Re: [SQU] DOUBT - NEEDED HELP URGENTLY

From: Jamie Shields <[email protected]>
Date: Mon, 21 Aug 2000 10:31:51 +0100

> I need to disable internet
> access via squid for the following nodes
>
> 192.168.1.16
> 192.168.1.90
> 192.168.1.91
> 192.168.1.200

Hi,

OK. This is with reference to Henrik's message from last week (a
better way to do acls).

# Add an ACL to your squid.conf file like so (all on one line):

acl DENIED_HOSTS src 192.168.1.16 192.168.1.90 192.168.1.91
192.168.1.200

# The following directive tells squid what to do with that acl (i.e. deny
# all access to anything on the web that goes through the proxy:

http_access deny DENIED_HOSTS

These two lines should be all you need in the squid.conf.

To address Andrew's point: Now you've got to make sure that:

a) your users go through the proxy in the first place, and

b) there is some sort of way to tell your browsers not to use the
squid for local intranet access (I assume they're allowed that) by
using a proxy configuration file.

This is usually kept on a web server and downloaded by the browser
on startup. This assumes that you are *not* using transparent
proxying; if you are, you can probably ignore the rest of this
message.

This is a example of a browser proxy configuration file that would do
this (don't put this is squid.conf):

-- EXAMPLE FILE STARTS --

function FindProxyForURL(url, host) {
    host = host.toLowerCase();

    // -- If the site is obviously local don't use the cache. --
    if (isPlainHostName(host))
       return "DIRECT";

    // -- same for yourdomain.com, localhost and SSL --
    if (
        dnsDomainIs(host,".yourdomain.com") ||
        dnsDomainIs(host,"localhost") ||
        url.substring(0, 6) == "https:")
            return "DIRECT";

     // -- We'll only cache/proxy http --
     if (
        url.substring(0, 5) == "http:" ||
      return "PROXY webcache.yourdomain.com.:3128";

     // -- Now the acl in the squid.conf takes care of the rest --

     // -- everything else... --
     else
       return "DIRECT";
 }

-- FILE ENDS --

This will ensure that the browsers will not go the cache, and hence
be denied access to web servers local to your domain.

If you need more information on proxy configuration files, I suggest
you check out the information on netscape's site, at:

http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-
live.html

Note that this is by no means foolproof as your users can turn off
the proxy configuration file (unless you've locked down your
browsers as well).

Basically though, this sounds like a job for a firewall/transparent
proxy setup and I'm no expert on that...

Cheers, hope this helps.

------------------------------
Jamie Shields
Deputy Computing Officer
Computer Resources Centre
Faculty of Human Sciences
Kingston University
Phone: (0181) 547-2000 ex:2367
http://humansciences.king.ac.uk
------------------------------

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Mon Aug 21 2000 - 03:49:46 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:54:56 MST