[squid-users] R: Basic explanation on configuration
Roberto Nunnari
roberto.nunnari at edu.ti.ch
Thu Aug 13 15:00:14 UTC 2020
Thank you for your precious help, Amos.
It was very helpful. :-)
Best regards.
Robi
-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Tuesday, 11 August 2020 00:47
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Basic explanation on configuration
On 10/08/20 8:43 pm, Roberto Nunnari wrote:
> Hello.
>
>
>
> I need to build a new linux server with squid to replace an old one.
>
> The old server is running squid version 3.3.8 and authenticates
> against Active Directory. In the conf I see ldap, ntlm, kerberos and
> negotiator
> + wbinfo.
>
>
>
> The new server is running squid version 4.4.8. I’m trying to keep it
> simple and keep the conf file clean.
>
> That’s why for authentication and authorization I try to use only
> basic_ldap_auth and ext_ldap_group_acl.
>
>
>
> I would like to understand the basics of squid.conf but I find the
> online documentation is missing the basics.. for instance I believe
> the acl directive uses logical ‘and’ when using multiple values on the
> same line, and uses logical ‘or’ when using multiple lines for the
> same acl name..
>
Which part of the online documentation are you looking at?
On the official website (<http://www.squid-cache.org/>) menu under "Documentation" we have several sources:
* Reference guide - for detailed description of a specific directive if you are needing reminder of usage or specific details of its operation.
* Examples - how-to config snippets for common installation needs.
* Books for learning Squid; beginners guide, and expert reference.
* FAQ and Wiki for more up to date alternative to the books.
>
> That is something that should be written clearly in the documentation.
> Maybe it is somewhere, but I could not find that information.
>
<https://wiki.squid-cache.org/SquidFaq/SquidAcl#And.2FOr_logic>
>
> Same for http_access.. how does it work? What happens when the first
> match is found? It applies the rule and exits or it goes on to the
> next lines?
>
<https://wiki.squid-cache.org/SquidFaq/SquidAcl#Access_Lists>
>
> What I need to implement is more or less this :
>
>
> 5) Some websites are forbidden for everybody
acl blacklist dstdomain ...
http_access deny blacklist
>
> 1) Every user needs to provide valid username and password (from AD).
>
auth_param ...
acl login proxy_auth REQUIRED
http_access deny !login
> 4) Some websites are accessible without being in group 2) or in
> file 3)
>
acl whitelist dstdomain ...
http_access allow whitelist
> 2) Users who belong to a given AD group, can go on and access
> the internet
>
external_acl_type groups ...
acl groupCheck external groupName
http_access allow groupCheck
> 6) Some websites are allowed only for users in group 2)
acl forbidOthers dstdomain ...
> 3) Other users need to be inside a file. If they are found in
> that file, they can access the internet
>
acl otherUsers proxy_auth parameters("/etc/squid/usernames_allowed")
http_access allow !forbidOthers otherUsers
http_access deny all
Note the order of policy enforcement. Deny as much as possible first, allow later. Faster ACL types first whenever possible.
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
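The evaluation order discussed in the reply above, as an added example that is not part of the original thread: a simplified Python model of how Squid walks the http_access lines (ACLs on one line are ANDed, the first matching line decides). All domains, user names and set contents are constructed, and the dstdomain, proxy_auth and external lookups are reduced to set membership.

```python
# Simplified model of Squid's http_access evaluation, applied to the rule
# order from the reply above. All domains, users and groups are constructed.

BLACKLIST = {"blocked.example"}          # 5) forbidden for everybody
WHITELIST = {"open.example"}             # 4) open to any authenticated user
FORBID_OTHERS = {"staff-only.example"}   # 6) reserved for the AD group
AD_GROUP = {"alice"}                     # 2) members of the AD group
USERS_FILE = {"bob"}                     # 3) names listed in the file

# Each ACL is a predicate; several values in one ACL are ORed (set membership).
ACLS = {
    "blacklist":    lambda r: r["domain"] in BLACKLIST,
    "login":        lambda r: r["user"] is not None,   # valid credentials
    "whitelist":    lambda r: r["domain"] in WHITELIST,
    "groupCheck":   lambda r: r["user"] in AD_GROUP,
    "forbidOthers": lambda r: r["domain"] in FORBID_OTHERS,
    "otherUsers":   lambda r: r["user"] in USERS_FILE,
    "all":          lambda r: True,
}

# http_access lines in the order given in the reply.
RULES = [
    ("deny",  ["blacklist"]),
    ("deny",  ["!login"]),       # modelled as a plain deny (no auth challenge)
    ("allow", ["whitelist"]),
    ("allow", ["groupCheck"]),
    ("allow", ["!forbidOthers", "otherUsers"]),
    ("deny",  ["all"]),
]

def acl_matches(name, request):
    negate = name.startswith("!")
    result = ACLS[name.lstrip("!")](request)
    return not result if negate else result

def decide(request, rules=RULES):
    """Return (action, line) for the first line whose ACLs all match (AND)."""
    for line, (action, acls) in enumerate(rules, start=1):
        if all(acl_matches(a, request) for a in acls):
            return action, line          # first match wins; later lines unused
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

def req(user, domain):
    return {"user": user, "domain": domain}
```

The returned line number shows which rule decided each request, which makes it easy to see that a user from the file is stopped by the final `deny all` on a `forbidOthers` domain rather than by an explicit deny line.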