ACL advise


ACL advise

squid squid
I would like to set up Squid as follows:

Group 1 users (10.1.1.10 and 10.1.1.11) only able to access 2 URLs
(http://intranet.abc.com/abc and http://apps.intranet.abc.com/abc) and 1
domain (interdept.abc.com)

Group 2 users (10.1.1.12 and 10.1.1.13) only able to access 2 URLs
(http://intranet.abc.com/def and http://apps.intranet.abc.com/def)

Group 3 users (10.1.2.20 and 10.1.2.21) only able to access 2 URLs
(http://intranet.abc.com/xyz and http://apps.intranet.abc.com/xyz)

All 3 groups can access URL http://public.abc.com/abc and domain
public.def.com

All other users in 10.1.1.x and 10.1.2.x are not allowed to access anything.

All other users not in the above group (10.1.3.x, 10.1.4.x, etc) can access
everything on the intranet.

Is my following configuration correct?

Thank you.

acl clients-seg-1 src 10.1.1.0/8
acl clients-seg-2 src 10.1.2.0/8

acl common-allow-url url_regex http://public.abc.com/abc
acl common-allow-domain dstdomain public.def.com

http_access deny clients-seg-1 clients-seg-2 !clients-grp1 !clients-grp2 !clients-grp3

acl clients-grp1 src 10.1.1.10 10.1.1.11
acl clients-grp1-allow-domain dstdomain interdept.abc.com
acl clients-grp1-allow-url url_regex http://intranet.abc.com/abc http://apps.intranet.abc.com/abc

http_access allow clients-grp1 clients-grp1-allow-domain clients-grp1-allow-url common-allow-url common-allow-domain
http_access deny clients-grp1 !clients-grp1-allow-domain !clients-grp1-allow-url !common-allow-url !common-allow-domain

acl clients-grp2 src 10.1.1.12 10.1.1.13
acl clients-grp2-allow-url url_regex http://intranet.abc.com/def http://apps.intranet.abc.com/def

http_access allow clients-grp2 clients-grp2-allow-url common-allow-url common-allow-domain
http_access deny clients-grp2 !clients-grp2-allow-url !common-allow-url !common-allow-domain

acl clients-grp3 src 10.1.2.20 10.1.2.21
acl clients-grp3-allow-url url_regex http://intranet.abc.com/xyz http://apps.intranet.abc.com/xyz

http_access allow clients-grp3 clients-grp3-allow-url common-allow-url common-allow-domain
http_access deny clients-grp3 !clients-grp3-allow-url !common-allow-url !common-allow-domain

http_access allow all


RE: ACL advise

Mark Barlow
I'm no expert, but from what I do know this is what I would suggest; hope it
helps.

Your starting 2 ACLs don't make sense: an 8-bit class A subnet mask on
10.1.1.0 will cover all addresses from 10.0.0.0 - 10.255.255.255 (the subnet
mask would be 255.0.0.0). I suspect from what you have written above you mean
to use a class C netmask (255.255.255.0) on the class A IP range, in which
case your lines should read

acl clients-seg-1 src 10.1.1.0/24
acl clients-seg-2 src 10.1.2.0/24

You can then isolate your specific IP addresses

# plain addr1-addr2 ranges: a /24 mask on a range is applied to both ends
# and would widen each group to its whole subnet
acl group-1 src 10.1.1.10-10.1.1.11
acl group-2 src 10.1.1.12-10.1.1.13
acl group-3 src 10.1.2.20-10.1.2.21

Other users not in the groups specified, i.e. 10.1.3.x, etc., can have another
acl

# add the remaining segments here
acl all-others src 10.1.3.0/24 10.1.4.0/24

We then look at what pages are allowed

# url_regex is an unanchored regular expression over the whole URL, so anchor
# each pattern at the start, escape the dots and end it where the path ends
acl group1-url url_regex -i ^http://intranet\.abc\.com/abc([/?]|$) ^http://apps\.intranet\.abc\.com/abc([/?]|$)
# a leading dot on a dstdomain value matches the domain and its subdomains
acl group1-dom dstdomain .interdept.abc.com
acl group2-url url_regex -i ^http://intranet\.abc\.com/def([/?]|$) ^http://apps\.intranet\.abc\.com/def([/?]|$)
acl group3-url url_regex -i ^http://intranet\.abc\.com/xyz([/?]|$) ^http://apps\.intranet\.abc\.com/xyz([/?]|$)
acl all-groups-url url_regex -i ^http://public\.abc\.com/abc([/?]|$)
acl all-groups-dom dstdomain .public.def.com
# intranet.url stands for your intranet domain
acl intranet dstdomain .intranet.url

Having set up the acls now we look at the access. These rules are applied
in order.

http_access allow group-1 group1-url
http_access allow group-1 group1-dom
http_access allow group-2 group2-url
http_access allow group-3 group3-url
http_access allow group-1 all-groups-url
http_access allow group-2 all-groups-url
http_access allow group-3 all-groups-url
http_access allow group-1 all-groups-dom
http_access allow group-2 all-groups-dom
http_access allow group-3 all-groups-dom
http_access allow all-others intranet

# nothing above matched: refuse
http_access deny all

The rules get looked at in turn; unless a client matches a rule with its
request it will get mopped up by the deny all (assuming you have left the
acl all src 0.0.0.0/0.0.0.0).



-----Original Message-----
From: squid squid [mailto:[hidden email]]
Sent: 18 May 2007 13:35
To: [hidden email]
Subject: [squid-users] ACL advise




RE: ACL advise

squid squid
Hi,

Thank you for the advice.

Can I have the access and deny rules as follows?

http_access allow group-1 group1-url
http_access allow group-1 group1-dom
http_access allow group-2 group2-url
http_access allow group-3 group3-url
http_access allow group-1 all-groups-url
http_access allow group-2 all-groups-url
http_access allow group-3 all-groups-url
http_access allow group-1 all-groups-dom
http_access allow group-2 all-groups-dom
http_access allow group-3 all-groups-dom
http_access deny clients-seg-1
http_access deny clients-seg-2

http_access allow all

Regards.

>From: "Mark Barlow" <[hidden email]>
>To: "'squid squid'" <[hidden email]>, <[hidden email]>
>Subject: RE: [squid-users] ACL advise
>Date: Fri, 18 May 2007 14:32:53 +0100


Re: ACL advise

Amos Jeffries
Administrator
squid squid wrote:

> Hi,
>
> Thank you for the advise.
>
> Can I have the access and deny as follows:
>
> http_access allow group-1 group1-url
> http_access allow group-1 group1-dom
> http_access allow group-2 group2-url
> http_access allow group-3 group3-url
> http_access allow group-1 all-groups-url
> http_access allow group-2 all-groups-url
> http_access allow group-3 all-groups-url
> http_access allow group-1 all-groups-dom
> http_access allow group-2 all-groups-dom
> http_access allow group-3 all-groups-dom
> http_access deny clients-seg-1
> http_access deny clients-seg-2
>
> http_access allow all
>
> Regards.

That last line will allow *anyone* *anywhere* to access anything the
proxy can resolve (all of the internet!).
Be *very* sure you want that to happen before using "allow all" as a
default.

The earlier suggested config with an 'acl all-intranet 10.x.x.x/n ....'
was on the mark for a much more secure proxy setup that still does what
you want.

Amos
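Mark's point that the http_access rules are applied in order and Amos's warning about "allow all" as the default can both be checked offline. The evaluator below is an added example written for this page, not code from the thread or from Squid itself. It models only the src, dstdomain and url_regex ACL types as the thread uses them, with Squid's first-match rule and its fallback to the opposite of the last line's action when nothing matches, and it applies a netmask on an addr1-addr2 range to both ends and to the client address (Squid's addr1-addr2/netmask form). The two sample policies and the request list are constructed for the demonstration: LOOSE keeps the slips discussed above (a /24 on a two-host range, a url_regex with no anchor and no /abc path, and allow all as the last line), STRICT is the corrected form, and the hosts, URLs and ACL names are assumed values, not anything from a real deployment.

```python
"""First-match evaluator for Squid src / dstdomain / url_regex ACLs (added
example for this page, not code from the thread or from Squid)."""
import ipaddress
import re
from urllib.parse import urlsplit


class Acl:
    def __init__(self, line):  # 'acl NAME TYPE [-i] value...'
        _, self.name, self.kind, *values = line.split()
        flags = 0
        if values and values[0] == "-i":  # case-insensitive regex flag
            flags, values = re.IGNORECASE, values[1:]
        self.values = values
        if self.kind == "src":
            self.nets = [self._parse_src(v) for v in values]
        elif self.kind == "url_regex":
            self.pats = [re.compile(v, flags) for v in values]
        elif self.kind != "dstdomain":
            raise ValueError(f"unsupported acl type {self.kind}")

    @staticmethod
    def _parse_src(value):
        # "addr[/mask]" or "addr1-addr2[/mask]": the mask is applied to both ends
        # and to the client address, so a /24 on a two-host range covers the subnet
        rng, _, mask = ("0.0.0.0/0" if value == "all" else value).partition("/")
        lo, _, hi = rng.partition("-")
        lo_net = ipaddress.ip_network(f"{lo}/{mask or 32}", strict=False)
        hi_net = ipaddress.ip_network(f"{hi or lo}/{mask or 32}", strict=False)
        return lo_net.prefixlen, lo_net.network_address, hi_net.network_address

    def matches(self, src, url):
        if self.kind == "src":
            ip = ipaddress.ip_address(src)
            return any(lo <= ipaddress.ip_network(f"{ip}/{bits}", strict=False).network_address <= hi
                       for bits, lo, hi in self.nets)
        if self.kind == "dstdomain":  # leading dot = the domain and all its subdomains
            host = (urlsplit(url).hostname or "").lower()
            return any(host == v.lstrip(".").lower() or (v.startswith(".") and host.endswith(v.lower()))
                       for v in self.values)
        return any(p.search(url) for p in self.pats)  # url_regex: unanchored, whole URL


class Policy:
    def __init__(self, conf):  # acl definitions plus ordered http_access rules
        self.acls = {"all": Acl("acl all src all")}  # Squid's built-in "all"
        self.rules = []
        for raw in conf.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("acl "):
                self.acls[line.split()[1]] = Acl(line)
            elif line.startswith("http_access "):
                _, action, *terms = line.split()
                for term in terms:  # Squid refuses to start on an unknown ACL name
                    if term.lstrip("!") not in self.acls:
                        raise ValueError(f"undefined acl {term!r}")
                self.rules.append((action, terms))
            else:
                raise ValueError(f"unsupported directive: {line}")

    def decide(self, src, url):  # 'allow' or 'deny' for a request from src to url
        if not self.rules:
            return "deny"
        for action, terms in self.rules:  # first line whose ACLs all match decides
            if all(self.acls[t.lstrip("!")].matches(src, url) != t.startswith("!") for t in terms):
                return action
        return "deny" if self.rules[-1][0] == "allow" else "allow"  # Squid's fallback


# Constructed sample policies sharing one skeleton; only the three slots differ.
def policy(group_src, group_url, final_action):
    return Policy(f"""
acl group-1 src {group_src}
acl group1-url url_regex -i {group_url}
acl all-others src 10.1.3.0/24
acl intranet dstdomain .abc.com
http_access allow group-1 group1-url
http_access allow all-others intranet
http_access {final_action} all
""")


# LOOSE keeps the slips the thread discusses: a /24 mask on a two-host range, a
# url_regex with no anchor and no /abc path, and "allow all" as the last line.
LOOSE = policy("10.1.1.10-10.1.1.11/24", "intranet.abc.com apps.intranet.abc.com/abc", "allow")
STRICT = policy("10.1.1.10 10.1.1.11", r"^http://(apps\.)?intranet\.abc\.com/abc([/?]|$)", "deny")
CASES = [  # constructed requests (client IP, URL)
    ("10.1.1.10", "http://intranet.abc.com/abc/index.html"),  # group 1, its own app
    ("10.1.1.10", "http://intranet.abc.com/abcdef"),  # path-prefix trick
    ("10.1.1.10", "http://intranet.abc.com/xyz"),  # group 3's app
    ("10.1.1.50", "http://intranet.abc.com/abc"),  # unlisted host on 10.1.1.x
    ("10.1.3.7", "http://apps.intranet.abc.com/xyz"),  # other segment, intranet
    ("10.1.3.7", "http://www.example.com/"),  # other segment, internet
]


def compare(cases=CASES):
    """Return {(src, url): (loose_decision, strict_decision)} for each case."""
    return {(s, u): (LOOSE.decide(s, u), STRICT.decide(s, u)) for s, u in cases}
```

compare() allows every one of the six requests under LOOSE, while STRICT passes only group 1 to its own /abc application and the 10.1.3.x host to intranet domains. The 10.1.1.50 request is what a /24 on a two-host range lets through, /abcdef and /xyz are what an unanchored, unterminated url_regex lets through, and the www.example.com request is Amos's point about allow all. A misspelled ACL name such as agll-groups-url raises at parse time, which is also what Squid does; squid -k parse on the real config catches that spelling error but none of the semantic slips.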

Re: ACL advise

squid squid
Thank you to all who have provided the advice. I have used deny all as the
last entry to be on the safe side.


>From: Amos Jeffries <[hidden email]>
>To: squid squid <[hidden email]>
>CC: [hidden email], [hidden email]
>Subject: Re: [squid-users] ACL advise
>Date: Sat, 19 May 2007 04:19:11 +1200


Controlling msn messenger and or yahoo messenger via squid

Peter Koinnage
In reply to this post by squid squid

--> I was finally able to control the use of MSN Messenger and Yahoo
Messenger via Squid. It is not perfect, but it works.



Please find below guides to allow MSN Messenger and Yahoo Messenger
access on Squid if iptables ports are closed and/or IP forwarding is
disabled (please note: in Yahoo Messenger select the connection
option -> firewall with no proxies).


--> The rules below allow IP 192.168.1.235 to access only Yahoo Messenger
and Yahoo subdomain sites

acl yahoo_dst dstdomain .yahoo.com .imgag.com .llnwd.net .msads.net .yimg.com
acl allow_yahoo_messenger src 192.168.1.235

http_access allow allow_yahoo_messenger yahoo_dst




--> The rules below allow IP 192.168.1.235 to access only MSN Messenger and
MSN subdomain sites

acl MSN_SITE dstdomain .msn.com .hotmail.com
acl MSN req_mime_type ^application/x-msn-messenger$
acl MSN_SITE2 dst 207.46.107.0/255.255.255.0 207.46.108.0/255.255.255.0 207.46.109.0/255.255.255.0 207.46.110.0/255.255.255.0 64.4.36.0/255.255.255.0 207.46.26.0/255.255.255.0 207.46.111.0/255.255.255.0

acl allow_msn_only src 192.168.1.235


http_access allow allow_msn_only MSN
http_access allow allow_msn_only MSN_SITE
http_access allow allow_msn_only MSN_SITE2



--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


Re: Controlling msn messenger and or yahoo messenger via squid

Peter Koinnage

It is not perfect but can be refined to completely restrict access to IM.


k
