Hi Team

Could you please let me know how to define an acl so that a specific set of IPs can access alone a specific set of URLs.
How to define such ACL.

    acl <aclname> src "iplist.txt"
    acl allowedurl src "url.txt"
    http_access <aclname> allowedurl

The above configuration results in ERROR 403 in the logs.

Also, I have an existing configuration which should not get affected and it should not interfere in the rules which were allowed for the servers previously.

Kindly help me in getting the acl so that a specific set of IP can access set of URLs without losing access to other sites which are present already in the configuration.

Regards
Arjun K.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

The acl for the url must be of type url_regex, or something else:

    acl allowedurl url_regex "url.txt"

Regards
Klaus

On Tuesday, 23.02.2021, 18:09 +0000, Arjun K wrote:
> Hi Team
>
> Could you please let me know how to define an acl so that a specific
> set of IPs can access alone a specific set of URLs.
> How to define such ACL.
>
> acl <aclname> src "iplist.txt"
> acl allowedurl src "url.txt"
> http_access <aclname> allowedurl
>
> The above configuration results in ERROR 403 in the logs.
>
> Also, I have an existing configuration which should not get affected
> and it should not interfere in the rules which were allowed for the
> servers previously.
>
> Kindly help me in getting the acl so that a specific set of IP can
> access set of URLs without losing access to other sites which are
> present already in the configuration.
>
> Regards
> Arjun K.

On 24/02/21 10:14 pm, Klaus Brandl wrote:
> The acl for the url must be of type url_regex, or something else:
>
> acl allowedurl url_regex "url.txt"
>

This line tells Squid to load a file full of regex patterns. Nothing more.

The http_access line is the list of rules that determines when those loaded values are tested against a URL, and what happens when the URL matches (or not) any of the patterns.

>
> On Tuesday, 23.02.2021, 18:09 +0000, Arjun K wrote:
>> Hi Team
>>
>> Could you please let me know how to define an acl so that a specific
>> set of IPs can access alone a specific set of URLs.

Have you read the docs on how Squid does access control?
<https://wiki.squid-cache.org/SquidFaq/SquidAcl#The_Basics:_How_the_parts_fit_together>

The example config you showed indicates a lack of understanding the syntax. That understanding is key to these things actually working the way you want.

Let's look at your stated requirements:

> define an acl

    acl okay_urls url_regex "/etc/squid/url.txt"

> a specific set of IPs can access alone a specific set of URLs.

That sentence is an access policy. It has three parts:

1) "set of IPs"

I have assumed from the "can access" words that you mean client IPs. Which in networking are the TCP src-IP value.

So ...

    acl set_of_IPs src 192.0.2.1 192.0.2.45 192.0.2.156

2) "set of URLs"

So ...

    acl set_of_urls url_regex "/etc/squid/url.txt"

3) "can access alone"

I assume that means you want these IPs to access the URLs. But no others to be able to access those same URLs.

So ...

    # permit set_of_ips
    http_access allow set_of_ips set_of_urls
    http_access deny set_of_urls

> Also, I have an existing configuration which should not get affected
> and it should not interfere in the rules which were allowed for the
> servers previously.

The most important word there is "previously". This is where *you* understanding how Squid access controls fit together matters *a lot*.

The first http_access line that matches entirely will _end_ processing of the 'http_access' sequence. The action (allow/deny) specified on that matched line will be done.

So where you place the above http_access lines determines which transactions will be able to reach and be tested by them.

Amos

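The first-match ordering described in the message above, modelled as an added Python example (not Squid's code and not part of the thread). The `localnet` rule standing in for the poster's existing configuration, the `intranet.example.com` pattern and the final `deny all` line are constructed assumptions.

```python
import ipaddress
import re

# Constructed ACL table; "localnet" stands in for the poster's existing rules.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localnet": ("src", ["192.0.2.0/24"]),
    "set_of_ips": ("src", ["192.0.2.1", "192.0.2.45", "192.0.2.156"]),
    "set_of_urls": ("url_regex", [r"^https?://intranet\.example\.com/"]),
}

def acl_matches(name, client_ip, url):
    """One ACL matches if ANY of its values matches (values are ORed)."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "url_regex":
        return any(re.search(p, url) for p in values)
    raise ValueError(f"unsupported ACL type: {kind}")

def http_access(rules, client_ip, url):
    """First line whose ACLs ALL match decides; later lines are not tested."""
    for action, names in rules:
        if all(acl_matches(n, client_ip, url) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

NEW = [("allow", ["set_of_ips", "set_of_urls"]), ("deny", ["set_of_urls"])]
EXISTING = [("allow", ["localnet"])]
DENY_ALL = [("deny", ["all"])]

NEW_FIRST = NEW + EXISTING + DENY_ALL   # restriction tested before old rules
NEW_LAST = EXISTING + NEW + DENY_ALL    # old allow wins first, restriction skipped

if __name__ == "__main__":
    url = "http://intranet.example.com/hr"
    for label, rules in (("NEW_FIRST", NEW_FIRST), ("NEW_LAST", NEW_LAST)):
        for ip in ("192.0.2.45", "192.0.2.99"):
            print(label, ip, http_access(rules, ip, url))
```

With the new pair placed after the broader `localnet` allow, a client outside `set_of_ips` still reaches the restricted URL, because the earlier line ends processing before the `deny set_of_urls` line is tested.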
Thanks Amos and Klaus for your response.
On Wednesday, 24 February, 2021, 05:03:57 pm IST, Amos Jeffries <[hidden email]> wrote: