New Squid Access Control Fields
-
version 1.01
squid version 2.5.14_2-p7
I have several clients who want a proxy server. The requirements are that the proxy must be transparent and that users can be restricted to only certain sites. I modified the proxy access control to accomplish these goals.
I am not a programmer!!!!
I hacked my way through this stuff and it seems to work well in transparent mode. If people are interested in using this, someone who knows what they are doing needs to verify my changes and additions.
Attached are the squid.inc and xml files (I added .txt).
- I rearranged the access control entry lists so that the logic follows the http_access lines in squid.conf.
- I attempted to better explain each role and condition. Someone needs to check this for correctness.
- I added two restricted site lists. They limit access to listed sites by MAC or IP.
If there is an entry in all of my sections, the squid.conf looks like this:
Usual stuff, then...
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin ?
acl allowed_subnets src 192.168.1.0/24 10.177.0.0/16
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
acl unrestricted_macs arp "/var/squid/acl/unrestricted_macs.acl"
acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
acl banned_macs arp "/var/squid/acl/banned_macs.acl"
acl restrictedlist1 url_regex -i "/var/squid/acl/restrictedlist1.acl"
acl restricted_hosts1 src "/var/squid/acl/restricted_hosts1.acl"
acl restricted_macs1 arp "/var/squid/acl/restricted_macs1.acl"
acl restrictedlist2 url_regex -i "/var/squid/acl/restrictedlist2.acl"
acl restricted_hosts2 src "/var/squid/acl/restricted_hosts2.acl"
acl restricted_macs2 arp "/var/squid/acl/restricted_macs2.acl"
acl whitelist url_regex -i "/var/squid/acl/whitelist.acl"
acl blacklist url_regex -i "/var/squid/acl/blacklist.acl"
no_cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
request_body_max_size 0 KB
reply_body_max_size 0 allow all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/10485760 -1/10485760
delay_initial_bucket_level 100%
delay_access 1 deny unrestricted_hosts
delay_access 1 deny unrestricted_macs
delay_access 1 deny restricted_hosts1
delay_access 1 deny restricted_macs1
delay_access 1 deny restricted_hosts2
delay_access 1 deny restricted_macs2
delay_access 1 allow all
http_access deny banned_hosts
http_access deny banned_macs
http_access allow unrestricted_hosts
http_access allow unrestricted_macs
http_access allow restrictedlist1 restricted_hosts1
http_access deny restricted_hosts1
http_access allow restrictedlist1 restricted_macs1
http_access deny restricted_macs1
http_access allow restrictedlist2 restricted_hosts2
http_access deny restricted_hosts2
http_access allow restrictedlist1 restricted_macs2
http_access deny restricted_macs2
http_access allow whitelist
http_access deny blacklist
http_access allow allowed_subnets
http_access deny all
-
Sorry, I found a mistake. squid.conf should read:
http_access allow restrictedlist2 restricted_macs2
not
http_access allow restrictedlist1 restricted_macs2
I also removed the restricted lists from the "delay_access 1 deny" entries. Restricted sites should be subject to the same restraints as normal users.
CORRECTED .INC AND .XML FILE ATTACHED BELOW!!!!!!!
new squid.conf:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_port 192.168.1.1:3128
icp_port 0
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
visible_hostname localhost
cache_mgr admin@localhost
cache_access_log /dev/null
cache_log /var/squid/log/cache.log
cache_store_log none
cache_dir diskd /var/squid/cache 100 16 256
cache_mem 8 MB
maximum_object_size 10 KB
minimum_object_size 0 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
offline_mode off
# No redirector configured
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin ?
acl allowed_subnets src 192.168.1.0/24
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
acl unrestricted_macs arp "/var/squid/acl/unrestricted_macs.acl"
acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
acl banned_macs arp "/var/squid/acl/banned_macs.acl"
acl restrictedlist1 url_regex -i "/var/squid/acl/restrictedlist1.acl"
acl restricted_hosts1 src "/var/squid/acl/restricted_hosts1.acl"
acl restricted_macs1 arp "/var/squid/acl/restricted_macs1.acl"
acl restrictedlist2 url_regex -i "/var/squid/acl/restrictedlist2.acl"
acl restricted_hosts2 src "/var/squid/acl/restricted_hosts2.acl"
acl restricted_macs2 arp "/var/squid/acl/restricted_macs2.acl"
acl whitelist url_regex -i "/var/squid/acl/whitelist.acl"
acl blacklist url_regex -i "/var/squid/acl/blacklist.acl"
no_cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
request_body_max_size 0 KB
reply_body_max_size 0 allow all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/10485760 -1/10485760
delay_initial_bucket_level 100%
delay_access 1 deny unrestricted_hosts
delay_access 1 deny unrestricted_macs
delay_access 1 allow all
http_access deny banned_hosts
http_access deny banned_macs
http_access allow unrestricted_hosts
http_access allow unrestricted_macs
http_access allow restrictedlist1 restricted_hosts1
http_access deny restricted_hosts1
http_access allow restrictedlist1 restricted_macs1
http_access deny restricted_macs1
http_access allow restrictedlist2 restricted_hosts2
http_access deny restricted_hosts2
http_access allow restrictedlist2 restricted_macs2
http_access deny restricted_macs2
http_access allow whitelist
http_access deny blacklist
http_access allow allowed_subnets
http_access deny all
–------------------------------------------------------------------
I've removed the old attached squid.inc.txt and added the changes. Here are the squid files with .txt added for posting.
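The http_access section of the corrected squid.conf above is evaluated first-match: Squid walks the lines in order, a line matches when every ACL named on it matches, and the first matching line decides (if none matches, the opposite of the last line's action applies). The Python below is an added example, not code from the poster's squid.inc and not Squid's own code. It models that evaluation for the three ACL types the post uses (src, arp, url_regex), leaves out the manager/purge/safeports/CONNECT lines because they key on method and port, fills the /var/squid/acl/*.acl lists with constructed sample entries, and runs the requests a practitioner would want to check, including the restrictedlist1/restricted_macs2 line the poster corrected.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# name -> (acl type, values). The file-backed lists (/var/squid/acl/*.acl in the
# post) are filled with constructed sample entries, one per line as Squid reads them.
ACLS = {
    "all":                ("src", ["0.0.0.0/0"]),
    "allowed_subnets":    ("src", ["192.168.1.0/24"]),
    "unrestricted_hosts": ("src", ["192.168.1.10"]),
    "unrestricted_macs":  ("arp", ["00:11:22:33:44:55"]),
    "banned_hosts":       ("src", ["192.168.1.66"]),
    "banned_macs":        ("arp", []),
    "restrictedlist1":    ("url_regex", [r"^http://(www\.)?example\.org/"]),
    "restricted_hosts1":  ("src", ["192.168.1.20"]),
    "restricted_macs1":   ("arp", []),
    "restrictedlist2":    ("url_regex", [r"^http://intranet\.example\.net/"]),
    "restricted_hosts2":  ("src", []),
    "restricted_macs2":   ("arp", ["00:aa:bb:cc:dd:ee"]),
    "whitelist":          ("url_regex", [r"example\.com"]),
    "blacklist":          ("url_regex", [r"example\.com/forbidden", r"badsite\.test"]),
}

# The per-client http_access lines of the corrected squid.conf, in order.
RULES_CORRECTED = [
    ("deny",  ["banned_hosts"]),
    ("deny",  ["banned_macs"]),
    ("allow", ["unrestricted_hosts"]),
    ("allow", ["unrestricted_macs"]),
    ("allow", ["restrictedlist1", "restricted_hosts1"]),
    ("deny",  ["restricted_hosts1"]),
    ("allow", ["restrictedlist1", "restricted_macs1"]),
    ("deny",  ["restricted_macs1"]),
    ("allow", ["restrictedlist2", "restricted_hosts2"]),
    ("deny",  ["restricted_hosts2"]),
    ("allow", ["restrictedlist2", "restricted_macs2"]),
    ("deny",  ["restricted_macs2"]),
    ("allow", ["whitelist"]),
    ("deny",  ["blacklist"]),
    ("allow", ["allowed_subnets"]),
    ("deny",  ["all"]),
]

# The first posted version had "allow restrictedlist1 restricted_macs2" instead.
RULES_ORIGINAL = list(RULES_CORRECTED)
RULES_ORIGINAL[10] = ("allow", ["restrictedlist1", "restricted_macs2"])


@dataclass
class Request:
    src_ip: str
    url: str
    src_mac: Optional[str] = None  # None: MAC not in the proxy's ARP table


def acl_matches(spec: str, req: Request) -> bool:
    """Evaluate one ACL reference from an http_access line ('!' negates)."""
    negate = spec.startswith("!")
    kind, values = ACLS[spec.lstrip("!")]
    if kind == "src":
        ip = ipaddress.ip_address(req.src_ip)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    elif kind == "arp":
        # Squid only knows the MACs of clients on a directly attached subnet;
        # a client behind a router never matches an arp ACL.
        hit = req.src_mac is not None and req.src_mac.lower() in {v.lower() for v in values}
    elif kind == "url_regex":
        hit = any(re.search(v, req.url, re.IGNORECASE) for v in values)
    else:
        raise ValueError(f"acl type not modelled: {kind}")
    return hit != negate


def http_access(req: Request, rules=RULES_CORRECTED):
    """First line whose ACLs all match decides; returns (action, matching line)."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action, f"http_access {action} {' '.join(acls)}"
    # Nothing matched: Squid applies the opposite of the last line's action.
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), "default (opposite of last line)"


def scenarios(rules=RULES_CORRECTED) -> dict:
    """Requests worth checking before trusting the ruleset; name -> action."""
    cases = {
        "restricted host 1, list1 site":        Request("192.168.1.20", "http://www.example.org/news"),
        "restricted host 1, whitelisted site":  Request("192.168.1.20", "http://www.example.com/"),
        "unrestricted host, blacklisted site":  Request("192.168.1.10", "http://badsite.test/"),
        "normal host, blacklisted site":        Request("192.168.1.30", "http://badsite.test/"),
        "normal host, whitelist+blacklist URL": Request("192.168.1.30", "http://www.example.com/forbidden/x"),
        "banned host":                          Request("192.168.1.66", "http://www.example.com/"),
        "outside allowed_subnets, any site":    Request("10.0.0.5", "http://other.test/"),
        "outside allowed_subnets, whitelisted": Request("10.0.0.5", "http://www.example.com/"),
        "mac-restricted host 2, list2 site":    Request("192.168.1.40", "http://intranet.example.net/",
                                                        "00:aa:bb:cc:dd:ee"),
    }
    return {name: http_access(r, rules)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{action:5}  {name}")
    print("mac-restricted host 2 with the uncorrected line:",
          scenarios(RULES_ORIGINAL)["mac-restricted host 2, list2 site"])
```

Three things the run makes visible that are easy to miss when reading the config. First, "allow whitelist" precedes "deny blacklist", so a URL that matches both regexes is allowed; if the blacklist is meant to win, swap the two lines. Second, the whitelist/blacklist lines sit before "allow allowed_subnets", so a source outside allowed_subnets that can reach the proxy still gets whitelisted URLs; an "http_access deny !allowed_subnets" placed before the list rules closes that. Third, the arp ACLs can only match MACs in the proxy's ARP table, so a MAC-restricted client on a routed subnet does not hit its restricted_macs rules at all and falls through to the whitelist/blacklist/allowed_subnets lines instead; use the src lists for such clients.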