[squid-users] ACL and http_access

Antony Stone Antony.Stone at squid.open.source.it
Thu Nov 12 16:04:06 UTC 2015


On Thursday 12 November 2015 at 15:55:10, Magic Link wrote:

> Hi,
> I want people not to have access to the Internet, except for one hour twice a
> day and then only to some URLs listed in a file. I use the ACL types "time" and
> "url_regex" but it doesn't work.

Please elaborate on "it doesn't work".

Do you mean people cannot access the Internet when they are supposed to be 
able to?

Do you mean they can access the Internet when they are not supposed to be able 
to?

Do you mean they can access sites which they are not supposed to access?

What, specifically, does and does not work?

> I think I don't do well with the order of http_access either. Is it possible
> to do what I want with Squid only? Here is my squid.conf:

> acl network src 10.2.0.0/16
> acl working_hours time MTWHF 09:30-10:30
> acl out_working_hours time MTWHF 17:30-18:30
> acl whitelist url_regex "/etc/squid3/allow.acl"

We need to see the contents (or at least, some examples) from that file.

> acl SSL_ports port 443
> acl Safe_ports port 80		# http
> acl Safe_ports port 21		# ftp
> acl Safe_ports port 443		# https
> acl Safe_ports port 70		# gopher
> acl Safe_ports port 210		# wais
> acl Safe_ports port 1025-65535	# unregistered ports
> acl Safe_ports port 280		# http-mgmt
> acl Safe_ports port 488		# gss-http
> acl Safe_ports port 591		# filemaker
> acl Safe_ports port 777		# multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager

> http_access allow localhost
> http_access deny out_working_hours
> http_access allow working_hours whitelist
> http_access allow network
> http_access deny all

So the above 5 directives will:

1. Allow access from the local machine (good).

2. Deny access from anywhere between M-F 17:30-18:30 - is that really what you 
meant?  You said you want to allow access for one hour twice a day, yet here 
you are denying access during a one hour timeslot.

3. Allow access from anywhere M-F 09:30-10:30 to sites matching your regex 
list.

4. Allow access from any address in 10.2.0.0/16 - this looks bad

5. Deny anything else.

> http_port 3128
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp:		1440	20%	10080
> refresh_pattern ^gopher:	1440	0%	1440
> refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
> refresh_pattern .		0	20%	4320
> debug_options 28,4

I would suggest (assuming your regex list is good) trying:

http_access allow localhost
http_access allow network working_hours whitelist
http_access allow network out_working_hours whitelist
http_access deny all

The above should allow access from 10.2.0.0/16 to the sites in your regex list 
between the hours 09:30-10:30 and 17:30-18:30 M-F.

If that isn't what you wanted, please specify the requirement and we'll see if 
we can help further.



Antony.

-- 
+++ Divide By Cucumber Error.  Please Reinstall Universe And Reboot +++

                                                   Please reply to the list;
                                                         please *don't* CC me.
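To make the ordering problem in this thread concrete, here is an added Python model of Squid's http_access evaluation (it is not Antony's code and not part of Squid itself). It implements the two rules that matter here: each http_access line is an AND of its ACLs (a leading "!" negates one), and the first line that matches wins. The ACL definitions, the whitelist regex, the client addresses and the request timestamps are constructed for the example; the time ACL handling is simplified to the MTWHF/HH:MM form used in the thread. Running both the original rule set and Antony's suggested one against the same requests shows why the unconditional "allow network" line defeats the time window, and that the suggested ordering does not.

```python
import ipaddress
import re
from datetime import datetime

# Squid day letters for the "time" ACL type -> Python weekday() (Monday == 0).
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def define_acls():
    """Constructed ACL table modelled on the squid.conf in the thread (assumption:
    the whitelist file contains one regex; the real file was never shown)."""
    return {
        "localhost": {"type": "src", "nets": ["127.0.0.1/32"]},
        "network": {"type": "src", "nets": ["10.2.0.0/16"]},
        "working_hours": {"type": "time", "days": "MTWHF", "start": "09:30", "end": "10:30"},
        "out_working_hours": {"type": "time", "days": "MTWHF", "start": "17:30", "end": "18:30"},
        "whitelist": {"type": "url_regex", "patterns": [r"^https?://(www\.)?example\.com/"]},
        "all": {"type": "all"},
    }


def acl_matches(acl, request):
    """Does a single ACL match the request? request = {'src', 'url', 'when'}."""
    kind = acl["type"]
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(net) for net in acl["nets"])
    if kind == "time":
        when = request["when"]
        day_ok = when.weekday() in {DAY_CODES[c] for c in acl["days"]}
        hhmm = when.strftime("%H:%M")          # zero-padded, so string compare is safe
        return day_ok and acl["start"] <= hhmm <= acl["end"]
    if kind == "url_regex":
        return any(re.search(p, request["url"]) for p in acl["patterns"])
    raise ValueError("unsupported ACL type: %s" % kind)


def evaluate(rules, acls, request):
    """First-match evaluation of http_access lines.

    Every ACL named on a line must match for the line to match (AND); a '!' prefix
    negates that ACL. If no line matches, Squid applies the opposite of the last
    line's action, which is modelled here as well.
    """
    for action, names in rules:
        line_matches = True
        for name in names:
            negate = name.startswith("!")
            matched = acl_matches(acls[name.lstrip("!")], request)
            if matched == negate:              # ACL failed (or negated ACL matched)
                line_matches = False
                break
        if line_matches:
            return action
    last_action = rules[-1][0] if rules else "deny"
    return "deny" if last_action == "allow" else "allow"


# The relevant http_access lines from the original squid.conf, in order.
ORIGINAL_RULES = [
    ("allow", ["localhost"]),
    ("deny", ["out_working_hours"]),
    ("allow", ["working_hours", "whitelist"]),
    ("allow", ["network"]),          # unconditional for the whole subnet
    ("deny", ["all"]),
]

# Antony's suggested ordering: subnet AND time window AND whitelist on each allow line.
SUGGESTED_RULES = [
    ("allow", ["localhost"]),
    ("allow", ["network", "working_hours", "whitelist"]),
    ("allow", ["network", "out_working_hours", "whitelist"]),
    ("deny", ["all"]),
]


def make_request(when, url, src="10.2.1.5"):
    """Constructed request: src address, requested URL, and wall-clock time."""
    return {"src": src, "url": url, "when": when}


if __name__ == "__main__":
    acls = define_acls()
    thursday = lambda h, m: datetime(2015, 11, 12, h, m)   # 12 Nov 2015 was a Thursday
    samples = [
        ("listed site, inside window", make_request(thursday(10, 0), "http://www.example.com/")),
        ("listed site, outside both windows", make_request(thursday(14, 0), "http://www.example.com/")),
        ("listed site, evening window", make_request(thursday(18, 0), "http://www.example.com/")),
        ("unlisted site, inside window", make_request(thursday(10, 0), "http://not-listed.invalid/")),
    ]
    for label, req in samples:
        print("%-36s original=%-5s suggested=%s" % (
            label, evaluate(ORIGINAL_RULES, acls, req), evaluate(SUGGESTED_RULES, acls, req)))
```

The "outside both windows" and "unlisted site" rows are the ones to look at: the original ordering allows both because line 4 matches any 10.2.0.0/16 client regardless of time or URL, while the suggested ordering only allows a request when subnet, window and whitelist all match on the same line. The evening-window row shows the other half of the original problem, the "deny out_working_hours" line blocking exactly one of the two hours that were meant to be open.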
