allow certain user IPs to access only 2 domains and disallow everything

simon ben
I have squid running perfectly fine on CentOS 7 64-bit with no issues.
I want to allow certain user IPs to access a few sites and block everything else, so below is the config.
The sites are:
1) paloaltonetworks.com
2) redcloak.secureworks.com

in squid.conf
-------------------
acl userlist src "/etc/squid/userlist"
acl sitelist dstdomain "/etc/squid/sitelist"
http_access allow userlist sitelist

-------------------

user list file has the ips
-----------
192.168.62.128
192.168.62.1
192.168.62.129
192.168.61.1
192.168.62.130
192.168.62.3
192.168.61.128
172.16.120.160
------------------------------

site list file has the sites
----------------------------------------
.paloaltonetworks.com
.secureworks.com
https://ch-baladia.traps.paloaltonetworks.com
baladia.xdr.eu.paloaltonetworks.com
identity.paloaltonetworks.com
login.paloaltonetworks.com
assets.adobedtm.com
www.paloaltonetworks.com
redcloak.secureworks.com

------------------------------------------------

I see that the first page and some links are working but some do not. Also there are a huge number of deny logs in the squid access logs.
I would appreciate it if you can advise me on how I can have the above access list so as to have minimum denies when being accessed from the above IPs.


Thanks and Regards


simon  




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: allow certain user IPs to access only 2 domains and disallow everything

Amos Jeffries
Administrator
On 16/10/20 10:21 pm, simon ben wrote:
> I have squid running perfectly fine on centos 7 64 bit with no issues
> I want to allow certain user ips to access a few sites and block
> everything else so below is the config
> the sites are
> 1) paloaltonetworks.com
> 2) redcloak.secureworks.com
>

Notice the sitelist file contains the entire range of *.secureworks.com
domains and some others.


> in squid.conf
> -------------------
> acl userlist src "/etc/squid/userlist"
> acl sitelist dstdomain "/etc/squid/sitelist"


# allow certain user ips to access a few sites
> http_access allow userlist sitelist
>

# ...  and block everything else

?? nothing specified for that part of your policy.


So, you need to follow up with either:

  http_access deny all

or,

  http_access deny userlist


> -------------------
>
> user list file has the ips
> -----------
> 192.168.62.128
> 192.168.62.1
> 192.168.62.129
> 192.168.61.1
> 192.168.62.130
> 192.168.62.3
> 192.168.61.128
> 172.16.120.160
> ------------------------------
>

Er, these are not "users", these are IP addresses, aka clients.

The difference is important because one machine/IP can be used by
multiple users. There is no difference to the proxy whether the IP is
switched between users or shared by multiple simultaneously.

Also, sorting the file can ease management. There are some entries which
could be represented by an IP range for more efficient matching instead
of being listed individually.



> site list file has the sites
> ----------------------------------------
> .paloaltonetworks.com
> .secureworks.com
> https://ch-baladia.traps.paloaltonetworks.com
> baladia.xdr.eu.paloaltonetworks.com
> identity.paloaltonetworks.com
> login.paloaltonetworks.com
> assets.adobedtm.com
> www.paloaltonetworks.com
> redcloak.secureworks.com
>
> ------------------------------------------------
>
> I see that the first page and some links are working but some do not .

Only the first two lines of that file are "sites".

The third is a URL. This will never match with dstdomain.

The rest are individual domains. They will only match the one domain
within their site.

Also, most of your entries are sub-domains of the sites listed on the
first lines. The contents of this file reduce to:


  .paloaltonetworks.com
  .secureworks.com
  assets.adobedtm.com


However, your stated policy says that it should only contain:

  .paloaltonetworks.com
  .redcloak.secureworks.com


Amos
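Amos's two points above, how dstdomain entries match and the missing trailing deny, modelled in Python as an added example (not code from the thread or from Squid itself): it runs over the sitelist as posted, shows which entries match a given destination host, reduces the list the way Amos describes, and evaluates http_access including Squid's documented default of the opposite of the last line's action when nothing matches.

```python
# The sitelist exactly as posted in the thread, one dstdomain entry per line.
SITELIST = [
    ".paloaltonetworks.com",
    ".secureworks.com",
    "https://ch-baladia.traps.paloaltonetworks.com",  # a URL, not a domain
    "baladia.xdr.eu.paloaltonetworks.com",
    "identity.paloaltonetworks.com",
    "login.paloaltonetworks.com",
    "assets.adobedtm.com",
    "www.paloaltonetworks.com",
    "redcloak.secureworks.com",
]


def dstdomain_match(entry: str, host: str) -> bool:
    """dstdomain semantics: a leading dot matches the domain itself and all
    of its subdomains; no leading dot matches only that exact hostname.
    A hostname never contains ':' or '/', so a URL entry can never match."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def matching_entries(sitelist, host):
    """Every sitelist entry that matches the destination host of a request."""
    return [e for e in sitelist if dstdomain_match(e, host)]


def reduce_sitelist(sitelist):
    """Drop URL entries (dead) and entries already covered by a dotted,
    site-wide entry; the result is the minimal equivalent list."""
    sites = [e for e in sitelist if e.startswith(".")]
    kept = []
    for e in sitelist:
        if ":" in e or "/" in e:
            continue  # cannot match any hostname
        host = e.lstrip(".")
        if not any(s != e and dstdomain_match(s, host) for s in sites):
            kept.append(e)
    return kept


def http_access(rules, acl_results):
    """Squid's http_access evaluation: the first line whose ACLs all match
    decides; if no line matches, the default is the opposite of the action
    on the last line, so an explicit trailing 'deny all' removes the guess."""
    for action, names in rules:
        if all(acl_results[name] for name in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```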
Re: allow certain user IPs to access only 2 domains and disallow everything

simon ben
Dear Amos,

Thanks for the quick reply.
Will check and let you know.


regards

simon

On Saturday, October 17, 2020, 06:06:13 AM GMT+3, Amos Jeffries <[hidden email]> wrote: