[squid-users] Allow specific set of IP to access a specific set of URL

Arjun K email_arjun at yahoo.com
Mon Mar 8 15:07:43 UTC 2021

 Thanks Amos and Klaus for your response.

    On Wednesday, 24 February, 2021, 05:03:57 pm IST, Amos Jeffries <squid3 at treenet.co.nz> wrote:  
 On 24/02/21 10:14 pm, Klaus Brandl wrote:
> The acl for the url must be of type url_regex, or something else:
> acl allowedurl url_regex "url.txt"

This line tells Squid to load a file full of regex patterns. Nothing more.

The http_access line is the list of rules that determines when those 
loaded values are tested against a URL, and what happens when the URL 
matches (or not) any of the patterns.

> On Tuesday, 23.02.2021, 18:09 +0000, Arjun K wrote:
>> Hi Team
>> Could you please let me know how to define an acl so that a specific
>> set of IPs can access alone a specific set of URLs.

Have you read the docs on how Squid does access control?

The example config you showed indicates a lack of understanding of the 
syntax. That understanding is key to these things actually working the 
way you want.

Let's look at your stated requirements:

 >  define an acl

acl okay_urls url_regex "/etc/squid/url.txt"

 > a specific set of IPs can access alone a specific set of URLs.

That sentence is an access policy. It has three parts:

  1) "set of IPs"

  I have assumed from the "can access" words that you mean client IPs, 
which in networking is the TCP src-IP value.

So ...

    acl set_of_IPs src

  2) "set of URLs"

So ...

    acl set_of_urls url_regex "/etc/squid/url.txt"

  3) "can access alone"

I assume that means you want these IPs to access the URLs. But no others 
to be able to access those same URLs.

So ...
  # permit set_of_ips
  http_access allow set_of_ips set_of_urls
  http_access deny set_of_urls

 > Also, I have an existing configuration which should not get affected
 > and it should not interfere in the rules which were allowed for the
 > servers previously.

The most important word there is "previously".

This is where *you* understanding how Squid access controls fit together 
matters *a lot*.

The first http_access line that matches entirely will _end_ processing 
of the 'http_access' sequence. The action (allow/deny) specified on that 
matched line will be done.

So where you place the above http_access lines determines which 
transactions will be able to reach and be tested by them.
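
The first-match behaviour described above, as an added example that is not part of the original thread: a small Python model of how Squid walks http_access lines, showing that the two new lines only restrict set_of_urls when they sit before an existing broad allow. The addresses, the URL pattern and the existing `localnet` / `deny all` lines are constructed assumptions; the thread gives none of them.

```python
import ipaddress
import re

# Constructed sample values (assumptions, not from the thread).
ACLS = {
    "set_of_ips": ("src", ["192.0.2.10", "192.0.2.11"]),
    "set_of_urls": ("url_regex", [r"^https?://intranet\.example\.com/"]),
    "localnet": ("src", ["192.0.2.0/24"]),
    "all": ("src", ["0.0.0.0/0"]),
}

def acl_matches(name, client_ip, url):
    """Test one named ACL against the request's source IP or URL."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    # url_regex: case-sensitive pattern search over the whole URL
    return any(re.search(p, url) for p in values)

def http_access(rules, client_ip, url):
    """Return (action, line) for the first line whose ACLs ALL match."""
    for line in rules:
        action, *names = line.split()[1:]
        if all(acl_matches(n, client_ip, url) for n in names):
            return action, line  # processing ends at the first full match
    # No line matched: Squid applies the opposite of the last line's action.
    last = rules[-1].split()[1]
    return ("deny" if last == "allow" else "allow"), None

def decide(rules, client_ip, url):
    return http_access(rules, client_ip, url)[0]

# The two lines from the thread, plus a hypothetical pre-existing policy.
NEW_RULES = [
    "http_access allow set_of_ips set_of_urls",
    "http_access deny set_of_urls",
]
EXISTING = ["http_access allow localnet", "http_access deny all"]

if __name__ == "__main__":
    url = "http://intranet.example.com/payroll"
    for label, rules in (("new rules first", NEW_RULES + EXISTING),
                         ("new rules last ", EXISTING + NEW_RULES)):
        for ip in ("192.0.2.10", "192.0.2.99"):
            print(label, ip, http_access(rules, ip, url))
```

With the new lines appended after `http_access allow localnet`, the client 192.0.2.99 is allowed to the restricted URL because the broad allow matches first and the deny is never reached.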
