[squid-users] restriction of sites to a subnet

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 1 16:47:34 UTC 2015


On 2/09/2015 1:28 a.m., jake driscoll wrote:
> here is my requirement:
> 
>> i have a subnet
>> only a small list of sites need to be allowed access to this subnet
>> this subnet should not get access to any other site except the ones in the
>> list
>> access for other users will remain the same
> 
> I tried the following
> 
> acl station-ip src 192.168.1.0/24
> acl station-domain dstdomain www.google.com www.bbc.com
> http_access deny station-ip !station-domain


That is correct for "subnet should not get access to any other site
except the ones in the list".


But you had more requirements in your description ...


 ... "sites need to be allowed access to this subnet"

Meaning you need an allow line somewhere that does that allowing.
Such a line might exist in your config already in another form.

At worst adding this line directly underneath the ones above will cause
that policy requirement to happen as well:

   http_access allow station-ip


 ... "access for other users will remain the same"

Without seeing your full squid.conf http_access rules and all associated
ACL definitions we can't help with that "the same" part. Except to say:

   Order is IMPORTANT.

Where you place an http_access line in the sequence with *all* other
http_access rules matters a LOT: whether it is even tested, whether
it will match at that time, and what will happen.

I *guess* you need to place these four new lines near the top of your
list of http_access rules, right under the default config's "CONNECT
!SSL_ports" line.


> 
> and also this -
> http_access deny station-ip
> http_access allow station-ip station-domain
> 

Good example of what I mean about order affecting matching.

100% of all traffic from station-ip will match that "deny" line.

The "allow" line will only be reached by non-'station-ip' traffic. It
will thus _never_ match, and does nothing.


Amos
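The ordering point above can be checked mechanically. The following Python script is an added illustration for this thread, not Squid code and not something Amos or Jake posted: it models Squid's first-match http_access evaluation (each line is a set of ACL names ANDed together, `!` negates one, the first line whose ACLs all match decides, and a request matching no line gets the opposite of the last line's action) for just the `src` and `dstdomain` ACL types, and runs both rule orders from the thread against a few constructed requests. The `localnet` ACL (10.0.0.0/8), the `all` ACL modelled as 0.0.0.0/0 and ::/0, and the client addresses 192.168.1.10, 10.0.0.5 and 203.0.113.7 are constructed for the example; the `station-ip` and `station-domain` ACLs are taken from the post.

```python
import ipaddress


class Acl:
    """One squid.conf 'acl NAME TYPE value...' line (src and dstdomain only)."""

    def __init__(self, name, kind, values):
        self.name, self.kind, self.values = name, kind, values

    def matches(self, client_ip, dst_host):
        if self.kind == "src":
            ip = ipaddress.ip_address(client_ip)
            return any(ip in ipaddress.ip_network(v, strict=False) for v in self.values)
        if self.kind == "dstdomain":
            host = dst_host.lower()
            for v in (x.lower() for x in self.values):
                if v.startswith("."):
                    # leading dot: the domain itself and every subdomain
                    if host == v[1:] or host.endswith(v):
                        return True
                elif host == v:  # no dot: exact host name only
                    return True
            return False
        raise ValueError(f"unsupported acl type: {self.kind}")


def evaluate(acls, http_access, client_ip, dst_host):
    """First-match evaluation. Returns (action, index of deciding line or None).
    http_access is a list of (action, [acl tokens]); '!' prefix negates a token.
    No match at all -> opposite of the last line's action (Squid's default)."""
    for idx, (action, tokens) in enumerate(http_access):
        if all(acls[t.lstrip("!")].matches(client_ip, dst_host) != t.startswith("!")
               for t in tokens):
            return action, idx
    last = http_access[-1][0]
    return ("deny" if last == "allow" else "allow"), None


def unreachable_lines(acls, http_access, requests):
    """Indices of http_access lines that decide none of the given requests."""
    hit = {evaluate(acls, http_access, ip, host)[1] for ip, host in requests}
    return [i for i in range(len(http_access)) if i not in hit]


# ACLs: station-ip / station-domain from the thread; localnet and all are constructed.
ACLS = {
    "station-ip": Acl("station-ip", "src", ["192.168.1.0/24"]),
    "station-domain": Acl("station-domain", "dstdomain", ["www.google.com", "www.bbc.com"]),
    "localnet": Acl("localnet", "src", ["10.0.0.0/8"]),
    "all": Acl("all", "src", ["0.0.0.0/0", "::/0"]),
}

# Amos's suggestion: deny the subnet everything but the list, then allow the subnet,
# followed by (constructed) rules for everyone else.
RECOMMENDED = [
    ("deny", ["station-ip", "!station-domain"]),
    ("allow", ["station-ip"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]

# Jake's second attempt: the bare deny comes first, so the allow can never be reached.
MISORDERED = [
    ("deny", ["station-ip"]),
    ("allow", ["station-ip", "station-domain"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]

# Constructed sample requests: (client IP, destination host).
REQUESTS = [
    ("192.168.1.10", "www.google.com"),   # subnet, listed site
    ("192.168.1.10", "www.example.org"),  # subnet, unlisted site
    ("10.0.0.5", "www.example.org"),      # other internal user
    ("203.0.113.7", "www.google.com"),    # outside address
]


def decide_recommended(client_ip, dst_host):
    return evaluate(ACLS, RECOMMENDED, client_ip, dst_host)


def decide_misordered(client_ip, dst_host):
    return evaluate(ACLS, MISORDERED, client_ip, dst_host)


if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        print(f"== {name} ==")
        for ip, host in REQUESTS:
            print(f"  {ip:14} {host:16} -> {evaluate(ACLS, rules, ip, host)}")
        print("  never-deciding lines:", unreachable_lines(ACLS, rules, REQUESTS))
```

Running it shows the subnet client reaching www.google.com is allowed by line 1 of the recommended order but denied by line 0 of the misordered one, and `unreachable_lines` reports index 1 (the `allow station-ip station-domain` line) as never deciding anything in the misordered set, which is exactly the "does nothing" point made above.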

