[sclug] URL filtering by group of IP Address
Navneet Choudhary
navneetkc at gmail.com
Wed Jun 1 07:30:09 UTC 2005
Hi folks,
I am using Squid version 2.5.STABLE4-20040212 on redhat linux 9.
My current ACL rules are at the end of this mail (with line numbers):
What I am trying?
I am trying to block access to some sites (i.e. porn, jobs etc) by IP
Address group.
For url filtering i am using regular expression matching acl.
eg. acl porn url_regex -i "/usr/local/squidGuard/porn" [Line no. 9]
Here /usr/local/squidGuard/porn file contains single line key worlds.
At line no 34 http_access is being denied for any urls listed in porn
file (ex. jobs, sex etc)
http_access allow porn
Now, here is an acl for my entire network [LAN]
acl NetUser src 192.168.0.0/16 [Line No 41]
#Allowing Web browsing from my local LAN IP's only
http_access allow NetUser [Line No 57]
As per above ACL's all my LAN user can browse Internet via Squid
& get blocked when tries to access restricted sites (site listed in porn file).
Everything is working fine and as per my requirement.
But, now if i want to form a group of users (by IP Address) by their
access rights
i.e. power user have no restriction at all (URL should be blocked by
porn ACL ?),
Normal users have full restriction (which can time be bound also).
I have tried to give some user un-restricted privilege fro web
browsing (URL shouldn't be blocked by porn ACL.
53 #Un-RE-RESTRICTED INTERNET USERS
54 #acl PWR-NET src 192.168.0.197 192.168.0.54
55 #http_access allow PWR-NET porn
Therefore, please suggest how to create acl's for this type of requirement i.e.
Some other users can access all site without restriction
others can't access restricted sites.
In other word how could i restrict some range of IP's from LAN to not
able to access web
e.g. IP Address from 192.168.0.1 to 192.168.0.100 can access Web
Rest can't able to access web.
After range blocking, url blocking, authentication and other acl
should come under picture after that.
Thanks for your help.
Regards,
navneet
Note: if i missed something or you want any more information please
revert back asap.
1 auth_param basic program /usr/local/squid/libexec/ncsa_auth
/usr/local/squid/etc/password
2
3 auth_param basic realm Squid proxy-caching web server
4 auth_param basic credentialsttl 2 hoursnimum configuration:
5
6
7
8 #Recommended minimum configuration:
9 acl porn url_regex -i "/usr/local/squidGuard/porn"
10 acl all src 0.0.0.0/0.0.0.0
11 acl manager proto cache_object
12 acl localhost src 127.0.0.1/255.255.255.255
13 acl to_localhost dst 127.0.0.0/8
14 acl SSL_ports port 443 563
15 acl Safe_ports port 80 # http
16 acl Safe_ports port 21 # ftp
17 acl Safe_ports port 443 563 # https, snews
18 acl Safe_ports port 70 # gopher
19 acl Safe_ports port 210 # wais
20 acl Safe_ports port 1025-65535 # unregistered ports
21 acl Safe_ports port 280 # http-mgmt
22 acl Safe_ports port 488 # gss-http
23 acl Safe_ports port 591 # filemaker
24 acl Safe_ports port 777 # multiling http
25 acl CONNECT method CONNECT
26
27 #AUTHENTION REQUIRED
28 acl auth proxy_auth REQUIRED
29
30
31 # Only allow cachemgr access from localhost
32 http_access allow manager localhost
33 http_access deny manager
34 http_access deny porn
35 # Deny requests to unknown ports
36 http_access deny !Safe_ports
37 # Deny CONNECT to other than SSL ports
38 http_access deny CONNECT !SSL_ports
39
40
41 acl NetUser src 192.168.0.0/16
42 #acl sucker src 192.168.0.139 192.168.0.161 192.168.0.153
43 acl test src 192.168.0.151 192.168.0.139 192.168.0.161 192.168.0.153
44 acl data src 192.168.0.242
45
46 #denying access by IP Address:
47 http_access deny test
48
49 #Authenticating user by IP Address
50 http_access allow data auth
51
52
53 #Un-RE-RESTRICTED INTERNET USERS
54 #acl PWR-NET src 192.168.0.197 192.168.0.54
55 #http_access allow PWR-NET porn
56
57 http_access allow NetUser
58
59 # And finally deny all other access to this proxy
60 http_access deny all
61
62 http_reply_access allow all
More information about the Sclug
mailing list