[squid-users] Help with acl's

2006-09-01 Thread Jason
Hello, I have searched and read until I wanna bang my head. What I want
squid to do: I have 6 internet computers that will access the internet (they
have static IPs) and 2 homework computers (also static) that will only have
access (whitelist) to a couple of websites (www.tutor.com for example). I am
running squid 2.6.Stable3. My squid.conf looks like this:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

  a bunch of comments, then:

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl scorpio src 192.168.5.21
http_access allow scorpio


# And finally deny all other access to this proxy
http_access deny all

In this configuration I get access denied to any website I go to. When I
change it to http_access allow all, obviously everything works. So I enabled
debug_options All,1 28,9 and this is what I get:

2006/09/01 11:05:33| Reconfiguring Squid Cache (version 2.6.STABLE3)...
2006/09/01 11:05:33| FD 9 Closing HTTP connection
2006/09/01 11:05:33| FD 11 Closing ICP connection
2006/09/01 11:05:33| DNS Socket created at 0.0.0.0, port 32775, FD 8
2006/09/01 11:05:33| Adding nameserver 192.168.5.5 from /etc/resolv.conf
2006/09/01 11:05:33| Adding nameserver 192.168.5.7 from /etc/resolv.conf
2006/09/01 11:05:33| Accepting proxy HTTP connections at 192.168.5.249, port 3128, FD 9.
2006/09/01 11:05:33| Accepting ICP messages at 0.0.0.0, port 3130, FD 11.
2006/09/01 11:05:33| WCCP Disabled.
2006/09/01 11:05:33| Loaded Icons.
2006/09/01 11:05:33| Ready to serve requests.
2006/09/01 11:05:46| aclCheckFast: list: 0x926b228
2006/09/01 11:05:46| aclMatchAclList: checking all
2006/09/01 11:05:46| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/09/01 11:05:46| aclMatchIp: '192.168.5.249' found
2006/09/01 11:05:46| aclMatchAclList: returning 1
2006/09/01 11:05:47| aclCheck: checking 'http_access allow manager localhost'
2006/09/01 11:05:47| aclMatchAclList: checking manager
2006/09/01 11:05:47| aclMatchAcl: checking 'acl manager proto cache_object'
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access deny manager'
2006/09/01 11:05:47| aclMatchAclList: checking manager
2006/09/01 11:05:47| aclMatchAcl: checking 'acl manager proto cache_object'
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access deny !Safe_ports'
2006/09/01 11:05:47| aclMatchAclList: checking !Safe_ports
2006/09/01 11:05:47| aclMatchAcl: checking 'acl Safe_ports port 80  # http'
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access deny CONNECT !SSL_ports'
2006/09/01 11:05:47| aclMatchAclList: checking CONNECT
2006/09/01 11:05:47| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access allow scorpio'
2006/09/01 11:05:47| aclMatchAclList: checking scorpio
2006/09/01 11:05:47| aclMatchAcl: checking 'acl scorpio src 192.168.5.21'
2006/09/01 11:05:47| aclMatchIp: '192.168.5.249' NOT found
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access deny all'
2006/09/01 11:05:47| aclMatchAclList: checking all
2006/09/01 11:05:47| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/09/01 11:05:47| aclMatchIp: '192.168.5.249' found
2006/09/01 11:05:47| aclMatchAclList: returning 1
2006/09/01 11:05:47| aclCheck: match found, returning 0
2006/09/01 11:05:47| aclCheckCallback: answer=0

There are a few things in there I don't get. Maybe somebody does and can tell
me I am missing 

Re: [squid-users] Help with acl's

2006-09-01 Thread Henrik Nordstrom
Fri 2006-09-01 at 11:35 -0500, Jason wrote:

> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>
> # Example rule allowing access from your local networks. Adapt
> # to list your (internal) IP networks from where browsing should
> # be allowed
> #acl our_networks src 192.168.1.0/24 192.168.2.0/24
> #http_access allow our_networks
> acl scorpio src 192.168.5.21
> http_access allow scorpio

The above allows 192.168.5.21 access. There are no other rules, so it's
only that address which is allowed access.

> 2006/09/01 11:05:47| aclMatchAcl: checking 'acl scorpio src 192.168.5.21'
> 2006/09/01 11:05:47| aclMatchIp: '192.168.5.249' NOT found

This says the request came from 192.168.5.249, not 192.168.5.21.

Are you running some other proxy in front of Squid perhaps?

Regards
Henrik
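
Added example (not part of the original thread): a small Python parser for the `debug_options All,1 28,9` trace quoted above, reporting which http_access rule decided the request and which src ACL was compared against which client address. The sample is an excerpt of the lines in the post with wrapped lines rejoined; the function and field names are this example's own.

```python
import re

# Excerpt of the trace from the post (wrapped lines rejoined).
TRACE = """\
2006/09/01 11:05:47| aclCheck: checking 'http_access allow scorpio'
2006/09/01 11:05:47| aclMatchAclList: checking scorpio
2006/09/01 11:05:47| aclMatchAcl: checking 'acl scorpio src 192.168.5.21'
2006/09/01 11:05:47| aclMatchIp: '192.168.5.249' NOT found
2006/09/01 11:05:47| aclMatchAclList: no match, returning 0
2006/09/01 11:05:47| aclCheck: checking 'http_access deny all'
2006/09/01 11:05:47| aclMatchAclList: checking all
2006/09/01 11:05:47| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/09/01 11:05:47| aclMatchIp: '192.168.5.249' found
2006/09/01 11:05:47| aclMatchAclList: returning 1
2006/09/01 11:05:47| aclCheck: match found, returning 0
2006/09/01 11:05:47| aclCheckCallback: answer=0
"""

RULE = re.compile(r"aclCheck: checking '(http_access .+)'")
SRC_ACL = re.compile(r"aclMatchAcl: checking 'acl \S+ src (.+)'")
IP = re.compile(r"aclMatchIp: '([\d.]+)' (NOT found|found)")
ANSWER = re.compile(r"aclCheckCallback: answer=(\d)")

def explain_trace(text):
    """Summarise one request's ACL trace from cache.log."""
    out = {"deciding_rule": None, "allowed": None,
           "client_ips": set(), "src_misses": []}
    rule = src_spec = None
    for line in text.splitlines():
        msg = line.split("| ", 1)[-1]
        if m := RULE.search(msg):
            rule, src_spec = m.group(1), None
        elif m := SRC_ACL.search(msg):
            src_spec = m.group(1)
        elif m := IP.search(msg):
            out["client_ips"].add(m.group(1))
            if m.group(2) == "NOT found" and rule and src_spec:
                # A src ACL was tested against an address it does not list.
                out["src_misses"].append((rule, src_spec, m.group(1)))
        elif msg.startswith("aclMatchAclList: returning 1") and rule:
            # First http_access line whose ACLs all matched decides the request.
            out["deciding_rule"] = out["deciding_rule"] or rule
        elif m := ANSWER.search(msg):
            out["allowed"] = m.group(1) == "1"   # answer=0 is a denial here
    return out

if __name__ == "__main__":
    print(explain_trace(TRACE))
```
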




[squid-users] Help with ACL's

2004-09-05 Thread Greg Darby
Hi,

I have a complex ACL running on Squid for which I would like some help
to find out how I can allow websites and their sub domains to be
allowed..

acl special_client src 192.168.10.5 
acl special_url url_regex  ^http://www.abc.com
http_access allow special_client  special_url
http_access deny special_url

The above works fine and allows access to the website above for the
client shown above but I want to be able to also allow all sub domains
for the website abc.com. How can I do this without typing in every
website on the same domain? e.g. http://ad.abc.com, http://abdcg.abc.com

Your help much appreciated.. 


Regards,

Greg 




Re: [squid-users] Help with ACL's

2004-09-05 Thread Rob H
On Mon, 6 Sep 2004 13:10:29 +0930, Greg Darby [EMAIL PROTECTED] wrote:
> Hi,
>
> I have a complex ACL running on Squid for which I would like some help
> to find out how I can allow websites and their sub domains to be
> allowed..
>
> acl special_client src 192.168.10.5
> acl special_url url_regex  ^http://www.abc.com
> http_access allow special_client  special_url
> http_access deny special_url
>
> The above works fine and allows access to the website above for the
> client shown above but I want to be able to also allow all sub domains
> for the website abc.com. How can I do this without typing in every
> website on the same domain? e.g. http://ad.abc.com, http://abdcg.abc.com

I think:

acl special_url url_regex  \.abc\.com

Would do it.

---
Regards,
Rob Hadfield.


Re: [squid-users] Help with ACL's

2004-09-05 Thread Rob H
On Mon, 6 Sep 2004 14:50:30 +1000, Rob H [EMAIL PROTECTED] wrote:
> On Mon, 6 Sep 2004 13:10:29 +0930, Greg Darby [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I have a complex ACL running on Squid for which I would like some help
> > to find out how I can allow websites and their sub domains to be
> > allowed..
> >
> > acl special_client src 192.168.10.5
> > acl special_url url_regex  ^http://www.abc.com
> > http_access allow special_client  special_url
> > http_access deny special_url
> >
> > The above works fine and allows access to the website above for the
> > client shown above but I want to be able to also allow all sub domains
> > for the website abc.com. How can I do this without typing in every
> > website on the same domain? e.g. http://ad.abc.com, http://abdcg.abc.com
>
> I think:
>
> acl special_url url_regex  \.abc\.com
>
> Would do it.
>
> ---
> Regards,
> Rob Hadfield.

Or even better:

acl special_url dstdomain .abc.com

Take a look at the docs at:
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.1
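
Added example, not from the thread: a Python model of how the three ACL forms discussed above decide on a few constructed URLs. It goes slightly beyond the question by including URLs where abc.com appears outside the host name, which is where an unanchored url_regex and dstdomain differ. The matching functions are approximations written for this example, not Squid code.

```python
import re
from urllib.parse import urlsplit

def url_regex_match(pattern, url):
    """url_regex: the pattern is searched for anywhere in the full URL.
    (Python's re stands in for Squid's regex library in this example.)"""
    return re.search(pattern, url) is not None

def dstdomain_match(spec, url):
    """dstdomain: only the request's host name is compared. A leading dot
    matches the domain itself and any sub-domain of it."""
    host = (urlsplit(url).hostname or "").lower()
    spec = spec.lower()
    if spec.startswith("."):
        return host == spec[1:] or host.endswith(spec)
    return host == spec

def verdicts(url):
    """(original url_regex, suggested url_regex, dstdomain) for one URL."""
    return (url_regex_match(r"^http://www.abc.com", url),
            url_regex_match(r"\.abc\.com", url),
            dstdomain_match(".abc.com", url))

# Constructed sample URLs; example.net is a placeholder for an unrelated site.
SAMPLES = [
    "http://www.abc.com/",
    "http://ad.abc.com/",
    "http://abc.com/",
    "http://www.abc.com.example.net/",
    "http://example.net/page?ref=.abc.com",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, verdicts(url))
```

The last two samples are accepted by one or both regex forms even though the host is not under abc.com; dstdomain rejects them.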


RE: [squid-users] Help with ACL's

2004-09-05 Thread Greg Darby
The dstdomain directive solved my problem. Thanks a million, Rob!

Regards,

Greg


> Or even better:
>
> acl special_url dstdomain .abc.com



[squid-users] help with ACL's

2003-01-25 Thread Mike Saunders
I'm trying to configure squid so I can use the squid statistics graphing
package available at: http://wessels.squid-cache.org/squid-rrd/

The situation is that I need cachemgr.cgi access from localhost without
a password, but I need to have a password for it everywhere else
somebody tries to access it.  I'm not sure how to write an acl, or
otherwise configure squid for this.  Any recommendations?

Mike Saunders
Systems Administration
Magic Internet Services, Inc.
(701) 838-1265
(701) 857-0238 (voicemail)
[EMAIL PROTECTED]
http://www.minot.com





Re: [squid-users] help with ACL's

2003-01-25 Thread Henrik Nordstrom
http_access is an ordered list of rules. The first http_access rule
where all listed acls are true will determine the fate of this request.


So you can do something like this:


http_access allow manager localhost
http_access allow manager localnetwork password


assuming localhost is an acl matching the source of the local host,
localnetwork matching your local networks and password a proxy_auth acl
requiring login.


You cannot use the simple cachemgr_passwd for selective access control,
but neither do you need to, as shown above. For more detailed access
control levels you can use the urlpath acl to match specific cachemgr
actions.

Regards
Henrik


Sat 2003-01-25 at 16.24, Mike Saunders wrote:
> I'm trying to configure squid so I can use the squid statistics graphing
> package available at: http://wessels.squid-cache.org/squid-rrd/
>
> The situation is that I need cachemgr.cgi access from localhost without
> a password, but I need to have a password for it everywhere else
> somebody tries to access it.  I'm not sure how to write an acl, or
> otherwise configure squid for this.  Any recommendations?
>
> Mike Saunders
> Systems Administration
> Magic Internet Services, Inc.
> (701) 838-1265
> (701) 857-0238 (voicemail)
> [EMAIL PROTECTED]
> http://www.minot.com
-- 
Henrik Nordstrom [EMAIL PROTECTED]
MARA Systems AB, Sweden
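
Added example, not part of the original reply: a Python model of the ordered, first-match evaluation described above, applied to the two suggested rules followed by `http_access deny manager` and `http_access deny all` from the default configuration earlier on this page. It also implements Squid's fallback when no line matches (the opposite of the last line's action), which is why the final `deny all` matters. The `localnetwork` range, the `user` field and the sample requests are assumptions made for the example.

```python
import ipaddress

# "localnetwork" range and the login field are assumptions for this example;
# the post only names the ACLs.
LOCALNET = ipaddress.ip_network("192.168.5.0/24")
ACLS = {
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "localnetwork": lambda r: ipaddress.ip_address(r["src"]) in LOCALNET,
    # Simplification: no valid login means "no match". Squid itself would
    # answer with an authentication challenge at this point.
    "password": lambda r: r.get("user") is not None,
    "all": lambda r: True,
}

RULES = [
    "http_access allow manager localhost",
    "http_access allow manager localnetwork password",
    "http_access deny manager",
    "http_access deny all",
]

def evaluate(rules, request):
    """Walk the rules in order; the first line whose ACLs all match decides."""
    action = None
    for line in rules:
        _, action, *names = line.split()
        # ACLs on one line are ANDed; a leading '!' negates a single ACL.
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action
    # No line matched: the default is the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

# Constructed requests (addresses and user name are sample values).
LOCAL = {"proto": "cache_object", "src": "127.0.0.1"}
LAN_LOGIN = {"proto": "cache_object", "src": "192.168.5.21", "user": "admin"}
LAN_ANON = {"proto": "cache_object", "src": "192.168.5.21"}
REMOTE_LOGIN = {"proto": "cache_object", "src": "203.0.113.9", "user": "admin"}
WEB = {"proto": "http", "src": "192.168.5.21"}

if __name__ == "__main__":
    for name in ("LOCAL", "LAN_LOGIN", "LAN_ANON", "REMOTE_LOGIN", "WEB"):
        print(name, evaluate(RULES, globals()[name]))
    print("WEB without the final deny all:", evaluate(RULES[:3], WEB))
```
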