[sclug] URL filtering by group of IP Address

Navneet Choudhary navneetkc at gmail.com
Wed Jun 1 07:30:09 UTC 2005


Hi folks,

I am using Squid version 2.5.STABLE4-20040212 on redhat linux 9.

My current ACL rules are at the end of this mail (with line numbers):

What I am trying?

I am trying to block access to some sites (i.e. porn, jobs etc) by IP
Address group.

For url filtering i am using regular expression matching acl.

eg. acl porn url_regex -i "/usr/local/squidGuard/porn"  [Line no. 9]

Here /usr/local/squidGuard/porn file contains single line key worlds.

At line no 34 http_access is being denied for any urls listed in porn
file (ex. jobs, sex etc)

http_access allow porn

Now, here is an acl for my entire network [LAN]
acl NetUser src 192.168.0.0/16           [Line No 41]

#Allowing Web browsing from my local LAN IP's only
http_access allow NetUser                [Line No 57]


As per above ACL's all my LAN user can browse Internet via Squid 
& get blocked when tries to access restricted sites (site listed in porn file). 
 
Everything is working fine and as per my requirement.

But, now if i want to form a group of users (by IP Address) by their
access rights
i.e. power user have no restriction at all (URL should be blocked by
porn ACL ?),
Normal users have full restriction (which can time be bound also).

I have tried to give some user un-restricted privilege fro web
browsing (URL shouldn't be blocked by porn ACL.

53 #Un-RE-RESTRICTED INTERNET USERS
54 #acl PWR-NET src 192.168.0.197 192.168.0.54
55 #http_access allow PWR-NET porn


Therefore, please suggest how to create acl's for this type of requirement i.e.
Some other users can access all site without restriction
others can't access restricted sites.

In other word how could i restrict some range of IP's from LAN to not
able to access web
e.g. IP Address from 192.168.0.1 to 192.168.0.100 can access Web
Rest can't able to access web.

After range blocking, url blocking, authentication and other acl
should come under picture after that.


Thanks for your help.

Regards,
navneet

Note: if i missed something or you want any more information please
revert back asap.


1 auth_param basic program /usr/local/squid/libexec/ncsa_auth
/usr/local/squid/etc/password
      2
      3 auth_param basic realm Squid proxy-caching web server
      4 auth_param basic credentialsttl 2 hoursnimum configuration:
      5
      6
      7
      8 #Recommended minimum configuration:
      9 acl porn url_regex -i "/usr/local/squidGuard/porn"
     10 acl all src 0.0.0.0/0.0.0.0
     11 acl manager proto cache_object
     12 acl localhost src 127.0.0.1/255.255.255.255
     13 acl to_localhost dst 127.0.0.0/8
     14 acl SSL_ports port 443 563
     15 acl Safe_ports port 80          # http
     16 acl Safe_ports port 21          # ftp
     17 acl Safe_ports port 443 563     # https, snews
     18 acl Safe_ports port 70          # gopher
     19 acl Safe_ports port 210         # wais
     20 acl Safe_ports port 1025-65535  # unregistered ports
     21 acl Safe_ports port 280         # http-mgmt
     22 acl Safe_ports port 488         # gss-http
     23 acl Safe_ports port 591         # filemaker
     24 acl Safe_ports port 777         # multiling http
     25 acl CONNECT method CONNECT
     26
     27 #AUTHENTION REQUIRED
     28 acl auth proxy_auth REQUIRED
     29
     30
     31 # Only allow cachemgr access from localhost
     32 http_access allow manager localhost
     33 http_access deny manager
     34 http_access deny porn
     35 # Deny requests to unknown ports
     36 http_access deny !Safe_ports
     37 # Deny CONNECT to other than SSL ports
     38 http_access deny CONNECT !SSL_ports
     39
     40
     41 acl NetUser src 192.168.0.0/16
     42 #acl sucker src 192.168.0.139 192.168.0.161 192.168.0.153
     43 acl test src 192.168.0.151   192.168.0.139 192.168.0.161 192.168.0.153
     44 acl data src 192.168.0.242
     45
     46 #denying access by IP Address:
     47 http_access deny test
     48
     49 #Authenticating user by IP Address
     50 http_access allow data auth
     51
     52
     53 #Un-RE-RESTRICTED INTERNET USERS
     54 #acl PWR-NET src 192.168.0.197 192.168.0.54
     55 #http_access allow PWR-NET porn
     56
     57 http_access allow NetUser
     58
     59 # And finally deny all other access to this proxy
     60 http_access deny all
     61
     62 http_reply_access allow all



More information about the Sclug mailing list