Allow specific set of IP to access a specific set of URL

Arjun K
Hi Team

Could you please let me know how to define an acl so that a specific set of IPs can access alone a specific set of URLs.
How to define such ACL.

acl <aclname> src "iplist.txt"
acl allowedurl src "url.txt"
http_access <aclname> allowedurl

The above configuration results in ERROR 403 in the logs.

Also, I have an existing configuration which should not get affected and it should not interfere in the rules which were allowed for the servers previously.


Kindly help me in getting the acl so that a specific set of IP can access set of URLs without losing access to other sites which are present already in the configuration.


Regards
Arjun K.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Allow specific set of IP to access a specific set of URL

Klaus Brandl
The acl for the url must be of type url_regex, or something else:

acl allowedurl url_regex "url.txt"

Regards

Klaus


Re: Allow specific set of IP to access a specific set of URL

Amos Jeffries
Administrator
On 24/02/21 10:14 pm, Klaus Brandl wrote:
> The acl for the url must be of type url_regex, or something else:
>
> acl allowedurl url_regex "url.txt"
>

This line tells Squid to load a file full of regex patterns. Nothing more.


The http_access line is the list of rules that determines when those
loaded values are tested against a URL, and what happens when the URL
matches (or not) any of the patterns.


>
> On Tuesday, 23.02.2021, at 18:09 +0000, Arjun K wrote:
>> Hi Team
>>
>> Could you please let me know how to define an acl so that a specific
>> set of IPs can access alone a specific set of URLs.


Have you read the docs on how Squid does access control?
 
<https://wiki.squid-cache.org/SquidFaq/SquidAcl#The_Basics:_How_the_parts_fit_together>

The example config you showed indicates a lack of understanding of the
syntax. That understanding is key to these things actually working the
way you want.


Let's look at your stated requirements:

 >  define an acl

acl okay_urls url_regex "/etc/squid/url.txt"


 > a specific set of IPs can access alone a specific set of URLs.

That sentence is an access policy. It has three parts:

   1) "set of IPs"

  I have assumed from the "can access" words that you mean client IPs.
Which in networking are the TCP src-IP value.

So ...

    acl set_of_IPs src 192.0.2.1 192.0.2.45 192.0.2.156

   2) "set of URLs"

So ...

     acl set_of_urls url_regex "/etc/squid/url.txt"


   3) "can access alone"

I assume that means you want these IPs to access the URLs. But no others
to be able to access those same URLs.

So ...
   # permit set_of_ips
   http_access allow set_of_ips set_of_urls
   http_access deny set_of_urls



 > Also, I have an existing configuration which should not get affected
 > and it should not interfere in the rules which were allowed for the
 > servers previously.

The most important word there is "previously".

This is where *you* understanding how Squid access controls fit together
matters *a lot*.

The first http_access line that matches entirely will _end_ processing
of the 'http_access' sequence. The action (allow/deny) specified on that
matched line will be done.

So where you place the above http_access lines determines which
transactions will be able to reach and be tested by them.


Amos
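
Added example, not part of the original thread and not Squid's own code: a small Python model of the first-match rule described above, showing how the placement of the two new http_access lines changes the outcome. The "localnet" and "all" ACLs, the regex pattern and the test addresses are constructed stand-ins for an existing configuration and for the contents of url.txt.

```python
import ipaddress
import re

# Constructed sample ACLs. "localnet" and "all" stand in for a hypothetical
# existing configuration; the regex stands in for the contents of url.txt.
ACLS = {
    "set_of_ips":  ("src", ["192.0.2.1", "192.0.2.45", "192.0.2.156"]),
    "set_of_urls": ("url_regex", [r"^https?://intranet\.example\.com/"]),
    "localnet":    ("src", ["192.0.2.0/24"]),
    "all":         ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, client_ip, url):
    """An ACL matches when ANY one of its values matches (values are OR-ed)."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    return any(re.search(v, url) for v in values)  # url_regex

def http_access(rules, client_ip, url):
    """Return (action, line_no) for the first line whose ACLs ALL match."""
    for line_no, (action, names) in enumerate(rules, 1):
        if all(acl_matches(n, client_ip, url) for n in names):
            return action, line_no
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

NEW = [("allow", ["set_of_ips", "set_of_urls"]), ("deny", ["set_of_urls"])]
OLD_ALLOW, OLD_DENY = ("allow", ["localnet"]), ("deny", ["all"])

NEW_FIRST = NEW + [OLD_ALLOW, OLD_DENY]        # new lines above the old allow
NEW_TOO_LATE = [OLD_ALLOW] + NEW + [OLD_DENY]  # old allow is reached first

if __name__ == "__main__":
    url = "http://intranet.example.com/reports"
    for label, rules in (("new first", NEW_FIRST), ("new too late", NEW_TOO_LATE)):
        for ip in ("192.0.2.45", "192.0.2.77"):
            print(label, ip, http_access(rules, ip, url))
    print("other site", http_access(NEW_FIRST, "192.0.2.77", "http://www.example.org/"))
```

With the new lines placed first, an unlisted client is denied the restricted URL but still reaches other sites through the older allow line; with the older allow line placed first, that line ends processing and the restriction is never tested.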

Re: Allow specific set of IP to access a specific set of URL

Arjun K
Thanks Amos and Klaus for your response.


On Wednesday, 24 February, 2021, 05:03:57 pm IST, Amos Jeffries <[hidden email]> wrote:

