On 22/01/2013 2:22 a.m., Marcus Kool wrote:
Although Squid ACLs can do almost anything they are not the simplest
thing to configure. A URL redirector like ufdbGuard offloads work from Squid
and can do the same thing using a more intuitive configuration:


I don't see how {} syntax with lots of "pass none" inside else conditions can be more intuitive.
Note the following direct 1:1 translation of UFDB syntax into Squid syntax.

Also, the overheads of using the URL redirector interface to Squid place a lot of limitations on what transaction details can be tested for and additional processing Squid must perform in order to utilize the helpers results.

PS. if this is the main pull ufdbGuard has nowdays would you consider joining the squid dev team and helping the efforts to further improve the squid.conf syntax, parse, and ACL processing?


source admin {
   ip 10.77.88.47
}

acl admin src 10.77.88.47

source managers {
   ip 10.77.88.42-10.77.88.46
}

acl managers src 10.77.88.42-10.77.88.46

source classroom {
   ip 10.77.88.1-10.77.88.41
}

acl classroom src 10.77.88.1-10.77.88.41

category whitelist01 {
   domainlist ".../whitelist01/domains"
}

acl whitelist01 dstdomain ".../whitelist01/domains"


category blacklist01 {
   domainlist ".../blacklist01/domains"
}
acl blacklist01 dstdomain ".../blacklist01/domains"

time workinghours {
   weekly mon,tue,wed,thu,fri 09:00 - 17:00
}
acl workinghours time MTWHF 0900-17:00

acl {
   admin { pass any }

http_access allow admin

managers within workinghours { pass whitelist01 none } else { pass none }
http_access allow managers workinghours whitelist01

classroom within workinghours { pass !blacklist01 any } else { pass none }

http_access allow classroom workinghours !blacklist01

default { pass none }

http_access deny all


}

Marcus


On 01/21/2013 07:33 AM, Helmut Hullen wrote:
Hallo, Artur,

Du meintest am 21.01.13:

I've tried many times and I can not do it, please help :(

I have 2 classrooms total 40 PC's
  +5 manager PC's
  +1 administrator
So IP range is
10.77.88.1-10.77.88.41 - for classroom
10.77.88.42-10.77.88.46 - for managers
10.77.88.47 - admin

Task:
1)Internet only for this 46 hosts 10.77.88.1-10.77.88.47
2)Classroom and managers can access internet only workdays from 9 to
17
3)Classroom have blacklist of sites in file for what access is
denied
4)Managers only can visit white list sites in file, all other
blocked
5)Admin can visit any web at any time
6)In weekends (A S) access only by authentification

Iam new to squid so I have difficulty to do this, I was able to set
access by days and time for one range, but how to join this with
white black list and other ranges for manager and admin +
authentication o_o I dont get how this http_access deny access work,
in what order, can someone provide solution for my task?I will be
very grateful

You seem to live in germany, perhaps you should look at "linux-user" 2/
2013, p. 16 ... 20 ("Squid als Spiel- und Social-Network-Bremse").


I'd try the following "http_access" order (untested):

acl localnet src 10.77.88.1-10.77.88.47
acl admin 10.77.88.47
http_access deny !localnet
# all others get fired

acl admin 10.77.88.47
http_access allow admin
# they are privileged

acl blacklist src "/etc/squid/blacklist"
acl schueler 10.77.88.1-10.77.88.41
http_access allow !schueler
# managers have more rights
# you may define a special acl for managers; it's not necessary in this
# example

http_access allow schueler !blacklist
# pupils are restricted

http_access deny all
# all other cases

-------------------------

The time restrictions are not implemented; take a look at listing 1 in
the above mentioned article.

Viele Gruesse!
Helmut



Reply via email to