[squid-users] Allow specific set of IP to access a specific set of URL
Amos Jeffries
squid3 at treenet.co.nz
Wed Feb 24 11:29:37 UTC 2021
On 24/02/21 10:14 pm, Klaus Brandl wrote:
> The acl for the url must be of type url_regex, or something else:
>
> acl allowedurl url_regex "url.txt"
>
This line tells Squid to load a file full of regex patterns. Nothing more.
The http_access line is the list of rules that determines when those
loaded values are tested against a URL, and what happens when the URL
matches (or not) any of the patterns.
>
> Am Dienstag, den 23.02.2021, 18:09 +0000 schrieb Arjun K:
>> Hi Team
>>
>> Could you please let me know how to define an acl so that a specific
>> set of IPs can access alone a specific set of URLs.
Have you read the docs on how Squid does access control?
<https://wiki.squid-cache.org/SquidFaq/SquidAcl#The_Basics:_How_the_parts_fit_together>
The example config you showed indicates a lack of understanding of the
syntax. That understanding is key to these things actually working the
way you want.
Let's look at your stated requirements:
> define an acl
acl okay_urls url_regex "/etc/squid/url.txt"
> a specific set of IPs can access alone a specific set of URLs.
That sentence is an access policy. It has three parts:
1) "set of IPs"
I have assumed from the "can access" words that you mean client IPs,
which in networking are the TCP src-IP values.
So ...
acl set_of_ips src 192.0.2.1 192.0.2.45 192.0.2.156
2) "set of URLs"
So ...
acl set_of_urls url_regex "/etc/squid/url.txt"
3) "can access alone"
I assume that means you want these IPs to access the URLs, but no others
to be able to access those same URLs.
So ...
# permit set_of_ips
http_access allow set_of_ips set_of_urls
http_access deny set_of_urls
> Also, I have an existing configuration which should not get affected
> and it should not interfere in the rules which were allowed for the
> servers previously.
The most important word there is "previously".
This is where *you* understanding how Squid access controls fit together
matters *a lot*.
The first http_access line that matches entirely will _end_ processing
of the 'http_access' sequence. The action (allow/deny) specified on that
matched line will be done.
So where you place the above http_access lines determines which
transactions will be able to reach and be tested by them.
Amos
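The placement point Amos makes above is easiest to see by running the rules. The following is an added example, not Squid's code and not part of the thread: a small Python model of how Squid walks the http_access list (ACLs on one line ANDed, first fully matching line ends processing, default is the opposite of the last line, as squid.conf.documented states). Only the src and url_regex ACL types are modelled. The config text, the stand-in for /etc/squid/url.txt, the `localnet` ACL and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed for the demonstration and are not from the original posts.

```python
# Added example (not Squid's code, not from the thread): a small model of how
# Squid walks the http_access list, enough to show why the *position* of the
# two new lines decides who can reach them. Only the 'src' and 'url_regex'
# ACL types are modelled; the config text, file contents and addresses are
# constructed for the demonstration.
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    src: str  # client IP, i.e. the TCP source address
    url: str  # full request URL as Squid sees it


@dataclass
class Policy:
    # Squid predefines 'all'; everything else comes from 'acl' lines.
    acls: dict = field(default_factory=lambda: {"all": ("src", ["0.0.0.0/0", "::/0"])})
    rules: list = field(default_factory=list)  # [(action, [acl names]), ...]

    def acl_matches(self, name: str, req: Request) -> bool:
        negate = name.startswith("!")
        kind, values = self.acls[name.lstrip("!")]
        if kind == "src":
            addr = ipaddress.ip_address(req.src)
            hit = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
        elif kind == "url_regex":
            # Squid uses POSIX regex; Python's re is close enough for these patterns.
            hit = any(re.search(p, req.url) for p in values)
        else:
            raise ValueError(f"ACL type {kind!r} not modelled here")
        return hit != negate

    def decide(self, req: Request):
        """Return (action, line): the 1-based http_access line that decided,
        or 0 when the default applied."""
        last = None
        for i, (action, names) in enumerate(self.rules, 1):
            last = action
            # ACLs on one line are ANDed; the first line that matches in full
            # ends processing and its action is taken.
            if all(self.acl_matches(n, req) for n in names):
                return action, i
        # Documented default: the opposite of the last line's action.
        if last is None:
            return "deny", 0
        return ("deny" if last == "allow" else "allow"), 0


def parse(conf: str, files: dict) -> Policy:
    """Parse the squid.conf subset used here. `files` maps the quoted file
    names to their contents so nothing is read from disk."""
    pol = Policy()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            values = []
            for a in args:
                if a.startswith('"') and a.endswith('"'):
                    body = files[a.strip('"')]
                    values += [l.strip() for l in body.splitlines()
                               if l.strip() and not l.lstrip().startswith("#")]
                else:
                    values.append(a)
            pol.acls.setdefault(name, (kind, []))[1].extend(values)  # repeated acl lines accumulate
        elif parts[0] == "http_access":
            pol.rules.append((parts[1], parts[2:]))
    return pol


# Constructed stand-in for /etc/squid/url.txt: one regex pattern per line.
FILES = {"/etc/squid/url.txt": r"""
^https?://intranet\.example\.com/
^https?://payroll\.example\.com/
"""}

ACLS = """
acl localnet src 192.0.2.0/24
acl set_of_ips src 192.0.2.1 192.0.2.45 192.0.2.156
acl set_of_urls url_regex "/etc/squid/url.txt"
"""
NEW_LINES = """
http_access allow set_of_ips set_of_urls
http_access deny set_of_urls
"""
# Variant 1: the new lines are placed *before* the pre-existing allow.
EARLY = ACLS + NEW_LINES + "http_access allow localnet\nhttp_access deny all\n"
# Variant 2: the new lines are appended *after* it, as is often done.
LATE = ACLS + "http_access allow localnet\n" + NEW_LINES + "http_access deny all\n"

REQUESTS = {
    "insider":        Request("192.0.2.45",   "http://intranet.example.com/reports"),
    "other_localnet": Request("192.0.2.200",  "http://intranet.example.com/reports"),
    "outsider":       Request("198.51.100.7", "http://intranet.example.com/reports"),
    "localnet_web":   Request("192.0.2.200",  "http://www.example.net/"),
}


def decisions(conf: str) -> dict:
    pol = parse(conf, FILES)
    return {k: pol.decide(r) for k, r in REQUESTS.items()}


if __name__ == "__main__":
    for label, conf in (("new lines first", EARLY), ("new lines after 'allow localnet'", LATE)):
        print(label)
        for k, (action, line) in decisions(conf).items():
            print(f"  {k:15s} -> {action:5s} (http_access line {line})")
```

With the new lines first, only 192.0.2.45 reaches the intranet URL and the rest of localnet is denied on line 2; with the new lines appended after "http_access allow localnet", every localnet client is allowed on line 1 and the restriction is never evaluated for them. Two caveats the model does not cover: for HTTPS carried over CONNECT, the URL Squid tests is just host:port, so patterns anchored on "^https://" never match there; and real configs contain other ACL types that this toy parser rejects.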