Re: [squid-users] squid acl + user through ssh

2024-04-19 Thread Albert Shih
On 18/04/2024 at 18:42:57-0500, Grant Taylor wrote:
> On 4/18/24 2:46 PM, Albert Shih wrote:
> > So what I'm trying to do is to use ACL according to the user who makes
> > the ssh connection, I don't want «another» authentication.
> 
> About the only thing that comes to mind is RFC 931 (?) ident (might be okay
> on the same system) or something that matches the process owner. (I'm
> thinking iptables process owner match extension.)
> 
> But my testing seems to show that such port forwarding is done by the ssh
> daemon owner process not the connecting user.

Yes. Indeed. 
> 
> If it wasn't for your "don't want another authentication" I'd wonder about
> username and password creds to authenticate to Squid.

Well... It's not me who doesn't want another authentication, it's the
application (not a web browser) which only knows (and I'm not sure of that
yet) how to do basic HTTP authentication.

Regards

-- 
Albert SHIH 嶺 
France
Heure locale/Local time:
Fri. 19 April 2024 07:58:44 CEST
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid acl + user through ssh

2024-04-18 Thread Grant Taylor

On 4/18/24 2:46 PM, Albert Shih wrote:
So what I'm trying to do is to use ACL according to the user who makes
the ssh connection, I don't want «another» authentication.


About the only thing that comes to mind is RFC 931 (?) ident (might be 
okay on the same system) or something that matches the process owner. 
(I'm thinking iptables process owner match extension.)


But my testing seems to show that such port forwarding is done by the 
ssh daemon owner process not the connecting user.


If it wasn't for your "don't want another authentication" I'd wonder 
about username and password creds to authenticate to Squid.




--
Grant. . . .
unix || die



Re: [squid-users] squid acl + user through ssh

2024-04-18 Thread Albert Shih
On 18/04/2024 at 18:13:41+0100, Francesco Chemolli wrote:
Hi, 

> Sure, of course. It will work just as normal.
> The only type of ACLs that would need to be considered is source-based

Ok, thanks, but just to be sure, because re-reading myself I was not very clear
about my question. 

So what I'm trying to do is to use ACL according to the user who makes the
ssh connection, I don't want «another» authentication.

So let's say 

  ssh -L 3128:squid_server:3128 user1@ssh-portal 

the squid will match

acl aclforuser1 ident user1

and

  ssh -L 3128:squid_server:3128 user2@ssh-portal

the squid will match

acl aclforuser2 ident user2


Thanks. 

-- 
Albert SHIH 嶺 
France
Heure locale/Local time:
Thu. 18 April 2024 21:40:33 CEST


Re: [squid-users] squid acl + user through ssh

2024-04-18 Thread Francesco Chemolli
Sure, of course. It will work just as normal.
The only type of ACLs that would need to be considered is source-based


@mobile


On Thu, 18 Apr 2024 at 18:09, Albert Shih wrote:

> Hi everyone
>
> If a user uses an ssh tunnel to access squid like
>
>   ssh -L 3128:squid_server:3128 ssh-portal
>
> then configures his browser to use 127.0.0.1:3128 to access the squid proxy,
> is there a way to use «acl by user» in the squid configuration?
>
> Thanks
>
> --
> Albert SHIH 嶺 
> France
> Heure locale/Local time:
> Thu. 18 April 2024 19:06:02 CEST


Re: [squid-users] Squid ACL for bypassing ssl-bump

2021-02-26 Thread Alex Rousskov
On 2/26/21 12:45 PM, Justin Michael Schwartzbeck wrote:

> For case 2 and 3, what you are saying is that the browser is requesting
> the DNS lookup first, correct?

Correct, but that does not really matter.


> Hence the need for a reverse DNS from
> squid, since squid does not know at that point what domain the IP
> belongs to.

Squid "does not know" because all Squid gets is an IP address (in those
two cases).


> But they still had to query the DNS server, so that entry is
> in that DNS cache, and it should have the same domain as the lookup that
> the user entered.

DNS does not support what feels natural to you. You are thinking of a
name:IP cache entry that can be looked up by IP. That is a natural
model, but it does not match reality. DNS simply does not have an
interface that says "find me a name that maps to IP Y". DNS essentially
has only one interface: "find me what maps to name X". That is it! There
is just no way to ask a DNS server what name in its cache maps to an IP
address.

For reverse DNS lookups, the DNS client constructs an IP-based _name_ in
a special in-addr.arpa DNS zone and uses that name to query the DNS
server. For example, a "reverse" lookup for 127.0.0.1 is really a lookup
for the "1.0.0.127.in-addr.arpa" name. And that lookup follows all the
DNS rules about contacting authoritative servers for the zone, etc.; the
DNS server does not really "know" that what you really want is a cached
domain name for that 127.0.0.1 IP address.


> So if I have a local dns (maybe dnsmasq) that both squid and the user
> use, from what I understand I should be able to use squid's
> dns_nameservers directive to point to that DNS, and it should return
> fine since it is stored right there in the cache.

The IP may be stored, but it cannot be looked up using DNS.

Alex.



Re: [squid-users] Squid ACL for bypassing ssl-bump

2021-02-26 Thread Justin Michael Schwartzbeck
Thanks for your answers Alex.

For case 1, I understand that should not be a problem, since squid is the
one asking for DNS resolution.
For case 2 and 3, what you are saying is that the browser is requesting the
DNS lookup first, correct? Hence the need for a reverse DNS from squid,
since squid does not know at that point what domain the IP belongs to. But
they still had to query the DNS server, so that entry is in that DNS cache,
and it should have the same domain as the lookup that the user entered.

So if I have a local dns (maybe dnsmasq) that both squid and the user use,
from what I understand I should be able to use squid's dns_nameservers
directive to point to that DNS, and it should return fine since it is
stored right there in the cache.

If the user is trying to use a different DNS server other than the local
one, then fine, I will just decrypt their traffic as punishment. 



Re: [squid-users] Squid ACL for bypassing ssl-bump

2021-02-26 Thread Alex Rousskov
On 2/26/21 7:35 AM, Justin Michael Schwartzbeck wrote:
>> Yes, many HTTPS transactions do not expose destination domain until it
>> is too late to decide whether to bump them, and reverse DNS lookups are
>> often unreliable.

> I wonder why this would be. 

I suspect you assume that a forward DNS lookup (A or AAAA query) answer
is always the "opposite" of a reverse DNS lookup (PTR query) answer.
AFAIK, that is not how DNS is defined. From the DNS point of view, each of
those answers is totally independent -- there is no 1:1 or even 1:N
mapping between them; the answers even come from different DNS zones!  A
caching DNS resolver would probably violate the DNS protocol if it uses
a cached A or AAAA record to answer a PTR query. Disclaimer: I am not a
DNS expert.


> From my understanding, when you open a
> browser and browse to www.google.com, the very
> first thing that happens is you do a DNS resolution so that you know
> what IP to send the CONNECT request and subsequent HTTPS records in the
> first place.

What happens depends on the browser and the proxy port:

1. For forward proxies: Some browsers will not do DNS lookups. They will
send a CONNECT request to example.com, allowing Squid to do the DNS
lookup. In this case, Squid dstdomain configured with a host name will
work well.

2. For forward proxies: Some browsers do DNS lookups. They will send a
CONNECT request to one of the returned IP addresses.

3. For interception proxies: All browsers do DNS lookups. They open a
TCP connection to one of the returned IP addresses.

In cases 2 and 3, Squid dstdomain will have to do a reverse DNS lookup
(PTR query). In many cases, that lookup either fails or returns a
different domain name than the domain the browser started with.


HTH,

Alex.


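To make the reverse-lookup point above concrete, here is an added Python example (not code from the thread or from Squid) that builds the in-addr.arpa / ip6.arpa name a PTR query really asks for and, with constructed zone data and a hypothetical CDN as the address-block owner, models what a dstdomain ACL can see in case 1 versus cases 2 and 3, next to the client-sent SNI that ssl::server_name matches on.

```python
import ipaddress

# Constructed sample data standing in for two independent DNS zones.
# Forward (A/AAAA) answers come from the name's own zone; PTR answers come
# from the separate in-addr.arpa / ip6.arpa zones. Nothing ties them together.
FORWARD = {
    "www.bank.example": ["198.51.100.10", "2001:db8::10"],
    "www.shop.example": ["198.51.100.20"],
}


def ptr_name(ip: str) -> str:
    """Build the name a reverse lookup really queries, e.g.
    127.0.0.1 -> 1.0.0.127.in-addr.arpa (IPv6 goes under ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


# The address block's owner (a hypothetical CDN here) publishes its own PTRs;
# 198.51.100.20 has no PTR record at all.
REVERSE = {
    ptr_name("198.51.100.10"): "edge-10.cdn.example",
    ptr_name("2001:db8::10"): "edge-10-v6.cdn.example",
}


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reverse_lookup(ip: str):
    """PTR query: answered only if the in-addr.arpa/ip6.arpa zone has a record."""
    return REVERSE.get(ptr_name(ip))


def domain_suffix_match(acl_domain: str, name: str) -> bool:
    """Squid-style domain match: '.bank.example' matches the domain and
    its subdomains; 'bank.example' matches only that exact name."""
    name = name.lower().rstrip(".")
    if acl_domain.startswith("."):
        return name == acl_domain[1:] or name.endswith(acl_domain)
    return name == acl_domain


def dstdomain_matches(acl_domain: str, connect_host: str) -> bool:
    """What a dstdomain ACL can see. Case 1 (CONNECT to a host name): the
    name itself. Cases 2 and 3 (CONNECT/TCP to an IP): only the PTR answer,
    which may be missing or name a different domain entirely."""
    if not is_ip(connect_host):
        return domain_suffix_match(acl_domain, connect_host)
    ptr = reverse_lookup(connect_host)
    return ptr is not None and domain_suffix_match(acl_domain, ptr)


def ssl_server_name_matches(acl_domain: str, sni: str) -> bool:
    """ssl::server_name uses the TLS SNI the client sent, which is still
    the original host name even when the client connected by IP address."""
    return domain_suffix_match(acl_domain, sni)


def main() -> None:
    acl = ".bank.example"
    for target in ["www.bank.example"] + FORWARD["www.bank.example"]:
        print(f"CONNECT {target}: dstdomain={dstdomain_matches(acl, target)} "
              f"ssl::server_name={ssl_server_name_matches(acl, 'www.bank.example')}")


if __name__ == "__main__":
    main()
```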



Re: [squid-users] Squid ACL for bypassing ssl-bump

2021-02-25 Thread Alex Rousskov
On 2/25/21 2:07 PM, Justin Michael Schwartzbeck wrote:

> I have thus far used dstdomain acl for bypassing ssl bump on sites that
> we don't want to decrypt, like banking sites. It seems to work for some
> sites, but not for others.

Yes, many HTTPS transactions do not expose destination domain until it
is too late to decide whether to bump them, and reverse DNS lookups are
often unreliable.


> I was thinking about this, and it seems to me that if we are using the
> squid proxy with a dns server, we should be able to check the dns cache
> for that IP, and find the associated hostname, and then match against that.

When you use dstdomain, Squid will do a (reverse) DNS query for you as
necessary (including DNS cache lookups) unless you specify a -n option
that is documented to disable all such operations.


In many cases, you should be using ssl::server_name instead of dstdomain
or dst ACL, but you may have to use a combination of various ACLs to
cover all the cases you care about.


HTH,

Alex.



Re: [squid-users] Squid ACL, SSL-BUMP and authentication questions

2014-11-07 Thread squid
Hi Amos,

The configuration I posted last time still cannot accomplish the tasks. So, you
mean the CONNECT ACL must be paired with a normal GET command ACL to be
evaluated by squid?

Best,
Kelvin Yip

-Original Message-
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Amos Jeffries
Sent: Friday, November 07, 2014 4:29 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid ACL, SSL-BUMP and authentication questions


On 7/11/2014 8:35 p.m., squid-list wrote:
> Hi,
> * Access to google maps (https://www.google.com/maps) should prevent any authentication need
>
> I could understand that all users should be able to access the google
> maps link without any authentication. For this you could add the site
> acl before the authentication part in the squid conf, so that users
> will not be prompted for authentication when they try to access the
> google maps site. But when they try to access any other site,
> authentication will be prompted.

This cannot be done.

You can authenticate the user setting up a CONNECT tunnel, OR you can bypass 
authentication for them.

That authentication choice applies equally to all requests sent over the tunnel,
whether they are for maps or for any other Google service. And it must be made
*before* the tunnel is set up, thus *before* the URL inside the tunnel becomes
known.


Amos



Re: [squid-users] Squid ACL, SSL-BUMP and authentication questions

2014-11-07 Thread Amos Jeffries

On 7/11/2014 11:04 p.m., sq...@icshk.com wrote:
> Hi Amos,
>
> The configuration I posted last time still cannot accomplish the
> tasks.

I said the task was not possible.

You are trying to decide whether to authenticate, based on details
that will not be known until authentication has finished.


I recommend you just authenticate and be done with it.

Amos


Re: [squid-users] squid acl soap request method

2013-10-14 Thread Amos Jeffries

On 15/10/2013 3:48 p.m., James Shirley wrote:

> Hi!
>
> I'm trying to configure a squid acl to control what soap requests are
> allowed to a backend web server..
>
> Only I cannot see a configuration parameter directly specific to SOAP
> (or XML) protocol. Or even a way to integrate the POST message content
> in a helper application..


That is because the message and the message content are two _very_ 
separate things.


The messages being HTTP protocol and message content being the SOAP/XML 
stuff.


Squid only operates on the HTTP protocol. The content of messages is 
outside of Squid scope of operations and treated as opaque data.
Manipulation or control based on message content is called content 
filtering and is performed by ICAP services and/or eCAP plugins for Squid.


NP: I'm not yet aware of any plugins/services that manipulate SOAP/XML 
data. Given that it is XML it should be relatively easy to create your 
own content filter that meets your needs.



> I have looked into validating SOAPAction HTTP header, however this is
> an optional header which not all SOAP clients use..


For controlling it in Squid that is probably the best way. Unless you 
can find a better way to identify SOAP from just the HTTP headers 
(Content-Type perhaps?).


Amos


Re: [squid-users] Squid acl port

2009-09-29 Thread Amos Jeffries
On Wed, 30 Sep 2009 09:46:04 +0800, wangwen wangw...@126.com wrote:
> Hi All.
>
> I have my question about the use of “acl port” in squid.conf.
>
> Generally the proxy has the following three cases:
>
> 1. Standard proxy cache server: In order to realize this approach, we
> must indicate the IP and port of the proxy server in the browser of every
> internal host.
>
> 2. Transparent proxy cache server: The transparent cache intercepts
> network traffic, filters HTTP traffic (on port 80), and handles the
> request if the item is in the cache.
>
> 3. Reverse proxy cache server: It usually listens on port 80 to accept
> client requests. When guests access the proxy server, they will just feel
> like they are visiting the backend server. Users can't see the backend
> server here.
>
>
> In the first case: Entering “IP:port” in the browser we can access any
> website. According to the IP address and port in the browser, the proxy
> server controls user access. In this case we can use “acl port” in
> squid.conf to control access.
>
> In the second case: Entering “IP:port” in the browser we can access any
> website. But a request URL which does not include port 80 will not be
> sent to the proxy server. I think that “acl port” is useless in this case.
>
> In the third case: Entering “IP of reverse proxy server:port” in the
> browser we can access the backend server. I think that “acl port” is
> useless in this case.
>
> From what we analyzed before, “acl port” only takes effect in the first
> case, or is it? If it is not, can anybody give me some example using
> “acl port” in other cases?
>
> Thank you.

When referring to the receiving http_port in squid, prefer the myportname
feature. All other port ACL types are unreliable in some modes.

ACL type port - refers to the client destination port in normal proxy
mode. In reverse proxy mode this is the client destination port (provided
NAT and load balancers have not been involved anywhere down the chain),
which should usually be 80, but may be some other squid receiving accel
port if used by web apps or altered by intermediate devices/software.

ACL type myport - refers to the squid receiving port. In reverse proxy
mode expect this to be identical to the above (aka client destination
port). Usable in forward and reverse proxy mode for non-standard or
multiple proxy listening ports.

NOTE: _neither_ of these above methods works reliably in transparent mode.
The IP:port for both squid and the client and the client destination are
volatile based on system NAT capabilities. OR if they are reliably set
should always be 80. Every install combo with operating system, firewall,
NAT engine and Squid version needs to be tested to see what the ACL
matches. TPROXY interception also faces the same problems with even weirder
behavior, setting myport to the client source port which should be
completely random and unusable.

ACL type myportname - refers to the squid receiving port by explicit name
in all modes.

Amos



Re: [squid-users] Squid acl port

2009-09-29 Thread wangwen


I got it, thanks for your replies.



Re: [squid-users] Squid ACL, allow url?

2009-02-21 Thread Amos Jeffries

CopyrightPhilly wrote:

> hi,
>
> I've been trying for hours to try and get this to work,
>
> basically this is what I am wanting to do,
>
> Deny if requested is not on allowed port
> Allow local users accounts (got this working)
> Allow if the requested url is *.mydomain.com
> Deny if not the above
>
> below what I'm using, - all the fully working...
>
> can anyone tell me what I'm doing wrong?
>
> thanks
>
> acl LocalServer url_regex -i *.mydomain.com

acl LocalServer dstdomain .mydomain.com

> acl all src all
>
> http_access deny !Safe_ports
> http_access allow LocalUsers
> http_access allow LocalServer
> http_access deny all


If that's not working, there is something elsewhere going wrong.

What version of squid are you using?

What type of errors are you seeing?

Is Safe_ports defined properly?

Is this trying to be an accelerator, or just a forward proxy with 
internal sites always allowed?



Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5


RE: [squid-users] Squid ACL Problem

2007-08-02 Thread Heaton, Tobias
The 'microsoft' ACLs are working fine - 'macintosh' is not:

acl microsoft dstdomain .microsoft.com
acl macintosh dstdomain .apple.com
acl all src 0.0.0.0/0.0.0.0

http_access allow microsoft
http_access allow macintosh
http_access deny all



Re: [squid-users] Squid ACL Problem

2007-08-02 Thread Tek Bahadur Limbu

Heaton, Tobias wrote:

> Hello - I hope I'm writing to the correct place!
>
> I have Squid running on RHAS4 and it has been running perfectly for some
> time. I added some new ACLs and http_access protocols mirroring exactly
> what existed. I then reconfigured the squid client and even restarted
> the machine itself, and I absolutely cannot get the ACLs to work! There
> is no information appearing in the access.log or cache.log - I can't
> find any trace of a machine even hitting those sites.


Hi Heaton,

Without seeing those ACLs you added, it will be very hard and difficult 
for us to diagnose your problem.





> Any help would be greatly appreciated!!!






--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np


RE: [squid-users] Squid ACL Problem

2007-08-02 Thread Heaton, Tobias
No log entries are appearing from a network machine on the same subnet. The 
only way I can generate an access.log entry is running the squidclient app w/ 
the URL:

squidclient http://www.apple.com

access.log:

247 127.0.0.1 TCP_MISS/200 10226 GET http://www.apple.com - 
DIRECT/17.149.160.10 text/html

It displays the page correctly in the command shell which tells me the ACL is 
working, at least from localhost. I cannot get anything across the network.

-Original Message-
From: Leonardo Rodrigues Magalhães [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 02, 2007 10:01 AM
To: Heaton, Tobias
Cc: Squid Users
Subject: Re: [squid-users] Squid ACL Problem


Post your DENIED log entries in access.log.

Most probably apple.com site is using other domains different than 
apple.com. So, despite apple.com is allowed, those others are denied and 
the page cannot be accessed.

Post your DENIED logs please.


Heaton, Tobias wrote:
 The 'microsoft' ACLS are working fine - 'macintosh' is not:

 acl microsoft dstdomain .microsoft.com
 acl macintosh dstdomain .apple.com
 acl all src 0.0.0.0/0.0.0.0

 http_access allow microsoft
 http_access allow macintosh
 http_access deny all
   

-- 


Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it
[EMAIL PROTECTED]
My SPAMTRAP, do not email it






Re: [squid-users] Squid ACL Problem

2007-08-02 Thread Leonardo Rodrigues Magalhães


   Post your DENIED log entries in access.log.

   Most probably apple.com site is using other domains different than 
apple.com. So, despite apple.com is allowed, those others are denied and 
the page cannot be accessed.


   Post your DENIED logs please.


Heaton, Tobias wrote:

The 'microsoft' ACLS are working fine - 'macintosh' is not:

acl microsoft dstdomain .microsoft.com
acl macintosh dstdomain .apple.com
acl all src 0.0.0.0/0.0.0.0

http_access allow microsoft
http_access allow macintosh
http_access deny all
  


--


Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it
[EMAIL PROTECTED]
My SPAMTRAP, do not email it






smime.p7s
Description: S/MIME Cryptographic Signature


Re: [squid-users] Squid ACL Problem

2007-08-02 Thread Leonardo Rodrigues Magalhães



Heaton, Tobias wrote:

No log entries are appearing from a network machine on the same subnet. The 
only way I can generate an access.log entry is running the squidclient app w/ 
the URL:

squidclient http://www.apple.com

access.log:

247 127.0.0.1 TCP_MISS/200 10226 GET http://www.apple.com - 
DIRECT/17.149.160.10 text/html

It displays the page correctly in the command shell which tells me the ACL is 
working, at least from localhost. I cannot get anything across the network.


   squidclient will retrieve only the exact supplied URL; that is far from 
meaning the page would show. As I told you, the page can reference other 
addresses and those different addresses can be blocked by your ACLs.


   If you're getting NOTHING from the network clients, then ACLs 
probably are NOT your problem. If the problem were ACLs, your clients 
would be getting the 'ACCESS DENIED' page supplied by squid, and TCP_DENIED 
logged in access.log. If nothing appears in the logs, then the requests 
are probably not even reaching your squid.


   Are the browsers manually configured to access through squid, or are the 
requests being captured by a transparent proxy? If they are 
transparent, maybe your transparent rules aren't working as expected.




--


Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it
[EMAIL PROTECTED]
My SPAMTRAP, do not email it






smime.p7s
Description: S/MIME Cryptographic Signature


RE: [squid-users] Squid ACL Problem

2007-08-02 Thread Heaton, Tobias
It was a DNS zone problem that I've resolved. Thanks for all your help!

-Original Message-
From: Leonardo Rodrigues Magalhães [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 02, 2007 12:12 PM
To: Heaton, Tobias
Cc: Squid Users
Subject: Re: [squid-users] Squid ACL Problem



Heaton, Tobias wrote:
 No log entries are appearing from a network machine on the same subnet. The 
 only way I can generate an access.log entry is running the squidclient app w/ 
 the URL:

 squidclient http://www.apple.com

 access.log:

 247 127.0.0.1 TCP_MISS/200 10226 GET http://www.apple.com - 
 DIRECT/17.149.160.10 text/html

 It displays the page correctly in the command shell which tells me the ACL is 
 working, at least from localhost. I cannot get anything across the network.

squidclient will retrieve only the exact supplied URL; that is far from 
meaning the page would show. As I told you, the page can reference other 
addresses and those different addresses can be blocked by your ACLs.

If you're getting NOTHING from the network clients, then ACLs 
probably are NOT your problem. If the problem were ACLs, your clients 
would be getting the 'ACCESS DENIED' page supplied by squid, and TCP_DENIED 
logged in access.log. If nothing appears in the logs, then the requests 
are probably not even reaching your squid.

Are the browsers manually configured to access through squid, or are the 
requests being captured by a transparent proxy? If they are 
transparent, maybe your transparent rules aren't working as expected.



-- 


Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it
[EMAIL PROTECTED]
My SPAMTRAP, do not email it






RE: [squid-users] Squid ACL

2007-07-09 Thread Mark Barlow
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 06 July 2007 00:22
To: Christian Vallant
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid ACL

 Hello,

 i need to solve following problem.
 I have an ldap-server, which i use to authenticate the user.
 If the user is in the group, he has access to the group A. If the
 authentications fails, he has access to the group B.

 Can anyone tell me, how i can solve this problem.

 I have already have an authentication, but the problem is, that if the
 user tries to authenticate, but he has no rights, the
 authentication-window
 comes again and again. But the user has to be in the group
 to_domains_without_auth and the other domains should be blocked.

 So, the relevant code looks like:

 auth_param basic program /etc/squid/ldapauth.pl
 acl for_inetusers proxy_auth REQUIRED

 acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"


 Can anyone help me?


Check the order of http_access * lines in your squid.conf.
They are processed in order, and for_inetusers needs to be preceded by
any ACL that allows people through without Auth.

For example:

http_access allow anybody_without_auth
http_access allow for_inetusers
http_access deny all

Amos

Remember for rules to work effectively, at least one of them has to be true.
I suspect this is why your authentication window keeps popping up. For
example if someone isn't in the inetusers group, the result of the line
http_access allow for_inetusers will be false and it will move on to the
next line.  You need the users to match a deny rule to stop the request
being processed and output a squid error page to the user.  The deny all
rule should suffice.

Hope this makes sense.




Re: [squid-users] Squid ACL

2007-07-05 Thread squid3
 Hello,

 i need to solve following problem.
 I have an ldap-server, which i use to authenticate the user.
 If the user is in the group, he has access to the group A. If the
 authentications fails, he has access to the group B.

 Can anyone tell me, how i can solve this problem.

 I have already have an authentication, but the problem is, that if the
 user tries to authenticate, but he has no rights, the
 authentication-window
 comes again and again. But the user has to be in the group
 to_domains_without_auth and the other domains should be blocked.

 So, the relevant code looks like:

 auth_param basic program /etc/squid/ldapauth.pl
 acl for_inetusers proxy_auth REQUIRED

 acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"


 Can anyone help me?


Check the order of http_access * lines in your squid.conf.
They are processed in order, and for_inetusers needs to be preceded by
any ACL that allows people through without Auth.

For example:

http_access allow anybody_without_auth
http_access allow for_inetusers
http_access deny all

Amos



Re: [squid-users] Squid ACL settings

2007-04-16 Thread Chris Robertson

[EMAIL PROTECTED] wrote:

Hello,

I would like to setup squid this way. 
All clients from the internal network (172.16.0.0) could reach the external server 
15.14.13.12 on all ports.

Many thanks.
  

acl clients src 172.16.0.0/16
acl server dst 15.14.13.12
http_access allow clients server

Proper placement in the squid.conf is left as an exercise for the 
reader.  Also, be aware that Squid is STRICTLY an HTTP proxy (with a 
dash of FTP).


Chris


RE: [squid-users] Squid ACL (Is this Possible)

2006-09-20 Thread Mehmet, Levent \(Accenture\)
 Hi

This config you have suggested we use may not be able to support what we
like:

How would this access-list cope with a website like this:

http://nww.nhsmessaging.co.uk/ or 

www.nhs.uk - this should go direct but 

nww.nhs.uk needs to go to peer

acl NWW dstdom_regex \.?nww\.
acl NHS dstdomain .nhs.uk
cache_peer_access 3.3.3.3 allow NHS
cache_peer_access 3.3.3.3 allow NWW
never_direct allow NWW

-Original Message-
From: Chris Robertson [mailto:[EMAIL PROTECTED] 
Sent: 19 September 2006 19:56
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid ACL (Is this Possible)

Mehmet, Levent (Accenture) wrote:
  All

 I currently have a setup which sends different domains to different 
 Cache_peers. This has been working fine with the below config.:

 cache_peer 1.1.1.1 parent 80 80 no-query
 cache_peer 2.2.2.2 parent 80 80 no-query
 cache_peer 3.3.3.3 parent 3128 3130 no-query

 cache_peer_domain 3.3.3.3 parent  nww. .nhs.uk
   
Hmmm...  I don't think that text followed by a dot is valid syntax for
cache_peer_domain or dstdomain.  I'd advise making a dstdom_regex acl
and using cache_peer_access for this peer.  Something like...

acl NWW dstdom_regex \.?nww\.
acl NHS dstdomain .nhs.uk
cache_peer_access 3.3.3.3 allow NHS
cache_peer_access 3.3.3.3 allow NWW
never_direct allow NWW

...in addition to the other rules you have listed.
 cache_peer_domain 1.1.1.1 parent .gsi.gov.uk
 cache_peer_domain 2.2.2.2 parent .gsi.gov.uk

 acl NHS dstdomain  nww. .nhs.uk
   
Obviously, this ACL should be adjusted as shown above.
 acl GSI dstdomain .gsi.gov.uk

 cache_peer_access 3.3.3.3 allow NHS
 cache_peer_access 1.1.1.1 allow GSI

 never_direct allow NHS
 never_direct allow GSI


 When trying to access http://nww.nhs.uk this goes via the correct path
 of 3.3.3.3, but our clients now wish to access the following websites,
 which cause a conflict: http://nww.nhsmessaging.co.uk/ Web sites like
 this cause me an issue because of the .co.uk which tries to go direct
 and nww tries to go via 3.3.3.3, also with
 http://www.pasa.nhs.uk/cat_default.asp the www. goes direct and the nhs.uk
 tries to go via 3.3.3.3. This is a major show stopper for the company.
 Is there a way around this as we need to send all nww down 3.3.3.3

 Thanks
  

 Levent Mehmet
 Network Analyst
 Server and Network Team
 [EMAIL PROTECTED] Operate Unit
 Market Towers, 20th Floor
 1 Nine Elms Lane
 London
 SW8 5NQ

 E-mail: [EMAIL PROTECTED]
 Phone: +44 20 7084 3517 
 Fax:   +44 20 7084 2536 
   
Chris

PLEASE NOTE: THE ABOVE MESSAGE WAS RECEIVED FROM THE INTERNET.
On entering the GSI, this email was scanned for viruses by the
Government Secure Intranet (GSi) virus scanning service supplied
exclusively by Cable  Wireless in partnership with MessageLabs.
In case of problems, please call your organisational IT Helpdesk.
The MessageLabs Anti Virus Service is the first managed service to
achieve the CSIA Claims Tested Mark (CCTM Certificate Number
2006/04/0007), the UK Government quality mark initiative for information
security products and services.  For more information about this please
visit www.cctmark.gov.uk



This email and any files transmitted with it are confidential. If you are not 
the intended recipient, any reading, printing, storage, disclosure, copying or 
any other action taken in respect of this email is prohibited and may be 
unlawful. 

If you are not the intended recipient, please notify the sender immediately by 
using the reply function and then permanently delete what you have 
received.Incoming and outgoing email messages are routinely monitored for 
compliance with the Department of Healths policy on the use of electronic 
communications. 

For more information on the Department of Healths email policy, click 
http;//www.doh.gov.uk/emaildisclaimer.htm

The original of this email was scanned for viruses by Government Secure 
Intranet (GSi)  virus scanning service supplied exclusively by Cable  Wireless 
in partnership with MessageLabs.
On leaving the GSI this email was certified virus free.
The MessageLabs Anti Virus Service is the first managed service to achieve the 
CSIA Claims Tested Mark (CCTM Certificate Number 2006/04/0007), the UK 
Government quality mark initiative for information security products and 
services.  For more information about this please visit www.cctmark.gov.uk


RE: [squid-users] Squid ACL (Is this Possible)

2006-09-20 Thread Henrik Nordstrom
On Wed 2006-09-20 at 11:28 +0100, Mehmet, Levent (Accenture) wrote:
 Thanks
 
 Please can you explain what this line means with its characters:
 
  acl NWW dstdom_regex \.?nww\.


maybe a dot followed by nww followed by a dot, anywhere in the hostname
component of the requested URL.

Probably this is not what was intended, as "maybe a dot" is always true,
even in somethingnww.example.com. I think the intended pattern more
likely is

  (^|\.)nww\.

which matches hostnames beginning with nww. or having .nww. anywhere in
their name.

Regards
Henrik


signature.asc
Description: This is a digitally signed message part
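
The difference between the two regexes above, and between a regex and a plain
dstdomain ACL, as an added example that is not code from this thread or from
Squid: a small Python model of how Squid compares a dstdomain pattern (leading
dot = domain and all subdomains, no dot = exact host) and a dstdom_regex
pattern (unanchored search) against the request hostname. The .nhs.uk / NWW
routing rules are the cache_peer_access lines Chris suggested; the hostnames
are constructed test inputs (Levent's examples plus one counter-example), and
case-insensitive regex matching (Squid's -i flag) is assumed.

```python
"""Model of Squid dstdomain and dstdom_regex matching (added example)."""
import re


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid's dstdomain rule: a pattern with a leading dot matches that domain
    and every subdomain of it; a pattern without one matches only that exact
    hostname. Comparison is case-insensitive. A value such as 'nww.' can
    therefore never match a real hostname, which is why a regex was advised."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def dstdom_regex_match(pattern: str, host: str) -> bool:
    """Squid's dstdom_regex rule: an unanchored regular-expression search over
    the request hostname. Case-insensitive matching (-i) is assumed here."""
    return re.search(pattern, host, re.IGNORECASE) is not None


# The two patterns discussed in the thread.
LOOSE_NWW = r"\.?nww\."      # first suggestion: the leading \.? is optional, so this
                             # is really just 'nww.' anywhere, even inside a label
STRICT_NWW = r"(^|\.)nww\."  # Henrik's correction: 'nww' must be a whole label


def goes_to_peer(host: str, nww_pattern: str = STRICT_NWW) -> bool:
    """Models the peer-selection lines for 3.3.3.3 from the thread:
         acl NHS dstdomain .nhs.uk
         acl NWW dstdom_regex <nww_pattern>
         cache_peer_access 3.3.3.3 allow NHS
         cache_peer_access 3.3.3.3 allow NWW
    A request is routed to the peer if either ACL matches."""
    return dstdomain_match(".nhs.uk", host) or dstdom_regex_match(nww_pattern, host)


def compare(host: str) -> dict:
    """How each construct classifies a single hostname."""
    return {
        "dstdomain .nhs.uk": dstdomain_match(".nhs.uk", host),
        "dstdomain nww.": dstdomain_match("nww.", host),   # the original, invalid value
        "loose regex": dstdom_regex_match(LOOSE_NWW, host),
        "strict regex": dstdom_regex_match(STRICT_NWW, host),
        "to peer (strict)": goes_to_peer(host),
    }


if __name__ == "__main__":
    # Constructed inputs: the hosts from the thread plus one that exposes the
    # loose pattern's over-match.
    for h in ["nww.nhs.uk", "nww.nhsmessaging.co.uk", "www.pasa.nhs.uk",
              "somethingnww.example.com", "www.bbc.co.uk"]:
        print(h, compare(h))
```

Running it shows the practical point: nww.nhsmessaging.co.uk reaches the peer
only through the regex (the .nhs.uk dstdomain does not match it), and the loose
pattern additionally sends somethingnww.example.com to the peer, which the
anchored pattern does not.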


Re: [squid-users] Squid ACL (Is this Possible)

2006-09-19 Thread Chris Robertson

Mehmet, Levent (Accenture) wrote:

 All

I currently have a setup which sends different domains to different
Cache_peers. This has been working fine with the below config.:

cache_peer 1.1.1.1 parent 80 80 no-query
cache_peer 2.2.2.2 parent 80 80 no-query
cache_peer 3.3.3.3 parent 3128 3130 no-query

cache_peer_domain 3.3.3.3 parent  nww. .nhs.uk
  
Hmmm...  I don't think that text followed by a dot is valid syntax for 
cache_peer_domain or dstdomain.  I'd advise making a dstdom_regex acl 
and using cache_peer_access for this peer.  Something like...


acl NWW dstdom_regex \.?nww\.
acl NHS dstdomain .nhs.uk
cache_peer_access 3.3.3.3 allow NHS
cache_peer_access 3.3.3.3 allow NWW
never_direct allow NWW

...in addition to the other rules you have listed.

cache_peer_domain 1.1.1.1 parent .gsi.gov.uk
cache_peer_domain 2.2.2.2 parent .gsi.gov.uk

acl NHS dstdomain  nww. .nhs.uk
  

Obviously, this ACL should be adjusted as shown above.

acl GSI dstdomain .gsi.gov.uk

cache_peer_access 3.3.3.3 allow NHS
cache_peer_access 1.1.1.1 allow GSI

never_direct allow NHS
never_direct allow GSI


When trying to access http://nww.nhs.uk this goes via the correct path
of 3.3.3.3, but our clients now wish to access the following websites,
which cause a conflict: http://nww.nhsmessaging.co.uk/ Web sites like
this cause me an issue because of the .co.uk which tries to go direct and
nww tries to go via 3.3.3.3, also with
http://www.pasa.nhs.uk/cat_default.asp the www. goes direct and the nhs.uk
tries to go via 3.3.3.3. This is a major show stopper for the company.
Is there a way around this as we need to send all nww down 3.3.3.3

Thanks
 

Levent Mehmet 
Network Analyst 
Server and Network Team 
[EMAIL PROTECTED] Operate Unit 
Market Towers, 20th Floor 
1 Nine Elms Lane 
London 
SW8 5NQ 

E-mail: [EMAIL PROTECTED] 
Phone: +44 20 7084 3517 
Fax:   +44 20 7084 2536 
  

Chris


Re: [squid-users] Squid acl containing hostnames issue

2006-05-29 Thread Tino Reichardt
* Jason Bassett [EMAIL PROTECTED] wrote:
 
 I am therefore looking for the easiest and most time effective method
 of blocking rooms when required.  Hostnames seemed to be the best way.
 
 Any ideas on this issue?

Restricting access on a per-user basis can also be done... just install
an ident daemon with your netlogon script and forbid / allow access
based on that. Ident daemons are available for most (all?) operating systems...

I have written a redirector, where you can allow / disallow access for
users / hosts via a web interface on-the-fly ... maybe that's also a point
:)

See http://www.mcmilk.de/projects/squidwall/ for more information about
the redirector.


-- 
regards, TR


Re: [squid-users] Squid acl containing hostnames issue

2006-05-26 Thread Chris Robertson

Jason Bassett wrote:


Hello

I work in a secondary school with 5 IT suites each with 20-30 
computers.  I have created an acl for each room containing the 
hostnames of the machines, for example an acl called R32 for room 32 
contains:


R32001
R32002
...
R32030

If I set this acl to deny, not all machines are denied access only a 
random group within the room.


I originally ran a GNU/Linux dhcp server to allocate static IPs to all 
network machines and then created acl's based on the IP ranges of 
machines in each room.  This worked perfectly but now Research 
Machines who support us have demanded I remove the GNU/Linux dhcp 
server otherwise they will not support our installation.


I am therefore looking for the easiest and most time effective method 
of blocking rooms when required.  Hostnames seemed to be the best way.


Any ideas on this issue?

Thanks

Jason


How are IP addresses going to be supplied?  Static assignment?  Or is a 
Windows server going to be providing DHCP (Can you just have the Windows 
server supply the DHCP reservations)?


How is the network set up?  Could each room be set up on its own subnet 
(most gateways support DHCP pass through)?


Another alternative:

1. Assign your Squid server an IP address for each room (e.g. 
192.168.0.32, 192.168.0.33, etc).
2. Have each room use its assigned IP for proxy (Room 32 uses 
192.168.0.32:3128 for proxy).

3. Use acl R32 myip 192.168.0.32/32 to prevent access.

Chris


RE: [squid-users] squid acl dhcp

2006-03-14 Thread Nick Duda

If you're on a domain (AD/NT), look at NTLM authentication. In
combination with squidGuard (using net ads ldap searching) you can build
custom files of users for processing policies.

- Nick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 7:15 AM
To: squid-users@squid-cache.org
Subject: [squid-users] squid acl dhcp


I have a LAN with DHCP, and sometimes the IP addresses change; worse
still, I have many subnets.
How should I structure my ACLs to involve as little administration as
possible.

only a privileged few should access internet.

--
 Peter Collins Wasenda
 Network Administrator
 IT Division, Corporate Services   
 Uganda Revenue Authority 
 P.O. Box 7279, Kampala   

 Tel: (041)334474,334535  
 Mob: 0752-996477 
 

---
 


This message was sent using IMP, the Internet Messaging Program.



-
Confidentiality note
The information in this email and any attachment may contain confidential and 
proprietary information of
VistaPrint and/or its affiliates and may be privileged or otherwise protected 
from disclosure. If you are
not the intended recipient, you are hereby notified that any review, reliance 
or distribution by others
or forwarding without express permission is strictly prohibited and may cause 
liability. In case you have
received this message due to an error in transmission, please notify the sender 
immediately and to delete
this email and any attachment from your system.
-


Re: [squid-users] squid acl dhcp

2006-03-14 Thread Henrik Nordstrom
On Tue 2006-03-14 at 15:14 +0300, [EMAIL PROTECTED] wrote:
 I have a LAN with DHCP, and sometimes the IP addresses change; worse 
 still, I have many subnets. 
 How should I structure my ACLs to involve as little administration as 
 possible.

Use authentication.

Regards
Henrik


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] squid acl dhcp

2006-03-14 Thread Odhiambo WASHINGTON
* On 14/03/06 15:14 +0300, [EMAIL PROTECTED] wrote:
| 
| I have a LAN with DHCP, and sometimes the IP addresses change; worse 
| still, I have many subnets. 
| How should I structure my ACLs to involve as little administration as 
| possible.
| 
| only a privileged few should access internet.

Use an authentication scheme not based on IPs!


-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+==+
|\  _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED]
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+

Fights between cats and dogs are prohibited by statute in Barber, North
Carolina.


RE: [squid-users] squid acl dhcp

2006-03-14 Thread Nick Duda

We use NTLM Authentication here. The rules that you configure in
squid.conf for the most part will only allow or deny access to
authenticated users. In other words either everyone is allowed or
everyone is denied.

With squidGuard you can build an acl based on the option userlist.
Userlist points to a local file with a username on each line. You can
then allow/deny based on that list. What I do, using the samba net
ads/rpc tools, is run a query against the domain controller for certain
criteria and build a local list of items.

For example, say I want everyone in the company to be denied access to a
certain website, except members of the HR department. I would run a
query against the domain controller for all members in the HR group and
build a local file with these names. I then schedule that as a cronjob
to run every so often to keep this list up to date. Now I can create a
rule that allows only people from HR (located in the local HREmployee
file) access to this website.

There are other cool things you can do with the net ads/rpc stuff. My
squidGuard redirector urls go to a local php script. This script runs
the (exec) command and gives me back results. I've been able to have
squidGuard email offenders dynamically when they hit websites they
shouldn't have.

- Nick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 7:24 AM
To: Nick Duda
Subject: RE: [squid-users] squid acl dhcp

thanks for your timely answer, however I don't seem to understand this
part of
your message, could you kindly elaborate

using net ads ldap searching) you can build custom files of users for
processing policies


Quoting Nick Duda [EMAIL PROTECTED]:


 If you're on a domain (AD/NT), look at NTLM authentication. In
 combination with squidGuard (using net ads ldap searching) you can
build
 custom files of users for processing policies.

 - Nick

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

 Sent: Tuesday, March 14, 2006 7:15 AM
 To: squid-users@squid-cache.org
 Subject: [squid-users] squid acl dhcp


 I have a LAN with DHCP, and sometimes the IP addresses change; worse
 still, I have many subnets.
 How should I structure my ACLs to involve as little administration as
 possible.

 only a privileged few should access internet.

 --

  Peter Collins Wasenda   

  Network Administrator   

  IT Division, Corporate Services  

  Uganda Revenue Authority

  P.O. Box 7279, Kampala  


  Tel: (041)334474,334535 

  Mob: 0752-996477

 


 ---
 


 
 This message was sent using IMP, the Internet Messaging Program.







--
 Peter Collins Wasenda
 Network Administrator
 IT Division, Corporate Services   
 Uganda Revenue Authority 
 P.O. Box 7279, Kampala   

 Tel: (041)334474,334535  
 Mob: 0752-996477 
 Mail:[EMAIL PROTECTED]

---
 


This message was sent using IMP, the Internet Messaging Program.





Re: [squid-users] Squid ACL [url_regex] bypass vulnerability

2005-02-15 Thread Henrik Nordstrom
On Tue, 15 Feb 2005, Yong Bong Fong wrote:
A bug in Squid allows users to bypass certain access controls by passing a
URL containing %00 which exploits the Squid decoding function.
See http://www.squid-cache.org/Advisories/SQUID-2004_1.txt for details of 
this old vulnerability.

Does it mean that any url containing the symbol % will not work with 
url_regex?
url_regex normalizes the URL, if not it would be trivial to bypass by just 
%nn encoding sensitive parts.

As a side effect, matching % is not easy.
Regards
Henrik
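
An added illustration of Henrik's point (example code written for this page,
not Squid's own implementation): an access check applied to the URL exactly as
the client sent it is trivially bypassed with %nn encoding, while the same
check on a normalized URL is not, and a decoded NUL byte is safest refused
outright. The blocked-path regex and the request URLs are constructed; the code
reproduces nothing of the specific Squid bug the advisory describes, only the
general normalize-before-match discipline, and it shows the side effect Henrik
mentions: after decoding, a regex for a literal % no longer sees the % that
encoded an ordinary character.

```python
"""Normalize-then-match for URL access controls (added example)."""
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed policy: deny the admin area of an internal site.
BLOCKED = re.compile(r"^http://intranet\.example\.com/admin(/|$)", re.IGNORECASE)


def normalize_url(url: str) -> str:
    """Canonical form used for matching: lowercase scheme and host, and a
    percent-decoded path. A decoded NUL (%00) is refused rather than passed
    on, so no later C-string handling can ever see a shortened path."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    if "\x00" in path:
        raise ValueError("NUL byte in decoded URL path")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path,
                       parts.query, parts.fragment))


def raw_decision(url: str) -> str:
    """Naive filter: the regex is applied to the raw request URL."""
    return "deny" if BLOCKED.search(url) else "allow"


def normalized_decision(url: str) -> str:
    """Filter applied after normalization; a URL that cannot be normalized
    safely is denied instead of being let through."""
    try:
        canonical = normalize_url(url)
    except ValueError:
        return "deny"
    return "deny" if BLOCKED.search(canonical) else "allow"


LITERAL_PERCENT = re.compile(r"%")


def percent_sign_visible(url: str) -> tuple:
    """(literal % present in the raw URL, literal % present after decoding).
    Once %41 has become 'A', a url_regex written for '%' no longer matches."""
    return (LITERAL_PERCENT.search(url) is not None,
            LITERAL_PERCENT.search(normalize_url(url)) is not None)


if __name__ == "__main__":
    # Constructed request URLs.
    for u in ["http://intranet.example.com/admin/",
              "http://intranet.example.com/%61dmin/",
              "http://INTRANET.example.com/%41DMIN/",
              "http://intranet.example.com/admin%00/public",
              "http://intranet.example.com/public/"]:
        print(f"{u:48} raw={raw_decision(u):5} normalized={normalized_decision(u)}")
```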


RE: [squid-users] SQUID- ACL for different time frame for differe nt block of IP addresses.

2005-02-08 Thread Chris Robertson
 -Original Message-
 From: thomas [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, February 08, 2005 8:16 AM
 To: squid-users@squid-cache.org
 Subject: [squid-users] SQUID- ACL for different time frame for different
 block of IP addresses.
 
 
 Dear All
 Requirement has arisen to provide access to a group of machine
 categorized based on IP address.
 
 ACL created is as follows:-
 
 acl fulltime_ip src 10.10.10.40-10.10.10.254
 acl slot1_ip src 10.10.10.25 10.10.10.30 10.10.10.35
 acl slot1_time time 08:00-10:00
 acl slot2_ip src 10.10.10.39   10.10.10.40 10.10.10.41
 acl slot2_time time 10:00-12:00
 acl CONNECT method CONNECT
 acl ncsa_users proxy_auth REQUIRED
 
 HTTP_ACCESS statements are as follows:-
 
 http_access allow localhost
 http_access allow ncsa_users
^
All authenticated users (no matter the IP or the time, source or
destination) are allowed access

 http_access allow slot1_ip slot1_time
 http_access allow slot2_ip slot2_time
 http_access allow fulltime_ip
 http_access allow Safe_ports
^
Everyone (no matter the IP or the time) is allowed access to Safe_ports

 http_reply_access allow all
 icp_access allow all
 miss_access allow all
 http_access allow SSL_ports
 http_access deny all
 
 Q1= With above ACL and http_access, machines are not getting denied
 though they are supposed to be denied apart from their specified time
 slot.
 
 Q2= Is the http_access sequence OK? If not what should be?
 
 Q3= Please suggest better way of doing the same?
 
 Q4= Similar to http_access sequence, should I have to take care of acl
 statement sequence too?
 
 TIA

This is probably how you want to do it:

http_access deny !Safe_ports  # Deny anyone from accessing a non-safe port
http_access deny CONNECT !SSL_ports # Deny CONNECT requests to non-SSL ports
http_access deny !ncsa_users  # Require authentication
http_access allow localhost   # Allow surfing from the local machine (with authentication)
http_access allow slot1_ip slot1_time  # Allow slot1 IPs during their time (with authentication)
http_access allow slot2_ip slot2_time  # Allow slot2 IPs during their time (with authentication)
http_access allow fulltime_ip # Allow fulltime IPs anytime (with authentication)
http_access deny all  # Just for clarity


icp_access is only useful (to the best of my knowledge) if you have sibling
or child caches.
http_reply_access only needs to be specifically allowed if you are denying
some.


Chris
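
To make the first-match rule concrete (it is the same rule Amos gives for the
IPCop thread above: http_access lines are tried in order and the first line
whose ACLs all match decides), here is an added Python model, not code from
this thread or from Squid, that evaluates Thomas's posted order and Chris's
corrected order side by side on the same requests. Assumptions are labelled in
the code: the Safe_ports and SSL_ports lists are the usual defaults, the time
ACL's end is treated as exclusive, and a request with no credentials is
reported as deny where real Squid would send a 407 challenge.

```python
"""Model of Squid's first-match http_access evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    src: str                        # client IP
    host: str                       # requested host (not used by these ACL types)
    port: int                       # destination port
    method: str = "GET"
    user: Optional[str] = None      # None = no Proxy-Authorization credentials
    minute_of_day: int = 9 * 60     # time the request arrives


class Ruleset:
    def __init__(self):
        self.acls = {}
        self.rules = []

    def acl(self, name, kind, *values):
        self.acls.setdefault(name, []).extend((kind, v) for v in values)

    def http_access(self, action, *terms):
        self.rules.append((action, terms))

    @staticmethod
    def _match_value(kind, value, req):
        if kind == "src":
            if "-" in value:                        # address range a-b
                lo, hi = (int(ipaddress.ip_address(x)) for x in value.split("-"))
                return lo <= int(ipaddress.ip_address(req.src)) <= hi
            return ipaddress.ip_address(req.src) in ipaddress.ip_network(value, strict=False)
        if kind == "time":                          # HH:MM-HH:MM, end assumed exclusive
            start, end = value.split("-")
            to_min = lambda s: int(s[:2]) * 60 + int(s[3:])
            return to_min(start) <= req.minute_of_day < to_min(end)
        if kind == "port":                          # single port or lo-hi range
            lo, _, hi = value.partition("-")
            return int(lo) <= req.port <= int(hi or lo)
        if kind == "method":
            return req.method == value
        if kind == "proxy_auth":                    # REQUIRED: any authenticated user
            return req.user is not None
        raise ValueError(f"unsupported acl type {kind}")

    def _acl_matches(self, name, req):
        # Several values on one ACL are ORed.
        return any(self._match_value(k, v, req) for k, v in self.acls[name])

    def decide(self, req):
        """Terms on one line are ANDed and '!' negates; the first line whose
        terms all hold decides. With no match, Squid applies the opposite of
        the last line's action."""
        for action, terms in self.rules:
            if all(self._acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action
        return "deny" if self.rules[-1][0] == "allow" else "allow"


def build(fixed_order: bool) -> Ruleset:
    r = Ruleset()
    r.acl("all", "src", "0.0.0.0/0.0.0.0")
    r.acl("localhost", "src", "127.0.0.1/32")
    r.acl("fulltime_ip", "src", "10.10.10.40-10.10.10.254")
    r.acl("slot1_ip", "src", "10.10.10.25", "10.10.10.30", "10.10.10.35")
    r.acl("slot1_time", "time", "08:00-10:00")
    r.acl("slot2_ip", "src", "10.10.10.39", "10.10.10.40", "10.10.10.41")
    r.acl("slot2_time", "time", "10:00-12:00")
    r.acl("Safe_ports", "port", "80", "21", "443", "1025-65535")  # assumed defaults
    r.acl("SSL_ports", "port", "443")                            # assumed default
    r.acl("CONNECT", "method", "CONNECT")
    r.acl("ncsa_users", "proxy_auth", "REQUIRED")
    posted = ("allow localhost", "allow ncsa_users", "allow slot1_ip slot1_time",
              "allow slot2_ip slot2_time", "allow fulltime_ip", "allow Safe_ports",
              "allow SSL_ports", "deny all")
    corrected = ("deny !Safe_ports", "deny CONNECT !SSL_ports", "deny !ncsa_users",
                 "allow localhost", "allow slot1_ip slot1_time",
                 "allow slot2_ip slot2_time", "allow fulltime_ip", "deny all")
    for line in (corrected if fixed_order else posted):
        r.http_access(*line.split())
    return r


def evaluate_both(req: Request) -> tuple:
    """(decision under the posted order, decision under the corrected order)."""
    return build(False).decide(req), build(True).decide(req)


if __name__ == "__main__":
    cases = [  # constructed requests
        ("slot1 host, authenticated, 11:00", Request("10.10.10.25", "example.com", 80, user="bob", minute_of_day=11 * 60)),
        ("slot1 host, authenticated, 09:00", Request("10.10.10.25", "example.com", 80, user="bob", minute_of_day=9 * 60)),
        ("unlisted host, no credentials", Request("10.10.10.5", "example.com", 80)),
        ("fulltime host, CONNECT to port 25", Request("10.10.10.100", "mail.example.com", 25, method="CONNECT", user="bob")),
    ]
    for label, req in cases:
        posted, fixed = evaluate_both(req)
        print(f"{label:36} posted={posted:5} corrected={fixed}")
```

Running it shows the two defects Chris marked: under the posted order the slot1
host at 11:00 is allowed (allow ncsa_users fires before the time rule is ever
reached) and an unauthenticated, unlisted host on port 80 is allowed through
allow Safe_ports; under the corrected order both are denied while the slot1
host at 09:00 is still allowed.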


Re: [squid-users] SQUID- ACL for different time frame for different block of IP addresses.

2005-02-08 Thread Alexander Varga
Hi Thomas
I am not too familiar with it either, but I write my ACLs differently:
I deny every kind of traffic I don't want to have.

The http_access allow Safe_ports ... allows everything, I think.

I would write the restrictions as:

acl time1 time 08:00-10:00
acl time2 time 10:00-12:00
http_access deny slot1_ip !time1 
http_access deny slot2_ip !time2

Alexander

--- thomas [EMAIL PROTECTED] wrote:

 Dear All
 Requirement has arisen to provide access to a group of machine
 categorized based on IP address.
 
 ACL created is as follows:-
 
 acl fulltime_ip src 10.10.10.40-10.10.10.254
 acl slot1_ip src 10.10.10.25 10.10.10.30 10.10.10.35
 acl slot1_time time 08:00-10:00
 acl slot2_ip src 10.10.10.39   10.10.10.40 10.10.10.41
 acl slot2_time time 10:00-12:00
 acl CONNECT method CONNECT
 acl ncsa_users proxy_auth REQUIRED
 
 HTTP_ACCESS statements are as follows:-
 
 http_access allow localhost
 http_access allow ncsa_users
 http_access allow slot1_ip slot1_time
 http_access allow slot2_ip slot2_time
 http_access allow fulltime_ip
 http_access allow Safe_ports
 http_reply_access allow all
 icp_access allow all
 miss_access allow all
 http_access allow SSL_ports
 http_access deny all
 
 Q1= With above ACL and http_access, machines are not getting denied
 though they are supposed to be denied apart from their specified time
 slot.
 
 Q2= Is the http_access sequence OK? If not what should be?
 
 Q3= Please suggest better way of doing the same?
 
 Q4= Similar to http_access sequence, should I have to take care of acl
 statement sequence too?
 
 TIA
 




__ 
Do you Yahoo!? 
The all-new My Yahoo! - Get yours free! 
http://my.yahoo.com 
 



Re: [squid-users] Squid ACL

2004-09-12 Thread Christoph Haas
On Sun, Sep 12, 2004 at 12:57:16PM +0200, Marek Pawinski wrote:
 I want to bypass my proxy server for a certain https url with a certain 
 port, i have tried with webmin with no luck. What would i put in 
 squid.conf to achieve this ?

What part of squid do you want to bypass? Obviously you cannot bypass
Squid completely by configuring anything in the squid.conf. The moment
that Squid receives the query it is already too late. (Although this is
frequently asked on IRC.) You need to make the browsers not even ask
Squid for those URLs.

Cheers
 Christoph

-- 
~
~
.signature [Modified] 3 lines --100%--3,41 All


Re: [squid-users] squid acl

2004-06-04 Thread Emilio Casbas
deny1 wrote:
Hello, good morning.
I am setting up squid with the ncsa_auth plugin.
Here are my ACLs in squid.conf:
Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localdomain src 192.168.0.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl Users proxy_auth REQUIRED



# Only allow cachemgr access from localhost
http_access allow manager localdomain
http_access deny !Users
# Deny requests to unknown ports
http_access allow localdomain
# Deny CONNECT to other than SSL ports
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
when i launched  squid i get
Failed to reconfigure squid :
2004/06/04 08:49:56| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl 
Users proxy_auth REQUIRED' because no authentication schemes are fully 
configured.
2004/06/04 08:49:56| aclParseAclLine: IGNORING invalid ACL: acl Users 
proxy_auth REQUIRED
2004/06/04 08:49:56| squid.conf line 1758: http_access deny !Users
2004/06/04 08:49:56| aclParseAccessLine: ACL name 'Users' not found.
2004/06/04 08:49:56| squid.conf line 1758: http_access deny !Users
2004/06/04 08:49:56| aclParseAccessLine: Access line contains no 
ACL's, skipping

thanks
Who is Users?
see http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#configuring-proxy-auth
Emilio C.




Re: [squid-users] squid acl

2004-06-04 Thread deborha malka

 --- deny1 [EMAIL PROTECTED] wrote:  Hello, good
morning
 I am setting up Squid with the ncsa_auth plugin
 
 here are my ACLs in squid.conf
 
 # Recommended minimum configuration:
 acl all src 0.0.0.0/0.0.0.0
 acl manager proto cache_object
 acl localdomain src 192.168.0.0/255.255.255.0
 acl to_localhost dst 127.0.0.0/8
 acl SSL_ports port 443 563
 acl Safe_ports port 80
 acl Safe_ports port 21
 acl Safe_ports port 443 563
 acl Safe_ports port 70
 acl Safe_ports port 210
 acl Safe_ports port 1025-65535
 acl Safe_ports port 280
 acl Safe_ports port 488
 acl Safe_ports port 591
 acl Safe_ports port 777
 acl CONNECT method CONNECT
 acl Users proxy_auth REQUIRED
 
 
 
 
 
 
 
 
 # Only allow cachemgr access from localhost
 http_access allow manager localdomain
 http_access deny !Users
 # Deny requests to unknown ports
 http_access allow localdomain
 # Deny CONNECT to other than SSL ports
 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 
 
 when i launched  squid i get
 
 Failed to reconfigure squid :
 
 2004/06/04 08:49:56| aclParseAclLine: IGNORING:
 Proxy Auth ACL 'acl 
 Users proxy_auth REQUIRED' because no authentication
 schemes are fully 
 configured.
 2004/06/04 08:49:56| aclParseAclLine: IGNORING
 invalid ACL: acl Users 
 proxy_auth REQUIRED
 2004/06/04 08:49:56| squid.conf line 1758:
 http_access deny !Users
 2004/06/04 08:49:56| aclParseAccessLine: ACL name
 'Users' not found.
 2004/06/04 08:49:56| squid.conf line 1758:
 http_access deny !Users
 2004/06/04 08:49:56| aclParseAccessLine: Access line
 contains no ACL's, 
 skipping
 
 
 thanks 

But you do not 'tell' it which authentication program to use:
the line with:
authenticate_program /.../ncsa_auth file_with_users !!


=
=
Déborah Malka







Re: [squid-users] squid acl

2004-06-04 Thread Muthukumar



 hello good morning
 i am setting squid with the ncsa_auth plugin


What is your authentication program setting in squid.conf file?

Regards,
Muthukumar.






Re: [squid-users] squid acl

2004-06-04 Thread deny1


Who is Users?
see http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#configuring-proxy-auth
I have created /etc/squid/users and wrote my users and passwords.
After that I added in my Webmin authentication plugin:
/usr/lib/squid/ncsa_auth  /etc/squid/usersUsers
A++



Re: [squid-users] squid acl

2004-06-04 Thread Emilio Casbas
deny1 wrote:


Who is Users?
see 
http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#configuring-proxy-auth

I have created /etc/squid/users and wrote my users and passwords.
After that I added in my Webmin authentication plugin:
/usr/lib/squid/ncsa_auth  /etc/squid/usersUsers
A++

But it isn't in your squid.conf.
You have to put a line
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/usersUsers
then your
acl Users proxy_auth REQUIRED
refers to the authentication program, or,
to be clear,
acl ncsa proxy_auth REQUIRED
Now you have to define who your clients for authentication will be.
Emilio C.





Re: [squid-users] squid acl

2004-06-04 Thread Muthukumar

  after i  add in my webmin's authentification plugin
  /usr/lib/squid/ncsa_auth  /etc/squid/usersUsers
 

Change the permissions of the /etc/squid/usersUsers file so that the user set by
cache_effective_user can read it.

 You have to put a line
 auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/usersUsers
 then your
 acl Users proxy_auth REQUIRED
 referer to authentication program or
 to be clear
 acl ncsa proxy_auth REQUIRED

 Now you have to create who will be yours clients for authentication.


Check it from the command line as
/usr/lib/squid/ncsa_auth  /etc/squid/usersUsers user1 password1  (where user1 is the
username and password1 the password for user1)
OK
or
ERR

If you get OK, then the user exists in the file and your ncsa_auth method is
good to plug into Squid.

Regards,
Muthukumar.






Re: [squid-users] squid acl

2004-06-04 Thread deny1

But you do not 'tell' him the program authentication:
the line with :
authenticate_program /.../ncsa_auth file_with_users !!
 

OK, I think it's a bad thing to use Webmin with Squid.
I prefer now to add directly to squid.conf,
so I try:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localdomain src 192.168.0.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl Users proxy_auth REQUIRED
http_access allow manager localdomain
http_access allow localdomain
# Deny requests to unknown ports
http_access deny manager
# Deny CONNECT to other than SSL ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
auth_param basic /usr/lib/squid/ncsa_auth /etc/squid/users
and I get:
[EMAIL PROTECTED] squid]# squid -D
2004/06/04 13:10:00| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl 
Users proxy_auth REQUIRED' because no authentication schemes are fully 
configured.
2004/06/04 13:10:00| aclParseAclLine: IGNORING invalid ACL: acl Users 
proxy_auth REQUIRED
2004/06/04 13:10:00| unrecognised basic auth scheme parameter 
'/usr/lib/squid/ncsa_auth'

thanks
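What the thread is missing, shown here as an added example rather than anything posted in it: the program named on the auth_param basic program line is a helper that Squid starts once and talks to over stdin and stdout. Squid writes one "user password" pair per line (URL-encoded in Squid 3 and later) and the helper answers OK or ERR on a line of its own; the same exchange can be driven by hand with echo "user1 password1" | /usr/lib/squid/ncsa_auth /etc/squid/users. The Python below is a stand-in for that helper, not Squid's ncsa_auth. It assumes an htpasswd-style password file with {SHA} entries (what htpasswd -s writes); the users alice and bob and their passwords are constructed. Check the real helper's documentation for which hash formats it accepts before relying on one.

```python
"""Minimal Squid basic-auth helper (added example, not Squid's ncsa_auth)."""
import base64
import hashlib
import hmac
import sys
from urllib.parse import unquote


def sha_entry(user, password):
    """Build one htpasswd line in {SHA} format (the output of `htpasswd -s`)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def load_users(lines):
    """Parse 'user:hash' lines into a dict; comments, blanks and junk are skipped."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def check_password(users, user, password):
    """True only for a known user whose {SHA} hash matches; unknown users and
    unsupported hash formats fail closed."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = stored[len("{SHA}"):]
    actual = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(expected, actual)   # constant-time comparison


def handle_line(users, line):
    """One helper request: 'user password' (URL-encoded fields) -> 'OK' or 'ERR'."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"          # malformed request: never authenticate by accident
    user, password = (unquote(p) for p in parts)
    return "OK" if check_password(users, user, password) else "ERR"


# Constructed credential file standing in for /etc/squid/users; not real users.
SAMPLE_USERS = load_users([
    "# /etc/squid/users (constructed sample)",
    sha_entry("alice", "s3cret"),
    sha_entry("bob", "hunter2"),
])


def main(path=None):
    """Run as Squid would: answer one request per stdin line until EOF."""
    if path is None:
        users = SAMPLE_USERS
    else:
        with open(path) as fh:
            users = load_users(fh)
    for line in sys.stdin:
        print(handle_line(users, line), flush=True)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it the way Muthukumar suggests testing the real helper, feeding the pair on stdin: echo "alice s3cret" | python3 helper.py prints OK, a wrong password prints ERR. The flush on every answer matters: Squid waits for the reply line, and a buffered helper looks hung.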



RE: [squid-users] Squid ACL

2004-05-17 Thread Angela Burrell

I don't know if this will solve it but I have this rule at the end of my acl
(denies everything that doesn't match your rule)

http_access deny all

-Original Message-
From: Skarbet [mailto:[EMAIL PROTECTED]
Sent: Monday, May 17, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] Squid ACL


Hi,
I'm using squid 2.4.STABLE7 and trying to stop users from
downloading large files and accessing some servers. This is
my ACL:

#My Access List
acl limit_conn src 192.168.1.0/24
acl 6conn maxconn 6
acl post method post
acl exe urlpath_regex -i \.exe$
acl local src 192.168.1.0/24
acl download dstdomain .download.com
acl telecharger dstdomain .telecharger.com
acl multimedia urlpath_regex -i \.mp3$ \.mpg$ \.mpeg$ \.rm$ \.avi$ \.asf$ \.wma$ \.wav$ \.wmv$ \.ogg$ \.midi$ \.mov$ \.movie$
acl application urlpath_regex -i \.zip$ \.rar$ \.gz$ \.tgz$ \.bz2$ \.msi$ \.bin$ \.tar$ \.com$
#END My Access List

#My Rules
http_access allow local
http_access deny 6conn limit_conn
http_access deny download
http_access deny telecharger
http_access deny exe !post
http_access deny multimedia
http_access deny application
#END MY RULES

But this does not work! Can you show
me what's wrong?









Re: [squid-users] Squid ACL

2004-05-17 Thread Arno . STREULI

Your first ACL allows full access from the local network (192.168.1.0/24). If
your users are in this range, Squid will never go further in the ACL check.
Move the first line to the end, so Squid will process your deny lines first.

Regards,

Arno



   
   
From: Skarbet [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [squid-users] Squid ACL
Date: 17.05.04 14:36




Hi,
I'm using squid 2.4.STABLE7 and trying to stop users from
downloading large files and accessing some servers. This is
my ACL:

#My Access List
acl limit_conn src 192.168.1.0/24
acl 6conn maxconn 6
acl post method post
acl exe urlpath_regex -i \.exe$
acl local src 192.168.1.0/24
acl download dstdomain .download.com
acl telecharger dstdomain .telecharger.com
acl multimedia urlpath_regex -i \.mp3$ \.mpg$ \.mpeg$ \.rm$ \.avi$ \.asf$ \.wma$ \.wav$ \.wmv$ \.ogg$ \.midi$ \.mov$ \.movie$
acl application urlpath_regex -i \.zip$ \.rar$ \.gz$ \.tgz$ \.bz2$ \.msi$ \.bin$ \.tar$ \.com$
#END My Access List

#My Rules
http_access allow local
http_access deny 6conn limit_conn
http_access deny download
http_access deny telecharger
http_access deny exe !post
http_access deny multimedia
http_access deny application
#END MY RULES

But this does not work! Can you show
me what's wrong?













**
DISCLAIMER - E-MAIL
---
The information contained in this E-Mail is intended for the named
recipient(s). It may  contain certain  privileged and confidential
information, or  information  which  is  otherwise  protected from
disclosure. If  you  are  not the intended recipient, you must not
copy,distribute or take any action in reliance on this information
**



Re: [squid-users] Squid ACL

2004-05-17 Thread Christoph Haas
On Mon, May 17, 2004 at 02:36:20PM +0200, Skarbet wrote:
 I'm using squid 2.4.STABLE7 and trying to stop users from
 downloading large files and accessing some servers. This is
 my ACL:
  
 #My Access List 
 acl limit_conn src 192.168.1.0/24
 acl 6conn maxconn 6
 acl post method post 
 acl exe urlpath_regex -i \.exe$
 acl local src 192.168.1.0/24
 acl download dstdomain .download.com
 acl telecharger dstdomain .telecharger.com
 acl multimedia urlpath_regex -i \.mp3$ \.mpg$ \.mpeg$ \.rm$ \.avi$ \.asf$ \.wma$ \.wav$ \.wmv$ \.ogg$ \.midi$ \.mov$ \.movie$
 acl application urlpath_regex -i \.zip$ \.rar$ \.gz$ \.tgz$ \.bz2$ \.msi$ \.bin$ \.tar$ \.com$
 #END My Access List
  
 #My Rules
 http_access allow local
 http_access deny 6conn limit_conn
 http_access deny download
 http_access deny telecharger
 http_access deny exe !post
 http_access deny multimedia
 http_access deny application
 #END MY RULES
  
 But this does not work! Can you show
 me what's wrong?

Are you sure you first allow all local IPs through and then want to restrict
them? Or are your clients on different networks than 192.168.1.0/24?

 Christoph



Re: [squid-users] squid acl help needed

2003-09-19 Thread Henrik Nordstrom
On Fri, 19 Sep 2003, Payal Rathod wrote:

 What if I have to allow from time 09:00-10:00 and 6:00-07:00 too with
 lunchbreak?
 
 I mean the users can access hotmail, yahoo in the above 3 hours only.

Then replace lunchbreak with the following

acl coffeebreak time 09:00-10:00
acl coffeebreak time 13:00-14:00
acl coffeebreak time 18:00-19:00

Regards
Henrik


note: Squid-2.5.STABLE2 or later required, for earlier versions you need 
to create one ACL per time interval



Re: [squid-users] squid acl help needed

2003-09-19 Thread Payal Rathod
On Fri, Sep 19, 2003 at 02:14:49PM +0200, Henrik Nordstrom wrote:
 On Fri, 19 Sep 2003, Payal Rathod wrote:
 
  What if I have to allow from time 09:00-10:00 and 6:00-07:00 too with
  lunchbreak?
  
  I mean the users can access hotmail, yahoo in the above 3 hours only.
 
 Then replace lunchbreak with the following
 
 acl coffeebreak time 09:00-10:00
 acl coffeebreak time 13:00-14:00
 acl coffeebreak time 18:00-19:00

Wowww! I thought that three acls by the same name might create a
problem.

-Payal


 Regards
 Henrik
 
 
 note: Squid-2.5.STABLE2 or later required, for earlier versions you need 
 to create one ACL per time interval
 

-- 
For GNU/Linux Success Stories and Articles visit:
  http://payal.staticky.com


RE: [squid-users] squid acl help needed

2003-09-19 Thread Adam Aube
 Then replace lunchbreak with the following
 
 acl coffeebreak time 09:00-10:00
 acl coffeebreak time 13:00-14:00
 acl coffeebreak time 18:00-19:00
 
 Wowww! I thought that three acls by the same name might
 create a problem.

No, all it does is combine them - just as if you did:

acl coffeebreak time 09:00-10:00 13:00-14:00 18:00-19:00

Both will work.

Adam


Re: [squid-users] squid acl help needed

2003-09-19 Thread Henrik Nordstrom
On Fri, 19 Sep 2003, Payal Rathod wrote:

 Wowww! I thought that three acls by the same name might create a
 problem.

Not as long as you always stuff the same type of content into the acl.

For most ACLs you can list as many things as you want to match on the same 
line, or on multiple lines.

The time acl is an exception that you can only list a single time per 
line, but you can still list multiple lines.

Regards
Henrik



RE: [squid-users] squid acl help needed

2003-09-19 Thread Adam Aube
 The time acl is an exception that you can only list a single time per
 line, but you can still list multiple lines.

That I did not know - thanks for the correction.

Adam



RE: [squid-users] squid acl help needed

2003-09-18 Thread Adam Aube
 I am at a loss to configure squid acl meeting the following
 requirements.

There is a Squid FAQ on how acl and http_access logic works; read that
if you haven't already.

You'll need src, time, and dstdomain acls to get this to work, and
you'll need to order them in http_access properly. More info on the
acls is available in the default squid.conf.

If you try a specific setup and it doesn't do what you want, post to
the list again. Explain what it is doing, what you expected it to do,
and provide your squid.conf (without comments or blank lines).

Adam



Re: [squid-users] squid acl help needed

2003-09-18 Thread Henrik Nordstrom
On Thu, 18 Sep 2003, Payal Rathod wrote:

 Hi,
 I am at a loss to configure squid acl meeting the following
 requirements.
 
 1. All clients must have internet access throughout the day.

acl my_network src 192.168.10.0/24 ...

[used below]

 2. Clients 192.168.10.1, 192.168.10.2, 192.168.10.5 (can be
 changed to something appropriate if you wish) will have access to all
 sites throughout the day.


acl special_clients src 192.168.10.1 ...
http_access allow special_clients

 3. Rest all can access net/other sites throughout but can access yahoo.com and
 hotmail.com *only* during 1:00 pm to 2:00 pm

acl webmail dstdomain .yahoo.com .hotmail.com
acl lunchbreak time 13:00-14:00

http_access deny !lunchbreak webmail
http_access allow my_network


in the order given, where instructed to by the comments in 
the default squid.conf.

Regards
Henrik
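As an added example, not Squid code and not from any message above, the following Python models the rule evaluation that both the Skarbet thread (allow local placed before the deny lines) and Henrik's lunchbreak layout depend on: http_access lines are tried in order, the first line whose every term matches decides, a leading ! negates one term, several acl lines with the same name accumulate into one acl (the coffeebreak point), and when no line matches Squid applies the opposite of the last line's action. The configs BROKEN, FIXED and LUNCH are constructed from the threads' examples rather than copied; only the acl types they use are modelled (src, dstdomain, urlpath_regex, time), and the toy's dstdomain and time matching are simplifications of Squid's.

```python
"""Toy model of Squid acl / http_access evaluation (added example, not Squid code)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    src: str                # client IP address
    host: str               # destination host name
    path: str = "/"         # URL path, matched by urlpath_regex
    hhmm: str = "12:00"     # local time of day, matched by the `time` acl


_minutes = lambda hhmm: int(hhmm.split(":")[0]) * 60 + int(hhmm.split(":")[1])


def parse_conf(text):
    """Return (acls, rules); a repeated `acl NAME TYPE ...` appends to the same acl."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            acl = acls.setdefault(name, {"type": kind, "flags": set(), "values": []})
            if acl["type"] != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            acl["flags"].update(a for a in args if a.startswith("-"))
            acl["values"].extend(a for a in args if not a.startswith("-"))
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))   # ("allow" | "deny", terms)
    return acls, rules


def acl_matches(acl, req):
    kind, vals = acl["type"], acl["values"]
    if kind == "src":
        return any(ip_address(req.src) in ip_network(v, strict=False) for v in vals)
    if kind == "dstdomain":     # a leading dot covers the domain and its subdomains
        h = req.host.lower()
        return any(h == v.lstrip(".") or (v.startswith(".") and h.endswith(v))
                   for v in (x.lower() for x in vals))
    if kind == "urlpath_regex":
        flags = re.IGNORECASE if "-i" in acl["flags"] else 0
        return any(re.search(v, req.path, flags) for v in vals)
    if kind == "time":          # HH:MM-HH:MM ranges; any listed range may match
        now = _minutes(req.hhmm)
        return any(_minutes(a) <= now < _minutes(b)
                   for a, b in (v.split("-") for v in vals))
    raise ValueError(f"unsupported acl type {kind}")


def http_access(acls, rules, req):
    """First matching line wins; every term on it must match and `!` negates a
    term. With no match Squid uses the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!")
               for t in terms):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


def decide(conf, req):
    return http_access(*parse_conf(conf), req)


# Constructed configs (not copied verbatim from the thread).
# Skarbet's order: `allow local` first, so local clients never reach the denies.
BROKEN = r"""
acl local src 192.168.1.0/24
acl download dstdomain .download.com
acl exe urlpath_regex -i \.exe$
http_access allow local
http_access deny download
http_access deny exe
"""
# Denies first, the local allow last, and an explicit `deny all`.
FIXED = r"""
acl all src 0.0.0.0/0
acl local src 192.168.1.0/24
acl download dstdomain .download.com
acl exe urlpath_regex -i \.exe$
http_access deny download
http_access deny exe
http_access allow local
http_access deny all
"""
# Henrik's lunchbreak layout, plus a second `lunchbreak` line to show that
# repeated acl lines accumulate into one acl.
LUNCH = """
acl all src 0.0.0.0/0
acl my_network src 192.168.10.0/24
acl webmail dstdomain .yahoo.com .hotmail.com
acl lunchbreak time 13:00-14:00
acl lunchbreak time 09:00-10:00
http_access deny !lunchbreak webmail
http_access allow my_network
http_access deny all
"""
```

decide(BROKEN, Request("192.168.1.10", "download.com")) returns allow because the local allow matched first; the same request against FIXED returns deny. Note also what BROKEN does for a client outside 192.168.1.0/24: nothing matches, the last line is a deny, so the implicit default is allow, which is the reason for Angela's closing deny all.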