[squid-users] ACL and http_access

Magic Link magiclink at outlook.com
Fri Nov 13 07:31:40 UTC 2015


What I want, if it's possible, is:
Users can't access the Internet, except during two periods each day that I'll define. During these two periods, they can access only a few sites I define in the file (basic URL, http or https, per line).
I have to know if it's possible with Squid? Or Squidguard? Or not at all?
Thank you !

> From: Antony.Stone at squid.open.source.it
> To: squid-users at lists.squid-cache.org
> Date: Thu, 12 Nov 2015 17:04:06 +0100
> Subject: Re: [squid-users] ACL and http_access
> 
> On Thursday 12 November 2015 at 15:55:10, Magic Link wrote:
> 
> > Hi,
> > I want people not to have access to the Internet, except one hour twice a day
> > with only some urls listed in a file. I use the ACL type "time" and
> > "url_regex" but it doesn't work.
> 
> Please elaborate on "it doesn't work".
> 
> Do you mean people cannot access the Internet when they are supposed to be 
> able to?
> 
> Do you mean they can access the Internet when they are not supposed to be able 
> to?
> 
> Do you mean they can access sites which they are not supposed to access?
> 
> What, specifically, does and does not work?
> 
> > I think I don't do well with the order of http_access too. Is it possible
> > with squid only to do what I want? Here is my squid.conf:
> 
> > acl network src 10.2.0.0/16
> > acl working_hours time MTWHF 09:30-10:30
> > acl out_working_hours MTWHF 17:30-18:30
> > acl whitelist url_regex "/etc/squid3/allow.acl"
> 
> We need to see the contents (or at least, some examples) from that file.
> 
> > acl SSL_ports port 443
> > acl Safe_ports port 80		# http
> > acl Safe_ports port 21		# ftp
> > acl Safe_ports port 443		# https
> > acl Safe_ports port 70		# gopher
> > acl Safe_ports port 210		# wais
> > acl Safe_ports port 1025-65535	# unregistered ports
> > acl Safe_ports port 280		# http-mgmt
> > acl Safe_ports port 488		# gss-http
> > acl Safe_ports port 591		# filemaker
> > acl Safe_ports port 777		# multiling http
> > acl CONNECT method CONNECT
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost manager
> > http_access deny manager
> 
> > http_access allow localhost
> > http_access deny out_working_hours
> > http_access allow working_hours whitelist
> > http_access allow network
> > http_access deny all
> 
> So the above 5 directives will:
> 
> 1. Allow access from the local machine (good).
> 
> 2. Deny access from anywhere between M-F 17:30-18:30 - is that really what you 
> meant?  You said you want to allow access for one hour twice a day, yet here 
> you are denying access during a one hour timeslot.
> 
> 3. Allow access from anywhere M-F 09:30-10:30 to sites matching your regex 
> list.
> 
> 4. Allow access from any address 10.2.0.0/16 - this looks bad
> 
> 5. Deny anything else.
> 
> > http_port 3128
> > coredump_dir /var/spool/squid3
> > refresh_pattern ^ftp:		1440	20%	10080
> > refresh_pattern ^gopher:	1440	0%	1440
> > refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
> > refresh_pattern .		0	20%	4320
> > debug_options 28,4
> 
> I would suggest (assuming your regex list is good) trying:
> 
> http_access allow localhost
> http_access allow network working_hours whitelist
> http_access allow network out_working_hours whitelist
> http_access deny all
> 
> The above should allow access from 10.2.0.0/16 to the sites in your regex list 
> between the hours 09:30-10:30 and 17:30-18:30 M-F
> 
> If that isn't what you wanted, please specify the requirement and we'll see if 
> we can help further.
> 
> 
> 
> Antony.
> 
> -- 
> +++ Divide By Cucumber Error.  Please Reinstall Universe And Reboot +++
> 
>                                                    Please reply to the list;
>                                                          please *don't* CC me.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
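
The rule-ordering analysis in the quoted reply, as an added example that is not part of the original thread and not Squid code: a small first-match evaluator run over the original and the suggested `http_access` lists. The names `decide`, `acl_matches`, `req` and the hosts are hypothetical, the port and manager rules are left out, `out_working_hours` is treated as a `time` ACL as the reply reads it, and the whitelist is simplified to an exact host set.

```python
from datetime import datetime, time

# Time windows from the thread's ACLs (both treated as "time" ACLs, M-F).
WINDOWS = {"working_hours": (time(9, 30), time(10, 30)),
           "out_working_hours": (time(17, 30), time(18, 30))}
WHITELIST = {"intranet.example"}  # constructed; allow.acl is not shown

def acl_matches(name, req):
    """Return True if the named ACL matches the request."""
    if name == "all":
        return True
    if name in ("localhost", "network"):
        return req["src"] == name
    if name == "whitelist":  # simplification: exact host instead of url_regex
        return req["host"] in WHITELIST
    start, end = WINDOWS[name]
    when = req["when"]
    return when.weekday() < 5 and start <= when.time() <= end

def decide(rules, req):
    """First matching line wins; a line matches only if ALL its ACLs match."""
    for lineno, (action, acls) in enumerate(rules, start=1):
        if all(acl_matches(a, req) for a in acls):
            return action, lineno
    return "deny", None  # not reached: both lists end in "deny all"

ORIGINAL = [("allow", ["localhost"]),
            ("deny", ["out_working_hours"]),
            ("allow", ["working_hours", "whitelist"]),
            ("allow", ["network"]),
            ("deny", ["all"])]
SUGGESTED = [("allow", ["localhost"]),
             ("allow", ["network", "working_hours", "whitelist"]),
             ("allow", ["network", "out_working_hours", "whitelist"]),
             ("deny", ["all"])]

def req(src, when, host):
    return {"src": src, "when": datetime.fromisoformat(when), "host": host}

if __name__ == "__main__":
    cases = [req("network", "2015-11-10 14:00", "news.example"),
             req("network", "2015-11-10 17:45", "intranet.example"),
             req("network", "2015-11-14 09:45", "intranet.example")]
    for c in cases:
        print(c["when"], c["host"], decide(ORIGINAL, c), decide(SUGGESTED, c))
```

Each result is the action plus the number of the `http_access` line that decided it, which makes the effect of line 4 (`allow network`) in the original list visible.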