[plug] Transparent proxy ACL with squid

Kai Jones Kaij at kamsc.org.au
Fri May 12 15:16:40 WST 2006


Hi Steve,

Thanks for the info.
I had two things wrong, I wasn't using ""'s around my file pathnames and
I had my config two lines too far down in squid.conf so when they were
being parsed the script was prolly going "wtf ?!", moved them two lines
up and it's all good.

I'll play around with the day/time exceptions later on but now to get
the transparent aspect of it working so when it comes time to integrate
it into the network the users don't notice the difference...except when
they ring up to whinge about not having access to their favourite gossip
page.

Cheers
Kai

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
Behalf Of Steve Baker
Sent: Thursday, 11 May 2006 4:43 PM
To: plug at plug.org.au
Subject: Re: [plug] Transparent proxy ACL with squid



We block access to webmail between 8:30 and 16:30, using the following:

acl worktime time M T W H F 8:30-16:30
acl webmail dstdomain "/etc/squid/webmail.hosts"
...
http_access deny  webmail worktime

To deny access to these hosts all the time, leave out the 'worktime' acl
line and the reference on the http_access line.

The webmail.hosts file contains a list of domains such as...
.gmail.com
.gmail.google.com
.hotmail.com
.hotmail.msn.com
.incredimail.com
.mail2web.com
etc...

I haven't tried any url_regex blocking, but the concept would be the
same.  I assume you have a 'http_access allow local_lan' or similar line
in there, that would come AFTER the http_access lines that deny access
to unsavoury sites and before the "deny all" one.  Remember that as
soon as a http_access rule is matched, squid stops checking further
rules.

Hopefully this gives you some clues.

Regards,
Steve

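The rule ordering Steve describes (first matching http_access line wins, every ACL on a line must match, the allow for the LAN sits after the deny lines and before "deny all") is easier to see by running it. The evaluator below is an added example written for this page, not code from Steve, Kai or the Squid project. It re-implements Squid's documented ACL behaviour in Python: a double-quoted ACL argument names a file of patterns (the quoting Kai found he was missing), a dstdomain entry with a leading dot matches the domain and all its subdomains while one without the dot matches that host only, url_regex matches anywhere in the URL, the time ACL uses Squid's day letters S M T W H F A, and if no http_access line matches the default is the opposite of the last line. The squid.conf fragment, the contents of /etc/squid/webmail.hosts and /etc/squid/keywordBlock.txt, and the client addresses are all constructed for the example; the file contents are held in a dict so it runs offline.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed stand-ins for the list files a double-quoted ACL path would load from disk.
FILES = {
    "/etc/squid/webmail.hosts": ".gmail.com\n.hotmail.com\n.mail2web.com\n",
    "/etc/squid/keywordBlock.txt": "ebay\ngossip\n",
}

# Squid day letters S M T W H F A mapped onto Python's weekday() (Monday = 0).
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

# Constructed squid.conf fragment in the shape of Steve's example, with the
# 'allow local_lan' and 'deny all' lines placed where he says they belong.
CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl local_lan src 192.168.1.0/255.255.255.0
acl worktime time M T W H F 8:30-16:30
acl webmail dstdomain "/etc/squid/webmail.hosts"
acl keywordBlock url_regex "/etc/squid/keywordBlock.txt"
http_access deny webmail worktime
http_access deny keywordBlock
http_access allow local_lan
http_access deny all
"""

def load_values(tokens):
    """A double-quoted token names a file of patterns (one per line); bare tokens are used as-is."""
    out = []
    for t in tokens:
        if t.startswith('"') and t.endswith('"'):
            lines = FILES[t[1:-1]].splitlines()
            out += [l.strip() for l in lines if l.strip() and not l.startswith("#")]
        else:
            out.append(t)
    return out

def parse_time(args):
    """'M T W H F 8:30-16:30' -> (weekday set, start minute, end minute); no day letters means every day."""
    days, start, end = set(), 0, 24 * 60
    for a in args:
        if "-" in a:
            s, e = a.split("-")
            start, end = (int(h) * 60 + int(m) for h, m in (s.split(":"), e.split(":")))
        else:
            days.update(DAY_CODES[c] for c in a)
    return days or set(range(7)), start, end

def parse_config(text):
    """Collect 'acl' definitions by name and 'http_access' lines in file order; '#' starts a comment."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == "time":
                acls[name] = (kind, parse_time(args))
            elif kind == "src":
                acls[name] = (kind, [ipaddress.ip_network(v, strict=False) for v in load_values(args)])
            else:  # dstdomain, url_regex
                acls[name] = (kind, load_values(args))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def match_acl(acl, req):
    kind, values = acl
    if kind == "dstdomain":
        host = req["host"]
        for d in values:
            d = d.lower()
            # Leading dot: the domain itself and every subdomain. No dot: that exact host only.
            if d.startswith("."):
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False
    if kind == "url_regex":
        return any(re.search(p, req["url"]) for p in values)
    if kind == "src":
        return any(req["src"] in net for net in values)
    if kind == "time":
        days, start, end = values
        minute = req["when"].hour * 60 + req["when"].minute
        return req["when"].weekday() in days and start <= minute <= end  # endpoints treated as inclusive here
    raise ValueError("unsupported acl type " + kind)

def http_access(acls, rules, req):
    """The first http_access line whose ACLs all match (ANDed; a leading '!' negates) decides.
    If no line matches, the default is the opposite of the last line's action."""
    for action, names in rules:
        if all(match_acl(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

def decide(src, url, when, config=CONFIG):
    """Return 'allow' or 'deny' for a client address, URL and time ('YYYY-MM-DD HH:MM' or datetime)."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d %H:%M")
    acls, rules = parse_config(config)
    req = {"src": ipaddress.ip_address(src), "url": url,
           "host": urlsplit(url).hostname.lower(), "when": when}
    return http_access(acls, rules, req)

if __name__ == "__main__":
    # 2006-05-10 is a Wednesday, 2006-05-13 a Saturday (constructed sample requests).
    for src, url, when in [("192.168.1.20", "http://mail.gmail.com/", "2006-05-10 10:00"),
                           ("192.168.1.20", "http://mail.gmail.com/", "2006-05-10 18:00"),
                           ("192.168.1.20", "http://mail.gmail.com/", "2006-05-13 10:00"),
                           ("192.168.1.20", "http://www.ebay.com.au/", "2006-05-10 18:00"),
                           ("10.0.0.5", "http://www.example.com/", "2006-05-10 18:00")]:
        print(decide(src, url, when), src, url, when)
```

Swapping the 'allow local_lan' line above the two deny lines and re-running shows why Steve insists on the order: every LAN request then matches the allow first and the webmail and keyword rules are never consulted.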

Kai Jones wrote:

>Hi everyone,
>
>I've talked the boss into letting me install a Linux boxen among the
>windows servers we have here, proxy/firewall is the first thing so I can
>get some better security happening on the network.
>
>Right now I'm working on my first bash at configuring a proxy server,
>the server (Compaq Proliant 800) with Fedora Core 5 (2.6.15-1.2054_FC5)
>and Squid 2.5 (squid-2.5.STABLE12-5.1), trying to get the ACLs working
>properly but so far not having much luck. Reading through
>http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.4 is going ok but
>I'm looking for a way I can reference text files in /etc/squid, one file
>for domain blocking and the other for keyword blocking.
>
>I've set my browser to go through the proxy and that works fine but the
>ACL's aren't working.
>
>So far I have:
>
>acl urlBlock dstdomain urlBlock.txt
>acl keywordBlock url_regex keywordBlock.txt
>http_access deny urlBlock
>http_access deny keywordBlock
>http_access deny all
>
>urlBlock.txt and keywordBlock.txt are stored in /etc/squid as is
>squid.conf
>
>I've also tried
>
>acl ebay dstdomain www.ebay.com.au
>acl ebay2 dstdomain www.ebay.com
>acl ebay1 url_regex ebay
>http_access deny ebay
>http_access deny ebay1
>http_access deny ebay2
>http_access deny all
>
>Any ideas are appreciated
>
>Thanks
>Kai
