[squid-users] Basic explanation on configuration

Amos Jeffries squid3 at treenet.co.nz
Mon Aug 10 22:46:36 UTC 2020


On 10/08/20 8:43 pm, Roberto Nunnari wrote:
> Hello.
> 
> I need to build a new linux server with squid to replace an old one.
> 
> The old server is running squid version 3.3.8 and authenticates against
> Active Directory. In the conf I see ldap, ntlm, kerberos and negotiator
> + wbinfo.
> 
> The new server is running squid version 4.4.8. I’m trying to keep it
> simple and keep the conf file clean.
> 
> That’s why for authentication and authorization I try to use only
> basic_ldap_auth and ext_ldap_group_acl.
> 
> I would like to understand the basics of squid.conf but I find the
> online documentation is missing the basics.. for instance I believe the
> acl directive uses logical ‘and’ when using multiple values on the same
> line, and uses logical ‘or’ when using multiple lines for the same acl
> name..
> 


Which part of the online documentation are you looking at?

On the official website (<http://www.squid-cache.org/>) menu under
"Documentation" we have several sources:

 * Reference guide - for a detailed description of a specific directive if
you need a reminder of its usage or specific details of its operation.

 * Examples - how-to config snippets for common installation needs.

 * Books for learning Squid; beginners guide, and expert reference.

 * FAQ and Wiki for a more up-to-date alternative to the books.


> 
> That is something it should be written clear in the documentation. Maybe
> it is somewhere, but I could not find that information.
> 

 <https://wiki.squid-cache.org/SquidFaq/SquidAcl#And.2FOr_logic>


> 
> Same for http_access.. how does it work? What happens when the first
> match is found? It applies the rule and exits or it goes on to the next
> lines?
> 

<https://wiki.squid-cache.org/SquidFaq/SquidAcl#Access_Lists>


> 
> What I need to implement is more or less this :
> 

> 5)      Some websites are forbidden for everybody

  acl blacklist dstdomain ...
  http_access deny blacklist


> 
> 1)      Every user needs to provide valid username and password (from AD).
> 

 auth_param ...

 acl login proxy_auth REQUIRED
 http_access deny !login


> 4)      Some websites are accessible without being in group 2) or in
> file 3)
>

  acl whitelist dstdomain ...
  http_access allow whitelist


> 2)      Users who belongs to a given AD group, can go on and access the
> internet
> 

  external_acl_type groups ...

  # "groups" is the external_acl_type class defined above; groupName is
  # the AD group name passed to the ext_ldap_group_acl helper
  acl groupCheck external groups groupName
  http_access allow groupCheck


> 6)      Some websites are allowed only for users in group 2)

  acl forbidOthers dstdomain ...


> 3)      Other users need to be inside a file. If they are found in that
> file, they can access the internet
> 

  # a quoted path loads one username per line from the file
  acl otherUsers proxy_auth "/etc/squid/usernames_allowed"
  http_access allow !forbidOthers otherUsers

  http_access deny all


Note the order of policy enforcement. Deny as much as possible first,
allow later. Faster ACL types first whenever possible.

Amos
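The rules the thread asks about (ACLs on one http_access line are ANDed, several acl lines sharing a name are ORed into one list, and the first matching http_access line decides) can be checked against the policy order given in the reply with a small model. The following is an added Python example and not Squid code or anything posted to the list; the domain lists, the AD group name "Proxy-Internet" and the contents of the username file are all constructed for illustration.

```python
"""Model of how Squid evaluates the http_access policy sketched in the reply.

Added example, not Squid code: a small Python re-implementation of the
evaluation rules (AND within an http_access line, OR across acl lines of
the same name, first matching http_access line wins), run over
constructed requests.  All names and lists below are made up.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: Optional[str]   # None means no Proxy-Authorization credentials were sent
    groups: frozenset     # constructed AD group membership of that user
    host: str             # destination host of the request


Acl = Callable[[Request], bool]

# Constructed ACL value lists.  Repeating the same acl name on several
# "acl ... dstdomain" lines in squid.conf only adds values to one set like these.
BLACKLIST = {"gambling.example", "malware.example"}     # acl blacklist dstdomain ...
WHITELIST = {"updates.example", "intranet.example"}     # acl whitelist dstdomain ...
FORBID_OTHERS = {"trading.example"}                     # acl forbidOthers dstdomain ...
INTERNET_GROUP = "Proxy-Internet"                       # hypothetical AD group name
USERNAMES_ALLOWED = {"alice", "bob"}                    # /etc/squid/usernames_allowed


def dstdomain(domains: Set[str]) -> Acl:
    """dstdomain matches each listed domain and any of its subdomains."""
    def acl(r: Request) -> bool:
        h = r.host.lower().rstrip(".")
        return any(h == d or h.endswith("." + d) for d in domains)
    return acl


def NOT(acl: Acl) -> Acl:
    """The '!' prefix on an http_access line."""
    return lambda r: not acl(r)


blacklist = dstdomain(BLACKLIST)
whitelist = dstdomain(WHITELIST)
forbidOthers = dstdomain(FORBID_OTHERS)
login = lambda r: r.user is not None                # acl login proxy_auth REQUIRED
groupCheck = lambda r: INTERNET_GROUP in r.groups   # acl groupCheck external groups ...
otherUsers = lambda r: r.user in USERNAMES_ALLOWED  # acl otherUsers proxy_auth "file"
all_ = lambda r: True                               # acl all src all

# http_access lines in the order given in the reply.  Every ACL on a line
# must match for the line to match (AND); lines are tried top to bottom and
# the first matching line is final.
HTTP_ACCESS = [
    ("deny", "blacklist", [blacklist]),                      # 5) forbidden for everyone
    ("deny", "login", [NOT(login)]),                         # 1) credentials required
    ("allow", "whitelist", [whitelist]),                     # 4) open to any authenticated user
    ("allow", "groupCheck", [groupCheck]),                   # 2) AD group gets everything else
    ("allow", "otherUsers", [NOT(forbidOthers), otherUsers]),  # 3) + 6) listed users, minus group-only sites
    ("deny", "all", [all_]),                                 # explicit catch-all
]


def http_access(r: Request) -> Tuple[str, str]:
    """Return (verdict, name of the http_access line that matched)."""
    for verdict, name, acls in HTTP_ACCESS:
        if all(acl(r) for acl in acls):
            return verdict, name
    # Unreachable with a trailing "deny all".  Without it Squid applies the
    # opposite of the last line's verdict, which is why the catch-all is
    # always spelled out.
    return "allow", "implicit default"


if __name__ == "__main__":
    samples = [
        Request(None, frozenset(), "updates.example"),            # anonymous, whitelisted site
        Request("alice", frozenset(), "news.example"),            # in the file, not in the group
        Request("alice", frozenset(), "trading.example"),         # file user on a group-only site
        Request("carol", frozenset({INTERNET_GROUP}), "trading.example"),
        Request("carol", frozenset({INTERNET_GROUP}), "www.malware.example"),
    ]
    for req in samples:
        print(req.user, req.host, "->", http_access(req))
```

Two things the model makes visible: the whitelist does not open those sites to anonymous clients, because "deny !login" is matched before "allow whitelist" (a real Squid answers that deny with a 407 challenge, since the failing ACL was a proxy_auth one), and a user listed in the file is stopped at forbidOthers sites only because the negated ACL sits on the same line as otherUsers, so both conditions must hold for that allow to fire.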

