[plug] Transparent proxy ACL with squid
Steve Baker
steve at iinet.net.au
Thu May 11 16:43:21 WST 2006
We block access to webmail between 8:30 and 16:30, using the following:
acl worktime time M T W H F 8:30-16:30
acl webmail dstdomain "/etc/squid/webmail.hosts"
...
http_access deny webmail worktime
To deny access to these hosts all the time, leave out the 'worktime' acl
line and the reference on the http_access line.
The webmail.hosts file contains a list of domains such as...
.gmail.com
.gmail.google.com
.hotmail.com
.hotmail.msn.com
.incredimail.com
.mail2web.com
etc...
I haven't tried any url_regex blocking, but the concept would be the
same. I assume you have a 'http_access allow local_lan' or similar line
in there, that would come AFTER the http_access lines that deny access
to unsavoury sites and before the "deny all" one. Remember that as
soon as a http_access rule is matched, squid stops checking further rules.
Hopefully this gives you some clues.
Regards,
Steve
Kai Jones wrote:
>Hi everyone,
>
>I've talked the boss into letting me install a Linux boxen among the
>windows servers we have here, proxy/firewall is the first thing so I can
>get some better security happening on the network.
>
>Right now I'm working on my first bash at configurating a proxy server,
>the server (Compaq Proliant 800) with Fedora Core 5 (2.6.15-1.2054_FC5)
>and Squid 2.5 (squid-2.5.STABLE12-5.1), trying to get the ACL's working
>properly but so far not having much luck. Reading through
>http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.4 is going ok but
>I'm looking for a way I can reference text files in /etc/squid, one file
>for domain blocking and the other for keyword blocking.
>
>I've set my browser to go through the proxy and that works fine but the
>ACL's aren't working.
>
>So far I have:
>
>acl urlBlock dstdomain urlBlock.txt
>acl keywordBlock url_regex keywordBlock.txt
>http_access deny urlBlock
>http_access deny keywordBlock
>http_access deny all
>
>urlBlock.txt and keywordBlock.txt are stored in /etc/squid as is
>squid.conf
>
>I've also tried
>
>acl ebay dstdomain www.ebay.com.au
>acl ebay2 dstdomain www.ebay.com
>acl ebay1 url_regex ebay
>http_access deny ebay
>http_access deny ebay1
>http_access deny ebay2
>http_access deny all
>
>Any ideas are appreciated
>
>Thanks
>Kai
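The rule ordering described in the reply, as an added example that is not part of the original thread: a simplified Python model of how Squid walks http_access lines (ACLs on one line are ANDed, the first matching line decides). The LAN range, client addresses and the request() helper are assumptions made for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Domains taken from the webmail.hosts list in the post.
WEBMAIL = [".gmail.com", ".hotmail.com", ".mail2web.com"]
LOCAL_LAN = ip_network("192.168.1.0/24")  # assumed LAN range, not from the post

def dstdomain(entries):
    """Build a matcher: a leading dot covers the domain and all its subdomains."""
    def match(req):
        host = req["host"].lower()
        return any(host == e[1:] or host.endswith(e) if e.startswith(".")
                   else host == e for e in entries)
    return match

def worktime(req):
    """Model of: acl worktime time M T W H F 8:30-16:30 (Mon-Fri)."""
    t = req["when"]
    return t.weekday() < 5 and (8, 30) <= (t.hour, t.minute) <= (16, 30)

ACLS = {
    "webmail": dstdomain(WEBMAIL),
    "worktime": worktime,
    "local_lan": lambda req: ip_address(req["src"]) in LOCAL_LAN,
    "all": lambda req: True,
}

# Ordered as the reply advises: denies first, then the LAN allow, then "deny all".
RULES = [
    ("deny", ["webmail", "worktime"]),
    ("allow", ["local_lan"]),
    ("deny", ["all"]),
]

def http_access(req, rules=RULES):
    """Return 'allow' or 'deny' for a request; the first matching line wins."""
    for action, names in rules:
        if all(ACLS[n](req) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

def request(host, when, src="192.168.1.10"):
    """Constructed sample request (hypothetical helper, not a Squid structure)."""
    return {"host": host, "when": when, "src": src}
```

Passing a reordered rule list as the second argument to http_access() shows how an allow line placed above the webmail deny lets the request through.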