Squid - ACLs - ACL Example Usage

Allowed Subnets

Add the default 192.168.1.0/24 and any other LAN subnets, such as an IoT subnet of 192.168.70.0/24 and a Guest subnet of 172.16.0.0/24.

Add any other IP that is allowed to use the proxy, for example, 100.1.2.3.

The teachers group always has access to the Internet. The students group only has access Monday to Friday during lunch time:

acl AllowedHosts src 192.168.1.0/24
acl AllowedHosts src 192.168.70.0/24
acl AllowedHosts src 172.16.0.0/24

acl AllowedHosts src 100.1.2.3

acl teachers src 192.168.10.0/255.255.255.0 
acl students src 192.168.20.0-192.168.30.0/255.255.255.0 
acl lunch time MTWHF 12:00-13:00

#[ black-list and white-list rules will go in here in the next step ]

http_access deny localhost
http_access allow teachers
http_access allow students lunch

http_access allow AllowedHosts
http_access deny all

AllowedHosts is just the name given to this ACL; any name will do, but the same name must be used wherever it is referenced later. Note that repeating an acl line under one name extends that ACL rather than replacing it: the four src lines above make up a single AllowedHosts ACL that matches any of them.


Black List Proxy vs Whitelist Proxy

Decide which approach you want to follow, then add the additional ACL entries:

  • A black-listing proxy blocks listed (offensive) web sites and lets everything else through. See the black-list example.
  • A white-listing proxy only allows approved sites. A white-list has the benefit of blocking virtually everything that is not known to be “good”, but takes longer to configure and maintain. See the white-list example.

Blacklist Proxy Example

Place the list files in a location of your choosing (e.g., /etc/squid/), define an ACL for each, then apply them with http_access rules along the following lines. For dstdomain lists, put one domain per line; a leading dot (.example.com) matches the domain and all its subdomains, while a bare name matches only that exact host. Two things to keep in mind: http_access lines are evaluated top to bottom and the first match decides, so an allow line that carries no src ACL admits any client that can reach the proxy, which is why the client check http_access deny !AllowedHosts belongs at the very top; and a rule that names an ACL not defined above it stops Squid from starting, so run squid -k parse after each change.

#______[ Black List ]_____________________________________________________

acl advdom      dstdomain       "/etc/squid/ad.domains"
acl adv0exp     url_regex -i    "/etc/squid/ad0.exp"
acl adv1exp     url_regex -i    "/etc/squid/ad1.exp"

acl baddom      dstdomain       "/etc/squid/bad.domains"
acl baddom      dstdomain       "/etc/squid/proxy.domains"
acl badexp      url_regex -i    "/etc/squid/bad.exp"

acl violentdom  dstdomain       "/etc/ffilter/violent.domains"
acl hardblock   url_regex -i    "/etc/squid/hardblock.exp"
acl drugdomains dstdomain       "/etc/ffilter/drug.domains"
acl gambledom   dstdomain       "/etc/ffilter/gambling.domains"
acl offensive   dstdomain       "/etc/ffilter/offensive.domains"
acl offendexp   url_regex -i    "/etc/ffilter/offensive.exp"
acl deceptive   dstdomain       "/etc/ffilter/deceptive.domains"
acl illegal     dstdomain       "/etc/ffilter/illegal.domains"

# If you have children who have their own computers and for whom
# you want extra protection, then try this idea:

acl children    src             "/etc/ffilter/kids.IPs"
acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
#
# On week-days the kids need to stop using the Internet at 10pm,
# but on Friday and Saturday we let them go until midnight.
# Day letters: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat; a time line
# without letters applies every day, and several lines under one ACL
# name are ORed together.
#
acl curfew time SMTWH   22:00-23:59
acl curfew time 00:00-07:00

#______[ White List ]_____________________________________________________

acl safedom     dstdomain       "/etc/ffilter/safe.domains"
acl safeexp     url_regex -i    "/etc/ffilter/safe.exp"
acl christdom   dstdomain       "/etc/ffilter/christian.domains"
acl christexp   url_regex -i    "/etc/ffilter/christian.exp"
acl schooldom   dstdomain       "/etc/ffilter/school.domains"
acl employdom   dstdomain       "/etc/ffilter/employ.domains"


#______[ Rules ]__________________________________________________________

# The client check comes first: anything not from AllowedHosts is refused
# before any of the destination-based allow lines below can let it through.
#
http_access deny !AllowedHosts

# 0. 'hardblock' regex matches
#
http_access deny hardblock

# 1. Children's curfew: during curfew hours the children may reach only the
#    curfew_ok domains (which still pass through the black-list rules below);
#    outside curfew hours this line does not match and the normal rules apply.
#
http_access deny children curfew !curfewOK
#http_access deny children gamedom

# 2. Block the stage zero regexes before the safe regex holes; this allows
#    certain parts of a site to be blocked while the safe.exp match (for
#    example) lets through the rest.  For example, we might have a "safe
#    site" that has ads we want to block.
#
http_access deny adv0exp
#http_access deny bad0exp   (no bad0exp ACL is defined above; badexp is applied in stage 5)
http_access deny offendexp

# Let through safe domains, but not regex
#
http_access allow christdom
http_access allow safedom
http_access allow schooldom
http_access allow employdom

# 3. Block bad domains, but not regex
#       Thus, the domain files should only contain domains which are TOTALLY bad.
#   If a domain is only mostly bad, it should go in the regex file instead so
#   that white-list rules can be applied.
#       Put another way, any domain in a domain blacklist NEVER gets through, even if
#   a white-list contains a regex pattern match.
#
http_access deny baddom
#http_access deny violentIPs   (no violentIPs ACL is defined above)
http_access deny violentdom
http_access deny drugdomains
http_access deny gambledom
http_access deny deceptive
http_access deny offensive
http_access deny illegal
#http_access deny p2p          (no p2p ACL is defined above)

# Ads and spam are last because I'd first want to tell people if the domain
#   were bad for some other reason, and only as a last resort block it merely
#   because it was spam.
#
http_access deny advdom
#http_access deny spamdom      (no spamdom ACL is defined above)

# 4. Let through safe regex
#
http_access allow christexp
http_access allow safeexp

# 5. Block bad regex
#
http_access deny badexp
#http_access deny violentexp   (no *exp ACLs for the following categories are defined above)
#http_access deny drugexp
#http_access deny gambleexp
#http_access deny deceptexp

# Ads and spam expressions are the last to be blocked.
#
http_access deny adv1exp

# 6. Everything else is permitted for those hosts that are allowed.
#  
http_access allow AllowedHosts
http_access deny all

Whitelist Proxy Example

As above, place the list files where you choose, define an ACL for each, then apply them. The difference is at the end of the rules: a white-list never falls through to a general allow for AllowedHosts, so anything not explicitly allowed is denied. The client check http_access deny !AllowedHosts still goes first; without it the allow lines for safe domains would serve any client on the Internet, because they carry no src ACL.

#______[ Black List ]_____________________________________________________

acl advIPs      dst             "/etc/squid/ad.IPs"
acl advdom      dstdomain       "/etc/squid/ad.domains"
acl adv0exp     url_regex -i    "/etc/squid/ad0.exp"

acl baddom      dstdomain       "/etc/squid/bad.domains"
acl baddom      dstdomain       "/etc/squid/proxy.domains"
acl bad0exp     url_regex -i    "/etc/squid/bad.exp"

acl violentdom  dstdomain       "/etc/ffilter/violent.domains"
acl hardblock   url_regex -i    "/etc/squid/hardblock.exp"
acl drugdomains dstdomain       "/etc/ffilter/drug.domains"
acl gambledom   dstdomain       "/etc/ffilter/gambling.domains"
acl offensive   dstdomain       "/etc/ffilter/offensive.domains"
acl deceptive   dstdomain       "/etc/ffilter/deceptive.domains"
acl illegal     dstdomain       "/etc/ffilter/illegal.domains"

# If you have children who have their own computers and for whom
# you want extra protection, then try this idea:

acl children    src             "/etc/ffilter/kids.IPs"
acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
#
# On week-days the kids need to stop using the Internet at 10pm,
# but on Friday and Saturday we let them go until midnight.
# Day letters: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat; a time line
# without letters applies every day, and several lines under one ACL
# name are ORed together.
#
acl curfew time SMTWH   22:00-23:59
acl curfew time 00:00-07:00

#______[ White List ]_____________________________________________________

acl safedom     dstdomain       "/etc/ffilter/safe.domains"
acl safeexp     url_regex -i    "/etc/ffilter/safe.exp"
acl christdom   dstdomain       "/etc/ffilter/christian.domains"
acl christexp   url_regex -i    "/etc/ffilter/christian.exp"
acl schooldom   dstdomain       "/etc/ffilter/school.domains"
acl employdom   dstdomain       "/etc/ffilter/employ.domains"


#______[ Rules ]__________________________________________________________

# The client check comes first: anything not from AllowedHosts is refused
# before any of the destination-based allow lines below can let it through.
#
http_access deny !AllowedHosts

# 0. 'hardblock' regex matches
#
http_access deny hardblock

# 1. Children's curfew: during curfew hours the children may reach only the
#    curfew_ok domains (which still pass through the rules below); outside
#    curfew hours this line does not match and the normal rules apply.
#
http_access deny children curfew !curfewOK
#http_access deny children gamedom

# 2. Block the stage zero regexes before the safe regex holes; this allows
#    certain parts of a site to be blocked while the safe.exp match (for
#    example) lets through the rest.  For example, we might have a "safe
#    site" that has ads we want to block.
#
http_access deny adv0exp
http_access deny bad0exp

# Let through safe domains, but not expressions yet
#
http_access allow christdom
http_access allow safedom
http_access allow schooldom
http_access allow employdom

# 3. Block bad domains (domains which have no desirable content).
#
http_access deny baddom
http_access deny violentdom
http_access deny drugdomains
http_access deny gambledom
http_access deny deceptive
http_access deny offensive
http_access deny illegal
#http_access deny p2p          (no p2p ACL is defined above)

# Ads and spam are last because I'd first want to tell people if the domain
#   were bad for some other reason, and only as a last resort block it merely
#   because it was spam.
#
http_access deny advdom
#http_access deny spamdom      (no spamdom ACL is defined above)

# 4. Let through safe expressions
#
http_access allow christexp
http_access allow safeexp

# 5. Everything else is denied.  Do NOT put 'http_access allow AllowedHosts'
#    here or you will defeat the white-list: the client restriction belongs
#    at the top of the rules as 'http_access deny !AllowedHosts'.
#
http_access deny all
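The ordering rules that the Allowed Subnets section and both examples above rely on (the first matching http_access line decides, the client check belongs before any destination-based allow, every ACL a rule names must already be defined) can be checked without a running Squid. The following script is an added example and not Squid's own code: it is a deliberately small Python model of Squid's evaluation that covers only the acl types used on this page (src, dstdomain, url_regex, time). Its config fragments, addresses, domain names and the Wednesday-lunchtime clock are constructed for illustration, and dstdomain values are given inline instead of in /etc/... files. It shows the open-proxy hole left by an allow line without a src ACL placed ahead of the client check, and that http_access deny !AllowedHosts at the top closes it.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Covers only the acl types this page uses: src, dstdomain, url_regex, time.
Semantics follow Squid's: the first http_access line whose ACLs all match
decides; if no line matches, the opposite of the last line applies; naming an
ACL that is not yet defined is fatal (Squid refuses to start).  dstdomain
values are inline here instead of "/etc/..." files and the src range form
a.b.c.d-e.f.g.h is not modelled.  All configs and requests are constructed.
"""
import ipaddress
import re
from datetime import datetime

DAY_LETTERS = "MTWHFAS"   # Squid day codes in datetime.weekday() order (A=Sat, S=Sun)


class ConfigError(Exception):
    """What real Squid would report as FATAL at startup."""


def parse(conf):
    """Return (acls, rules): acls = name -> (type, values); rules = [(action, [(negated, name)])]."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments (no '#' inside regexes here)
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, typ, values = parts[1], parts[2], parts[3:]
            if typ == "url_regex" and values[:1] == ["-i"]:
                values = ["(?i)" + v for v in values[1:]]
            if typ == "time":                   # keep "[DAYS] h1:m1-h2:m2" as one value
                values = [" ".join(values)]
            entry = acls.setdefault(name, (typ, []))   # repeated names extend one ACL
            if entry[0] != typ:
                raise ConfigError(f"acl {name}: {typ} conflicts with earlier {entry[0]}")
            entry[1].extend(values)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            for _, name in terms:
                if name != "all" and name not in acls:
                    raise ConfigError(f"http_access references undefined ACL '{name}'")
            rules.append((parts[1], terms))
    return acls, rules


def matches(acls, name, req):
    """Does ACL `name` match request {src, url, host, now}?"""
    if name == "all":
        return True
    typ, values = acls[name]
    if typ == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if typ == "dstdomain":  # leading dot: the domain and all subdomains; else exact match
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if typ == "url_regex":
        return any(re.search(v, req["url"]) for v in values)
    if typ == "time":       # no day letters means every day; end time inclusive here
        now = req["now"]
        for spec in values:
            fields = spec.split()
            days = fields[0] if len(fields) == 2 else DAY_LETTERS
            start, end = (tuple(int(x) for x in t.split(":")) for t in fields[-1].split("-"))
            if DAY_LETTERS[now.weekday()] in days and start <= (now.hour, now.minute) <= end:
                return True
        return False
    raise ConfigError(f"acl type {typ} not modelled")


def http_access(conf, req):
    """Return 'allow' or 'deny' for req under conf (first match wins)."""
    acls, rules = parse(conf)
    last = "deny"
    for action, terms in rules:
        last = action
        if all(matches(acls, name, req) != negated for negated, name in terms):
            return action
    return "deny" if last == "allow" else "allow"   # Squid: opposite of the last line


def request(src, url, day=15, hour=12, minute=30):
    """Constructed request; the default clock is Wednesday 2020-07-15 12:30 (lunch time)."""
    host = re.match(r"^\w+://([^/:]+)", url).group(1)
    return {"src": src, "url": url, "host": host, "now": datetime(2020, 7, day, hour, minute)}


# Constructed config in this page's rule order.  'allow safedom' carries no src
# ACL and sits before the AllowedHosts check, so any client on the Internet
# can use the proxy to reach those domains.
LEAKY_CONF = """
acl AllowedHosts src 192.168.1.0/24
acl AllowedHosts src 100.1.2.3
acl lunch   time MTWHF 12:00-13:00
acl safedom dstdomain .safe.example
acl adv0exp url_regex -i ^http://[^/]*/ads/
http_access deny adv0exp
http_access allow safedom
http_access allow AllowedHosts lunch
http_access deny all
"""
# The fix: refuse foreign clients before any destination-based allow runs.
FIXED_CONF = LEAKY_CONF.replace("http_access deny adv0exp",
                                "http_access deny !AllowedHosts\nhttp_access deny adv0exp")

if __name__ == "__main__":
    outsider = request("203.0.113.9", "http://www.safe.example/")
    print("outsider, leaky rules:", http_access(LEAKY_CONF, outsider))   # allow
    print("outsider, fixed rules:", http_access(FIXED_CONF, outsider))   # deny
    print("LAN, news at 15:00   :", http_access(FIXED_CONF, request("192.168.1.20", "http://news.example/", hour=15)))
```

Run it as a script to see the outsider admitted by the leaky order and refused by the fixed one; feeding it a fragment such as `http_access deny spamdom` with no matching acl line raises ConfigError, which is the same failure real Squid reports at startup and the reason to run squid -k parse after editing.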

Children's curfew

Add the following to the same Allowed Subnets box as the ACLs above. Keep the acl definitions with the others and put the RULES part at the bottom with the other http_access lines, remembering that http_access rules are processed top to bottom and the first matching line decides: the curfew rule must come before any allow line that the children's traffic would otherwise match.

# If you have children who have their own computers and for whom
# you want extra protection, then try this idea:
#
acl children    src             "/etc/ffilter/kids.IPs"
acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
#
# On week-days the kids need to stop using the Internet at 10pm,
# but on Friday and Saturday we let them go until midnight.
# Day letters: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat; a time line
# without letters applies every day, and several lines under one ACL
# name are ORed together.
#
acl curfew time SMTWH   22:00-23:59
acl curfew time 00:00-07:00


# RULES:
#
# Children's curfew: during curfew hours the children may reach only the
# curfew_ok domains; everything else they request is denied.  Outside
# curfew hours this line does not match and the normal rules apply.
#
http_access deny children curfew !curfewOK
#http_access deny children gamedom

url_rewrite_program PATH

  • With this option, specify a URL rewriter (redirector) helper. Squid starts the program, writes one request line per URL to its standard input and expects exactly one reply line per request on its standard output.
  • Squid does not run script helpers (.bat, .cmd, .vbs, .pl, etc.) through an interpreter by itself; on Windows in particular the interpreter path must always be given first in squid.conf, for example:
    url_rewrite_program c:/perl/bin/perl.exe c:/squid/libexec/redir.pl

The rewriter script that is called would then be something like this. It uses the old-style helper protocol: reply with the new URL, prefixed with 301: for a redirect, or with an empty line to leave the URL unchanged:

#!/usr/bin/env perl
# Squid url_rewrite_program helper: any request not on www.hostname.com is
# answered with a 301 redirect to the same path on www.hostname.com.
use strict;
use warnings;

$| = 1;   # unbuffered: Squid blocks until it gets one reply line per request

while (my $line = <STDIN>) {
    chomp $line;
    # Request line from Squid: URL client_ip/fqdn ident method [...]
    my ($url) = $line =~ /^(\S+)/;
    if (defined $url && $url =~ m{^https?://} && $url !~ m{^http://www\.hostname\.com/}) {
        (my $new = $url) =~ s{^https?://[^/]+/?}{http://www.hostname.com/};
        print "301:$new\n";     # old-style redirect reply
    } else {
        print "\n";             # empty reply: leave the URL unchanged
    }
}

If the helper exits with an abnormal program termination and cache.log shows something like this:

2012/03/23 19:26:12| helperOpenServers: Starting 5 'c:\squid\php\redirect.pl' processes
2012/03/23 19:26:12| ipcCreate: CHILD: c:\squid\php\redirect.pl: (8) Exec format error
2012/03/23 19:26:12| ipcCreate: PARENT: OK read test failed
2012/03/23 19:26:13| --> read returned 4

then Squid tried to execute the script file itself: error 8 (“Exec format error”) means the file is not a runnable binary. Put the interpreter first in url_rewrite_program as shown above, and do not place quotes around the path.
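The same redirector written against the current (Squid 3.4 and later) helper protocol, as an added example that is neither the page's Perl script nor part of Squid. It keeps the page's policy and placeholder host www.hostname.com, echoes back the channel-ID that Squid prepends when url_rewrite_children is configured with concurrency=N, answers with the documented OK status=301 url="..." form for redirects and ERR for “leave it alone”, and, because a helper that dies takes Squid down with it (the cache.log failure above), turns malformed input into ERR rather than an exception. REDIRECT_BASE is an assumption for the example.

```python
"""Squid url_rewrite_program helper in Python (added example; not the page's Perl
script and not part of Squid).  Same policy as the page's redirector: a request
not already on www.hostname.com is answered with a 301 to the same path there.
It speaks the Squid 3.4+ helper protocol: exactly one reply line per request
line; a leading channel-ID (present when url_rewrite_children ... concurrency=N
is set) is echoed back; 'OK status=301 url="..."' redirects; 'ERR' means leave
the URL alone.  Malformed input gets ERR instead of a crash, since a helper that
exits takes Squid down with it.  REDIRECT_BASE is an assumption for the example.
"""
import sys
from urllib.parse import quote, urlsplit

OUR_HOST = "www.hostname.com"               # the page's placeholder host
REDIRECT_BASE = "http://www.hostname.com"   # assumed: where foreign requests are sent


def handle_line(line):
    """Turn one request line from Squid into one reply line (no trailing newline).

    Request format: [channel-ID] URL client_ip/fqdn ident method [kv-pairs]
    """
    tokens = line.strip().split()
    channel = ""
    if tokens and tokens[0].isdigit():      # a URL always has a scheme, so a bare
        channel = tokens.pop(0) + " "       # integer first token is the channel-ID
    if not tokens:
        return channel + "ERR"              # nothing to rewrite
    parts = urlsplit(tokens[0])
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return channel + "ERR"              # e.g. CONNECT host:port; leave untouched
    if parts.hostname == OUR_HOST:          # urlsplit lower-cases the host
        return channel + "ERR"              # already on our site
    target = REDIRECT_BASE + (parts.path or "/")
    if parts.query:
        target += "?" + parts.query
    # quote() keeps the value free of spaces and quotes, which would otherwise
    # break the space-separated, double-quoted kv-pair on the reply line.
    return channel + 'OK status=301 url="%s"' % quote(target, safe=":/?&=%")


def main():
    """Serve Squid over stdin/stdout until it closes the pipe."""
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()                  # Squid waits for each reply: never buffer


if __name__ == "__main__":
    main()
```

Configure it as url_rewrite_program /usr/bin/python3 /path/to/redirector.py (interpreter first, as the page says); you can exercise it by hand by piping a request line such as `http://example.org/a 192.0.2.5/- - GET` into it and checking that exactly one line comes back.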


auth_param basic program PATH

  • If users must authenticate to the proxy, set a corresponding helper program, such as /usr/sbin/pam_auth. The browser then prompts for a user name and password, which the helper checks (here against PAM). In addition, you need an ACL so that only clients with a valid login can use the Internet:
    acl password proxy_auth REQUIRED

    http_access allow password
    http_access deny all
  • In the acl proxy_auth option, using REQUIRED means that any successfully authenticated user name is accepted. REQUIRED can also be replaced with a list of permitted user names. Basic authentication sends the credentials base64-encoded, not encrypted, with every request, so use it only where the path between client and proxy is trusted.

ident_lookup_access allow ACL_NAME

  • With this option, an ident request is made to find the identity of each user for all clients defined by an ACL of type src. To do this for all clients, use the predefined ACL all as ACL_NAME.
  • All clients covered by ident_lookup_access must run an ident daemon. On Linux, you can use pidentd (package pidentd) as the ident daemon. For other operating systems, free software is usually available. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL:
    acl identhosts ident REQUIRED

    http_access allow identhosts
    http_access deny all
  • In the acl identhosts ident option, using REQUIRED means that any user name returned by the client's ident daemon is accepted. REQUIRED can also be replaced with a list of permitted user names.
  • Using ident can slow down access time, because ident lookups are repeated for each request. Ident is also not authentication: the answer comes from a daemon on the client machine itself, so anyone who controls that machine can return whatever user name they like. Treat it as a logging aid, not as an access control.

squid/acls/acl_example_usage.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1