[squid-users] restriction of sites to a subnet

jake driscoll jakedriscollin2015 at gmail.com
Wed Sep 2 19:48:00 UTC 2015


Thanks a lot for the reply Amos.
I tried the following:

acl station-ip src 192.168.1.0/24
acl station-domain dstdomain /usr/local/squid/station-domain.acl
http_access allow  station-ip station-domain
http_access deny kiosk-ip

This order of rules only denies everything instead of allowing at least
domains in station-domain.acl

My requirement is that everyone in that subnet should be able to access
domains in station-domain.acl only. Sites outside the list have to be
blocked for them.




On Tue, Sep 1, 2015 at 10:17 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 2/09/2015 1:28 a.m., jake driscoll wrote:
> > here is my requirement:
> >
> >> i have a subnet
> >> only a small list of sites need to be allowed access to this subnet
> >> this subnet should not get access to any other site except the ones in
> the
> > list
> >> access for other users will remain the same
> >
> > I tried the following
> >
> > acl station-ip src 192.168.1.0/24
> > acl station-domain dstdomain www.google.com www.bbc.com
> > http_access deny station-ip !station-domain
>
>
> That is correct for "subnet should not get access to any other site
> except the ones in the list".
>
>
> But you had more requirements in your description ...
>
>
>  ... "sites need to be allowed access to this subnet"
>
> Meaning you need an allow line somewhere that does that allowing.
> Such a line might exist in your config already in another form.
>
> At worst adding this line directly underneath the ones above will cause
> that policy requirement to happen as well:
>
>    http_access allow station-ip
>
>
>  ... "access for other users will remain the same"
>
> Without seeing your full squid.conf http_access rules and all associated
> ACL definitions we can't help with that "the same" part. Except to say:
>
>    Order is IMPORTANT.
>
> Where you place a http_access line in the sequence with *all* other
> http_access rules matters a LOT about whether it is even tested, whether
> it will match at that time, and what will happen.
>
> I *guess* you need to place these four new lines near the top of your
> list of http_access list right under the default configs "CONNECT
> !SSL_ports" line.
>
>
> >
> > and also this -
> > http_access deny station-ip
> > http_access allow station-ip station-domain
> >
>
> Good example of what I mean about order affecting matching.
>
> 100% of all traffic from station-ip will match that "deny" line.
>
> The "allow" line will only be reached by non-'station-ip' traffic. It
> will thus _never_ match, and does nothing.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
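A small Python model of the first-match http_access evaluation Amos describes, added here as an illustration and not part of either message: it replays the two orderings posted in the thread (the deny-first one and the "deny station-ip !station-domain" then "allow station-ip" one) against constructed client IPs and a constructed non-listed host (example.net).

```python
"""Model of Squid's first-match http_access walk (added example, not from the thread).

Squid reads http_access lines top to bottom; a line matches only when every
ACL on it matches (a leading '!' negates that one ACL). The first matching
line decides the request. Only the 'src' and 'dstdomain' ACL types used in
the thread are modelled, and dstdomain is matched as an exact hostname.
"""
import ipaddress

ACLS = {  # the ACL definitions from the thread
    "station-ip": ("src", ["192.168.1.0/24"]),
    "station-domain": ("dstdomain", ["www.google.com", "www.bbc.com"]),
}


def acl_matches(name, client_ip, host):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        return host.lower() in (v.lower() for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def http_access(rules, client_ip, host):
    """rules: list of (action, [acl terms]) in squid.conf order.
    Returns 'allow' or 'deny' from the first matching line, or None when no
    line matched and the rest of squid.conf would decide."""
    for action, terms in rules:
        line_matches = True
        for term in terms:
            negated = term.startswith("!")
            hit = acl_matches(term.lstrip("!"), client_ip, host)
            if hit == negated:  # ACL failed, or a negated ACL succeeded
                line_matches = False
                break
        if line_matches:
            return action
    return None


# Second attempt from the thread: the deny line swallows all station-ip traffic.
BROKEN = [("deny", ["station-ip"]), ("allow", ["station-ip", "station-domain"])]
# Ordering suggested in the reply: block non-listed sites, then allow the subnet.
FIXED = [("deny", ["station-ip", "!station-domain"]), ("allow", ["station-ip"])]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        for ip, host in [("192.168.1.10", "www.google.com"),  # constructed clients
                         ("192.168.1.10", "example.net"), ("10.0.0.5", "example.net")]:
            print(label, ip, host, "->", http_access(rules, ip, host))
```

With BROKEN every station-ip request returns "deny" and the allow line is never reached; with FIXED listed sites are allowed, other sites are denied for the subnet, and other users fall through (None) to the remaining http_access rules.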