Re: restrict hosts to particular domains

From: Henrik Nordstrom <[email protected]>
Date: Sat, 27 May 2000 12:54:38 +0200

Have you understood the syntax of http_accept?

It is basically

http_accept accept/deny IF a AND b AND c AND d ...
OR
http_access accept/deny IF e AND f AND g AND g ...

So what your http_accept lines are saying are:

1. Allow ANY authenticated users to reach ANY site
[ends here, as users not able to present a valid authentication will be
asked to authenticate again..]

Lets take a hypothetical example:

a) All your users MUST authenticate
b) Users in subnet A can only go to certain sites
c) Users in other local subnets can go anywhere

acl authenticated proxy_auth REQUIRED
acl restricted-net src 192.168.1.0/24
acl our-net src 192.168.0.0-192.168.12.0/24
acl open-sites dst www.example.com demo.example.com
acl open-stations 192.168.0.4 192.168.0.5 192.168.4.38

# Deny access from users outside our networks
http_access deny !our-net
# Access to the open sites are allowed for anyone. No need
# for authentication to access these.
http_access allow open-sites
# Users in the restricted network are not allowed to access anything
http_access deny restricted-net
# Users on the open stations are allowed to access anything without
authentication
http_access allow open-stations
# Any other users in our network must authenticate themselves
http_access allow authenticated

--
Henrik Nordstrom
Squid hacker
Joel Taqueban wrote:
> 
> Henrik,
> 
> I hope you wouldn't mind if I try to brought this problem again.   It
> still have this problem and I tried a number of times playing with the
> ACLs but still I can't restrict some IPs or hosts from accessing  only a
> particular domain.   What is a better way of doing this really?
> 
> Joel
> 
> Henrik Nordstrom wrote:
> 
> > You allow all ldap users access to everything without restrictions.
> >
> > --
> > Henrik Nordstrom
> > Squid hacker
> >
> > Joel Taqueban wrote:
> > >
> > > Thanks for the reply,
> > >
> > > I've tried making changes to the ACLs.   Here is my complete list:
> > >
> > >      acl all src 0.0.0.0/0
> > >      acl ldap proxy_auth REQUIRED
> > >      acl allowedsites dstdomain dhl.com
> > >      acl allowedhosts src 199.40.218.10-15
> > >      acl allowedtime time S M T W H F A 06:00-21:00
> > >
> > >      http_access allow ldap
> > >      http_access allow allowedhosts allowedsites
> > >      http_access allow allowedtime
> > >      http_access deny all
> > >
> > > did squid -k reconfigure but still those IPs could still access
> > > non-DHL sites
> > > And when I look into the cache.log file I can't see any warnings on
> > > missing ACL declarations after re-reading the Squid conf file.   I
> > > even do a "squid --" and it doesn't return me about missing ACLs.
> > >
> > > Anything or anywhere I need to check please?
> > >
> > > Joel
> > >
> > > Henrik Nordstrom wrote:
> > >
> > >      alowe@hislora.com.au wrote:
> > >      >
> > >      > try this modified stuff:
> > >      >
> > >      > > How do I define on my squid.conf file to restrict
> > >      particular IPs to
> > >      > > access only certain domains?
> > >      > >
> > >      > > I've tried doing the ff:
> > >      > >
> > >      > > acl allowedsites dstdomain dhl.com
> > >      > > acl allowedhost src 199.40.218.10-15/255.255.255.0
> > >      > >
> > >      > ># Remove this line--> http_access allow allowedsites
> > >      > > http_access allow allowedhost allowed_sites
> > >      > > http_access deny all
> > >      >
> > >      > the line marked remove is actually allowing the
> > >      allowedsites to access
> > >      > anything, by just putting the second and third line, you
> > >      allow them to the
> > >      > allowed_sites but nowhere else...
> > >
> > >      Not quite.
> > >
> > >      The first line allows everyone access to the host dhl.com.
> > >
> > >      The second line is bungled in two ways:
> > >      a) There is no allowed_sites ACL defined
> > >      b) The allowedsites ACL is wrongly defined if your intention
> > >      is to only
> > >      match those 6 addresses. The netmask masks out the addresses
> > >      and the ACL
> > >      matches the whole class-C subnet. IP host ranges are better
> > >      written
> > >      without any netmask.
> > >
> > >      However, this does not explain the behaviour you are seeing.
> > >
> > >      Is there any other http_access lines before your "deny all"
> > >      line?
> > >      Is there any warnings about missing ACL declarations in
> > >      cache.log when
> > >      Squid is starting up?
> > >      How is the ACL "all" defined? It SHOULD and MUST be defined
> > >      as
> > >      0.0.0.0/0, nothing else.
> > >
> > >      --
> > >      Henrik Nordstrom
> > >      Squid hacker
Received on Sat May 27 2000 - 06:46:14 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:53:34 MST