mpg$ \.mpeg$ \.rm$ \.avi$ \.asf$ \.wma$ \.wav$ \.wmv$ \.ogg$ \.midi$ \.mov$ \.movie$
> acl application urlpath_regex -i \.zip$ \.rar$ \.gz$ \.tgz$ \.bz2$ \.msi$ \.bin$ \.tar$ \.com$
> #END My Access List
>
> #My Rules
> http_access allow local
> http_access deny 6conn limit_conn
> http_access deny download
> http_access deny telecharger
> http_access deny exe !post
> http_access deny multimedia
> http_access deny application
> #END MY RULES
>
> but this does not work!!! Can you show me what's wrong?
RE: [squid-users] Squid ACL
I don't know if this will solve it, but I have this rule at the end of my acl (denies everything that doesn't match your rules):

http_access deny all

-----Original Message-----
From: Skarbet [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 17, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Squid ACL

Hi,
I'm using squid2.4stable7 and trying to stop users from downloading large files and accessing some servers. This is my ACL:

#My Access List
acl limit_conn src 192.168.1.0/24
acl 6conn maxconn 6
acl post method post
acl exe urlpath_regex -i \.exe$
acl local src 192.168.1.0/24
acl download dstdomain .download.com
acl telecharger dstdomain .telecharger.com
acl multimedia urlpath_regex -i \.mp3$ \.mpg$ \.mpeg$ \.rm$ \.avi$ \.asf$ \.wma$ \.wav$ \.wmv$ \.ogg$ \.midi$ \.mov$ \.movie$
acl application urlpath_regex -i \.zip$ \.rar$ \.gz$ \.tgz$ \.bz2$ \.msi$ \.bin$ \.tar$ \.com$
#END My Access List

#My Rules
http_access allow local
http_access deny 6conn limit_conn
http_access deny download
http_access deny telecharger
http_access deny exe !post
http_access deny multimedia
http_access deny application
#END MY RULES

but this does not work!!! Can you show me what's wrong?
[squid-users] Squid ACL
Hi,
I'm using squid2.4stable7 and trying to stop users from downloading large files and accessing some servers. This is my ACL:

#My Access List
acl limit_conn src 192.168.1.0/24
acl 6conn maxconn 6
acl post method post
acl exe urlpath_regex -i \.exe$
acl local src 192.168.1.0/24
acl download dstdomain .download.com
acl telecharger dstdomain .telecharger.com
acl multimedia urlpath_regex -i \.mp3$ \.mpg$ \.mpeg$ \.rm$ \.avi$ \.asf$ \.wma$ \.wav$ \.wmv$ \.ogg$ \.midi$ \.mov$ \.movie$
acl application urlpath_regex -i \.zip$ \.rar$ \.gz$ \.tgz$ \.bz2$ \.msi$ \.bin$ \.tar$ \.com$
#END My Access List

#My Rules
http_access allow local
http_access deny 6conn limit_conn
http_access deny download
http_access deny telecharger
http_access deny exe !post
http_access deny multimedia
http_access deny application
#END MY RULES

but this does not work!!! Can you show me what's wrong?
RE: [squid-users] squid acl help needed
> The time acl is an exception that you can only list a single time per
> line, but you can still list multiple lines.

That I did not know - thanks for the correction.

Adam
Re: [squid-users] squid acl help needed
On Fri, 19 Sep 2003, Payal Rathod wrote:

> Wowww! I thought that three acls by the same name might create a
> problem.

Not as long as you always stuff the same type of content into the acl.

For most ACLs you can list as many things as you want to match on the same line, or on multiple lines. The time acl is an exception that you can only list a single time per line, but you can still list multiple lines.

Regards
Henrik
RE: [squid-users] squid acl help needed
>> Then replace lunchbreak with the following
>>
>> acl coffeebreak time 09:00-10:00
>> acl coffeebreak time 13:00-14:00
>> acl coffeebreak time 18:00-19:00
>
> Wowww! I thought that three acls by the same name might
> create a problem.

No, all it does is combine them - just as if you did:

acl coffeebreak time 09:00-10:00 13:00-14:00 18:00-19:00

Both will work.

Adam
Re: [squid-users] squid acl help needed
On Fri, Sep 19, 2003 at 02:14:49PM +0200, Henrik Nordstrom wrote:
> On Fri, 19 Sep 2003, Payal Rathod wrote:
>
> > What if I have to allow from time 09:00-10:00 and 6:00-07:00 too with
> > lunchbreak?
> >
> > I mean the users can access hotmail, yahoo in the above 3 hours only.
>
> Then replace lunchbreak with the following
>
> acl coffeebreak time 09:00-10:00
> acl coffeebreak time 13:00-14:00
> acl coffeebreak time 18:00-19:00

Wowww! I thought that three acls by the same name might create a problem.

-Payal

> Regards
> Henrik
>
> note: Squid-2.5.STABLE2 or later required, for earlier versions you need
> to create one ACL per time interval

--
For GNU/Linux Success Stories and Articles visit:
http://payal.staticky.com
Re: [squid-users] squid acl help needed
On Fri, 19 Sep 2003, Payal Rathod wrote:

> What if I have to allow from time 09:00-10:00 and 6:00-07:00 too with
> lunchbreak?
>
> I mean the users can access hotmail, yahoo in the above 3 hours only.

Then replace lunchbreak with the following

acl coffeebreak time 09:00-10:00
acl coffeebreak time 13:00-14:00
acl coffeebreak time 18:00-19:00

Regards
Henrik

note: Squid-2.5.STABLE2 or later required, for earlier versions you need to create one ACL per time interval
Re: [squid-users] squid acl help needed
On Thu, Sep 18, 2003 at 03:28:27PM +0200, Henrik Nordstrom wrote:
> acl my_network src 192.168.10.0/24
> ...
[...]

Thanks for the mail. It works beautifully. Just one small question below.

> acl webmail dstdomain .yahoo.com .hotmail.com
> acl lunchbreak time 13:00-14:00
> http_access deny !lunchbreak webmail
> http_access allow my_network

What if I have to allow from time 09:00-10:00 and 6:00-07:00 too with lunchbreak?

I mean the users can access hotmail, yahoo in the above 3 hours only.

Thanks a lot again and bye.

With warm regards,
-Payal
--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
Re: [squid-users] squid acl help needed
On Thu, 18 Sep 2003, Payal Rathod wrote:

> Hi,
> I am at a loss to configure squid acl meeting the following
> requirements.
>
> 1. All clients must have internet access throughout the day.

acl my_network src 192.168.10.0/24
...
[used below]

> 2. Clients 192.168.10.1, 192.168.10.2, 192.168.10.5 (can be
> changed to something appropriate if you wish) will have access to all
> sites throughout the day.

acl special_clients src 192.168.10.1 ...
http_access allow special_clients

> 3. Rest all can access net/other sites throughout but can access yahoo.com and
> hotmail.com *only* during 1:00 pm to 2:00 pm

acl webmail dstdomain .yahoo.com .hotmail.com
acl lunchbreak time 13:00-14:00
http_access deny !lunchbreak webmail
http_access allow my_network

in the order given, where instructed to by the comments in the default squid.conf.

Regards
Henrik
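An added example, not code from the squid-users threads or from Squid itself: a small Python model of how Squid walks `acl` and `http_access` lines, written to make two points from the threads above concrete. For Skarbet's "Squid ACL" thread it shows that the first `http_access` line whose ACLs all match decides the request, so `http_access allow local` placed first makes every deny below it unreachable, and that moving it to the end (with a trailing `http_access deny all`) fixes that. For Payal's "squid acl help needed" thread it shows that several `acl coffeebreak time ...` lines with the same name merge into one ACL, and how `http_access deny !coffeebreak webmail` then behaves at different times of day. The three configs are constructed from the posts (Skarbet's regex lists shortened). Assumptions: only the ACL types used in the posted configs are modelled; `urlpath_regex` is matched against the URL path only; `time` understands `HH:MM-HH:MM` ranges only, no day letters; the client's open connection count for `maxconn` is supplied as a request attribute; and the rule that a request matching no line gets the opposite of the last line's action is the documented Squid behaviour, reproduced here.

```python
"""Model of Squid acl / http_access evaluation (illustrative, not Squid code)."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed from Skarbet's post (regex lists shortened): the allow comes first.
SKARBET_CONF = r"""
acl limit_conn src 192.168.1.0/24
acl 6conn maxconn 6
acl post method post
acl exe urlpath_regex -i \.exe$
acl local src 192.168.1.0/24
acl download dstdomain .download.com
acl telecharger dstdomain .telecharger.com
http_access allow local
http_access deny 6conn limit_conn
http_access deny download
http_access deny telecharger
http_access deny exe !post
"""

# Same ACLs with the allow moved to the end (Arno's fix) plus a catch-all
# deny (the "http_access deny all" reply).
SKARBET_CONF_FIXED = (SKARBET_CONF.replace("http_access allow local\n", "")
                      + "acl all src 0.0.0.0/0.0.0.0\n"
                        "http_access allow local\nhttp_access deny all\n")

# Constructed from Henrik's answers to Payal, with the three coffeebreak lines.
PAYAL_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl my_network src 192.168.10.0/24
acl special_clients src 192.168.10.1 192.168.10.2 192.168.10.5
acl webmail dstdomain .yahoo.com .hotmail.com
acl coffeebreak time 09:00-10:00
acl coffeebreak time 13:00-14:00
acl coffeebreak time 18:00-19:00
http_access allow special_clients
http_access deny !coffeebreak webmail
http_access allow my_network
http_access deny all
"""


def parse_conf(text):
    """Return ({name: {'type', 'values', 'icase'}}, [(action, [(negated, name), ...])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, typ, vals = parts[1], parts[2], parts[3:]
            icase = vals[:1] == ["-i"]          # urlpath_regex -i: case-insensitive
            if icase:
                vals = vals[1:]
            acl = acls.setdefault(name, {"type": typ, "values": [], "icase": icase})
            if acl["type"] != typ:              # a name may not be reused with another type
                raise ValueError(f"acl {name}: {typ} conflicts with earlier {acl['type']}")
            acl["values"].extend(vals)          # same-name lines merge into one ACL
        elif parts[0] == "http_access":
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules


def acl_matches(acl, req):
    typ, vals = acl["type"], acl["values"]
    url = urlsplit(req["url"])
    if typ == "src":
        return any(ip_address(req["src"]) in ip_network(v, strict=False) for v in vals)
    if typ == "dstdomain":                      # leading dot: the domain and all subdomains
        host = url.hostname or ""
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v)) for v in vals)
    if typ == "urlpath_regex":
        flags = re.IGNORECASE if acl["icase"] else 0
        return any(re.search(v, url.path, flags) for v in vals)
    if typ == "method":
        return req["method"].upper() in {v.upper() for v in vals}
    if typ == "maxconn":                        # true once the client holds more than N connections
        return req.get("connections", 0) > int(vals[0])
    if typ == "time":                           # zero-padded HH:MM strings compare correctly
        return any(a <= req["time"] < b for a, b in (v.split("-") for v in vals))
    raise ValueError(f"acl type {typ} is not modelled here")


def http_access(conf_text, req):
    """Return ('allow' | 'deny', index of the deciding http_access line or None)."""
    acls, rules = parse_conf(conf_text)
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action, i                    # first full match wins; nothing below is consulted
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    exe = {"src": "192.168.1.10", "method": "GET", "url": "http://www.example.com/setup.exe"}
    print(http_access(SKARBET_CONF, exe))        # ('allow', 0): allow local matched first
    print(http_access(SKARBET_CONF_FIXED, exe))  # ('deny', 3): now deny exe !post is reached
    mail = {"src": "192.168.10.20", "method": "GET", "url": "http://mail.yahoo.com/", "time": "12:30"}
    print(http_access(PAYAL_CONF, mail))         # ('deny', 1): webmail outside the break
    print(http_access(PAYAL_CONF, dict(mail, time="13:30")))  # ('allow', 2)
```

The returned index tells you which line decided, which is the question to ask whenever an ACL "does not work": with the posted order every request from 192.168.1.0/24 is decided by line 0 and the deny lines are dead. The `ValueError` on a reused name with a different type is the limit Henrik describes for merging same-name lines.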
RE: [squid-users] squid acl help needed
> I am at a loss to configure squid acl meeting the following
> requirements.

There is a Squid FAQ on how acl and http_access logic works; read that if you haven't already.

You'll need src, time, and dstdomain acls to get this to work, and you'll need to order them in http_access properly. More info on the acls is available in the default squid.conf.

If you try a specific setup and it doesn't do what you want, post to the list again. Explain what it is doing, what you expected it to do, and provide your squid.conf (without comments or blank lines).

Adam
[squid-users] squid acl help needed
Hi,
I am at a loss to configure squid acl meeting the following requirements.

1. All clients must have internet access throughout the day.

2. Clients 192.168.10.1, 192.168.10.2, 192.168.10.5 (can be changed to something appropriate if you wish) will have access to all sites throughout the day.

3. Rest all can access net/other sites throughout but can access yahoo.com and hotmail.com *only* during 1:00 pm to 2:00 pm

Can this be done with squid? I cannot think of appropriate acls and appropriate order in which to put them. Can someone help on this?

With warm regards,
-Payal