New Squid Access Control Fields



  • version 1.01
    squid version 2.5.14_2-p7

    I have several clients who want a proxy server. The requirements are that the proxy must be transparent, and that users can be restricted to only certain sites. I modified the proxy access control to accomplish these goals.

    I am not a programmer!!!!

    I hacked my way through this stuff and it seems to work well in transparent mode. If people are interested in using this, someone who knows what they are doing needs to verify my changes and additions.
    Attached are the squid.inc and xml files. I added .txt.

    1. I rearranged the access control entry lists so that the logic follows the http_access line in squid.conf
    2. I attempted to better explain each role and condition. Someone needs to check this for correctness.
    3. I added two restricted site lists. They limit access to listed sites by MAC or IP.

    If there is an entry in all of my sections, the squid.conf looks like this:

    Usual stuff, then…

    acl purge method PURGE
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin ?
    acl allowed_subnets src 192.168.1.0/24 10.177.0.0/16
    acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
    acl unrestricted_macs arp "/var/squid/acl/unrestricted_macs.acl"
    acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
    acl banned_macs arp "/var/squid/acl/banned_macs.acl"
    acl restrictedlist1 url_regex -i "/var/squid/acl/restrictedlist1.acl"
    acl restricted_hosts1 src "/var/squid/acl/restricted_hosts1.acl"
    acl restricted_macs1 arp "/var/squid/acl/restricted_macs1.acl"
    acl restrictedlist2 url_regex -i "/var/squid/acl/restrictedlist2.acl"
    acl restricted_hosts2 src "/var/squid/acl/restricted_hosts2.acl"
    acl restricted_macs2 arp "/var/squid/acl/restricted_macs2.acl"
    acl whitelist url_regex -i "/var/squid/acl/whitelist.acl"
    acl blacklist url_regex -i "/var/squid/acl/blacklist.acl"
    no_cache deny dynamic
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    http_access allow localhost

    request_body_max_size 0 KB
    reply_body_max_size 0 allow all
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/10485760 -1/10485760
    delay_initial_bucket_level 100%
    delay_access 1 deny unrestricted_hosts
    delay_access 1 deny unrestricted_macs
    delay_access 1 deny restricted_hosts1
    delay_access 1 deny restricted_macs1
    delay_access 1 deny restricted_hosts2
    delay_access 1 deny restricted_macs2
    delay_access 1 allow all

    http_access deny banned_hosts
    http_access deny banned_macs
    http_access allow unrestricted_hosts
    http_access allow unrestricted_macs
    http_access allow restrictedlist1 restricted_hosts1
    http_access deny restricted_hosts1
    http_access allow restrictedlist1 restricted_macs1
    http_access deny restricted_macs1
    http_access allow restrictedlist2 restricted_hosts2
    http_access deny restricted_hosts2
    http_access allow restrictedlist1 restricted_macs2
    http_access deny restricted_macs2
    http_access allow whitelist
    http_access deny blacklist
    http_access allow allowed_subnets
    http_access deny all



  • Sorry, I found a mistake squid.conf should read:
    http_access allow restrictedlist2 restricted_macs2
    not
    http_access allow restrictedlist1 restricted_macs2

    I also removed the restricted lists from the “delay_access 1 deny” entries. Restricted sites should be subject to the same restraints as normal users.

    CORRECTED .INC AND .XML FILE ATTACHED BELOW!!!!!!!

    new squid.conf:

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    http_port 192.168.1.1:3128
    icp_port 0

    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/local/etc/squid/errors/English
    visible_hostname localhost
    cache_mgr admin@localhost

    cache_access_log /dev/null
    cache_log /var/squid/log/cache.log
    cache_store_log none

    cache_dir diskd /var/squid/cache 100 16 256
    cache_mem 8 MB
    maximum_object_size 10 KB
    minimum_object_size 0 KB
    cache_replacement_policy heap LFUDA
    memory_replacement_policy heap GDSF
    offline_mode off

    # No redirector configured

    acl all src 0.0.0.0/0
    acl localhost src 127.0.0.1
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535
    acl sslports port 443 563
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin ?
    acl allowed_subnets src 192.168.1.0/24
    acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
    acl unrestricted_macs arp "/var/squid/acl/unrestricted_macs.acl"
    acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
    acl banned_macs arp "/var/squid/acl/banned_macs.acl"
    acl restrictedlist1 url_regex -i "/var/squid/acl/restrictedlist1.acl"
    acl restricted_hosts1 src "/var/squid/acl/restricted_hosts1.acl"
    acl restricted_macs1 arp "/var/squid/acl/restricted_macs1.acl"
    acl restrictedlist2 url_regex -i "/var/squid/acl/restrictedlist2.acl"
    acl restricted_hosts2 src "/var/squid/acl/restricted_hosts2.acl"
    acl restricted_macs2 arp "/var/squid/acl/restricted_macs2.acl"
    acl whitelist url_regex -i "/var/squid/acl/whitelist.acl"
    acl blacklist url_regex -i "/var/squid/acl/blacklist.acl"
    no_cache deny dynamic
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    http_access allow localhost

    request_body_max_size 0 KB
    reply_body_max_size 0 allow all
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/10485760 -1/10485760
    delay_initial_bucket_level 100%
    delay_access 1 deny unrestricted_hosts
    delay_access 1 deny unrestricted_macs
    delay_access 1 allow all

    http_access deny banned_hosts
    http_access deny banned_macs
    http_access allow unrestricted_hosts
    http_access allow unrestricted_macs
    http_access allow restrictedlist1 restricted_hosts1
    http_access deny restricted_hosts1
    http_access allow restrictedlist1 restricted_macs1
    http_access deny restricted_macs1
    http_access allow restrictedlist2 restricted_hosts2
    http_access deny restricted_hosts2
    http_access allow restrictedlist2 restricted_macs2
    http_access deny restricted_macs2
    http_access allow whitelist
    http_access deny blacklist
    http_access allow allowed_subnets
    http_access deny all
    -------------------------------------------------------------------
    I’ve removed the old attached squid.inc.txt and added changes.

    Here are the squid files with .txt added for posting

    squid.inc.txt
    squid_nac.xml.txt
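A small first-match evaluator for the http_access block in the two posts above, added here as an illustration and not part of the poster's squid.inc or xml files. The ACL contents are constructed single-entry stand-ins for the /var/squid/acl/*.acl list files; it runs sample requests through the corrected rules and through the first post's version to show why the restrictedlist1/restrictedlist2 typo mattered.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed single-entry stand-ins for the /var/squid/acl/*.acl files (not the
# poster's real lists); an ACL missing here behaves like an empty list file.
SRC = {"all": "0.0.0.0/0", "allowed_subnets": "192.168.1.0/24", "banned_hosts": "192.168.1.50",
       "unrestricted_hosts": "192.168.1.10", "restricted_hosts1": "192.168.1.20"}
ARP = {"restricted_macs2": "00:11:22:33:44:55"}
URL = {"restrictedlist1": r"example\.org", "restrictedlist2": r"example\.net",
       "whitelist": r"pfsense\.org", "blacklist": r"badsite\.test"}

# The site-restriction rules from the corrected squid.conf in the second post.
CORRECTED_RULES = """http_access deny banned_hosts
http_access deny banned_macs
http_access allow unrestricted_hosts
http_access allow unrestricted_macs
http_access allow restrictedlist1 restricted_hosts1
http_access deny restricted_hosts1
http_access allow restrictedlist1 restricted_macs1
http_access deny restricted_macs1
http_access allow restrictedlist2 restricted_hosts2
http_access deny restricted_hosts2
http_access allow restrictedlist2 restricted_macs2
http_access deny restricted_macs2
http_access allow whitelist
http_access deny blacklist
http_access allow allowed_subnets
http_access deny all"""
# The first post's version of the same block, with the typo the author corrected.
MISTAKEN_RULES = CORRECTED_RULES.replace("allow restrictedlist2 restricted_macs2",
                                         "allow restrictedlist1 restricted_macs2")

def acl_matches(name, req):
    if name in SRC:
        return ip_address(req["ip"]) in ip_network(SRC[name])
    if name in ARP:
        return req["mac"].lower() == ARP[name]
    if name in URL:
        return re.search(URL[name], req["url"], re.I) is not None
    return False  # undefined here = empty list file, never matches

def http_access(req, rules=CORRECTED_RULES):
    """First matching line wins, as in Squid: a line matches only when every ACL
    on it matches ('!' negates). The trailing 'deny all' always matches."""
    for line in rules.splitlines():
        _, action, *acls = line.split()
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny"  # not reached while 'deny all' is the last line
```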

