[sclug] URL filtering by group of IP Address
Navneet Choudhary
navneetkc at gmail.com
Wed Jun 1 10:10:37 UTC 2005
On 6/1/05, Bob Franklin <r.c.franklin at reading.ac.uk> wrote:
> Hello,
>
> I wouldn't post something like that to so many lists in the same email.
> You've probably already had a reply from the Squid list - however, if not,
Well, thanks for being true to your heart.
Still waiting for the Squid list to reply.
Note: I don't post mail to numerous lists in the same mail. This
happened intensely, since I was not able to figure out how to implement
ACLs as per my requirement. Neither did my search yield results, nor did the
mailing list reply with any workable solution.
> here's some help...
>
> The http_access lines are processed in order (from top to bottom):
Yes, I know this. But I'm having problems with my ACL placement.
> http_access <action> <clause1> [<clause2> ...]
>
> When a line is found where all the clauses match (e.g. the client IP
> address part matches, the requested URI matches, etc.), the action is
> taken and the list is stopped; the order is important.
>
> You probably want:
>
> http_access allow PWR-NET # first allow all power users
> http_access deny porn NetUser # now block porn to other users
> http_access allow NetUser # ... allow them to other sites
> http_access deny all # but block anyone else on the internet
You are accurate about your suggestion!
But I think you have missed/forgotten that porn [Line no 34] is denied
before the above http_access rules.
That's why, when I tried the above ACL and restarted Squid, Squid still blocked
every IP address (including the PWR-NET IP).
So, after numerous attempts to place "http_access deny porn",
here are the working rules:
1 acl porn url_regex -i "/usr/local/squidGuard/porn"
2 acl all src 0.0.0.0/0.0.0.0
3 acl manager proto cache_object
4 acl localhost src 127.0.0.1/255.255.255.255
5 acl to_localhost dst 127.0.0.0/8
6 acl SSL_ports port 443 563
7 acl Safe_ports port 80 # http
8 acl Safe_ports port 21 # ftp
9 acl Safe_ports port 443 563 # https, snews
10 acl Safe_ports port 70 # gopher
11 acl Safe_ports port 210 # wais
12 acl Safe_ports port 1025-65535 # unregistered ports
13 acl Safe_ports port 280 # http-mgmt
14 acl Safe_ports port 488 # gss-http
15 acl Safe_ports port 591 # filemaker
16 acl Safe_ports port 777 # multiling http
17 acl CONNECT method CONNECT
18
19 #AUTHENTICATION REQUIRED
20 acl auth proxy_auth REQUIRED
21
22 http_access allow manager localhost
23 http_access deny manager
24 # Deny requests to unknown ports
25 http_access deny !Safe_ports
26 # Deny CONNECT to other than SSL ports
27 http_access deny CONNECT !SSL_ports
28
29 # one who can access services on "localhost" is a local user
30 http_access deny to_localhost
31
32
33 acl NetUser src 192.168.0.0/16
34 #acl sucker src 192.168.0.139 192.168.0.161 192.168.0.153
35 acl test src 192.168.0.151 192.168.0.139 192.168.0.161 192.168.0.153
36 acl data src 192.168.0.242
37 #acl 5CONN maxconn 3
38
39 #UNRESTRICTED INTERNET USERS
40 acl PWR-NET src 192.168.0.197 192.168.0.54
41
42
43 http_access deny test
44 http_access allow data auth
45
46
47
48 http_access allow PWR-NET
49
50 http_access deny porn
51 http_access deny porn NetUser
52
53 http_access deny all
Still, I have lots to learn from you all. Thanks for being there when I
really wanted someone to help me out.
Well, thank you all (who knowingly or unknowingly helped me, since my
stupid mail has cluttered their inboxes, but they didn't flame me).
Regards,
navneet
> You don't need to explicitly state that PWR-NET users are allowed to porn
> because the first line will match them (and allow access); since it
> doesn't state anything about the requested URI, that doesn't matter -
> everything is allowed.
> - Bob
>
>
> --
> Bob Franklin <r.c.franklin at reading.ac.uk> +44 (0)118 378 7147
> Systems and Communications, IT Services, The University of Reading, UK
>
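As an added example (not code from the thread, from Bob, or from Squid itself), here is a small Python simulation of Squid's first-match http_access evaluation using the thread's own ACL names and addresses; it shows why a global "deny porn" placed above the PWR-NET allow blocks the power users too. The porn list and the request URLs are constructed stand-ins.

```python
"""Toy first-match evaluator for Squid http_access rules (added example,
not from the thread or Squid). Models only src, url_regex and all; ignores
proxy_auth, Safe_ports and CONNECT. The porn file is a constructed regex."""
import ipaddress
import re

# Constructed ACL table: name -> (acl type, values), names from the thread.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "NetUser": ("src", ["192.168.0.0/16"]),
    "PWR-NET": ("src", ["192.168.0.197/32", "192.168.0.54/32"]),
    "porn": ("url_regex", [r"porn"]),  # stand-in for /usr/local/squidGuard/porn
}


def acl_matches(name, client_ip, url):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "url_regex":  # Squid's -i flag: case-insensitive
        return any(re.search(v, url, re.IGNORECASE) for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def http_access(rules, client_ip, url):
    """Return 'allow' or 'deny' from the first rule whose clauses all match.

    As in Squid, a request matching no rule gets the opposite of the
    last rule's action, which is why a final 'deny all' is conventional.
    """
    for action, clauses in rules:
        if all(acl_matches(c, client_ip, url) for c in clauses):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


# Bob's suggested order: power users first, then the porn block for the rest.
SUGGESTED = [
    ("allow", ["PWR-NET"]),
    ("deny", ["porn", "NetUser"]),
    ("allow", ["NetUser"]),
    ("deny", ["all"]),
]

# The same lines with a global "deny porn" placed first: it matches before
# the PWR-NET exception is ever reached, so power users are blocked too.
PORN_FIRST = [("deny", ["porn"])] + SUGGESTED
```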