Differences

This shows you the differences between two versions of the page.

--- pfsense:squid:acls_access_control_lists [2020/03/30 16:04] – peter
+++ pfsense:squid:acls_access_control_lists [2020/07/15 09:30] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ====== PFSense - Squid - ACLs (Access Control Lists) ======
-Define who can and who cannot access the proxy.
+See [[Squid:ACLs|Squid ACLs]]
-Access Control Lists (ACL) are lists with rules that are processed sequentially.
-ACLs must be defined before they can be used.
-Some default ACLs, such as **all** and **localhost**, already exist.
-However, the mere definition of an ACL does not mean that it is actually applied.
-This only happens when there is a corresponding **http_access** rule.
-<WRAP important>
-**WARNING:**
-Who can use your proxy server?
-Everyone on your LAN?
-Everyone on the Internet?
-No, you don't want everyone on the Internet to use it.
-Many people have scanners running that will find an open proxy in a hurry, publish it on a list, and before you know it your bandwidth will be soaked up by a thirsty sponge of users intent on questionable or illegal uses.
-So the first thing you do is define the permitted users by setting ACLs (access control lists).
-</WRAP>
 ----
-===== ACL Syntax =====
+todo
-The syntax for ACL is:
 <code>
-acl ACL_NAME TYPE DATA
+acl manager proto cache_object
-</code>
+acl localhost src 127.0.0.1/32 ::1
+acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
+acl local_respmod src 127.0.0.1/32 type respmod
-  * **ACL_NAME**:  Can be chosen arbitrarily.
+# ACL Local Network
-  * **TYPE**:  Select from a variety of different options which can be found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file.
+#acl localnet src 192.168.1.0/24 # localnet
-  * **DATA**:  Depends on the individual ACL type and can also be read from a file.  For example, “via” host names, IP addresses, or URLs.
-==== http_access allow ACL_NAME ====
-  *  **http_access** defines who is allowed to use the proxy and who can access what on the Internet.
+# Example rule allowing access from your local networks.
-    * This ACL must be defined.
+# Adapt to list your (internal) IP networks from where browsing
-    * **localhost** and **all** have already been defined above for which you can deny or allow access via deny or allow.
+# should be allowed
-    * A list containing any number of http_access entries can be created, processed from top to bottom.  Depending on which occurs first, access is allowed or denied to the respective URL.  The last entry should always be **http_access deny all**.  In the following example, localhost has free access to everything while all other hosts are denied access completely:
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
-  <code>
+acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
-    http_access allow localhost
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
-    http_access deny all
+acl localnet src fc00::/7 # RFC 4193 local private network range
-</code>
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
-  * In another example using these rules, the group teachers always has access to the Internet. The group students only has access between Monday and Friday during lunch time:
+# Only allow cachemgr access from localhost
-  <code>
+#http_access allow manager localhost
-    http_access deny localhost
+#http_access deny manager
-    http_access allow teachers
-    http_access allow students lunch time
-    http_access deny all
-</code>
-  * For readability, within the configuration file /etc/squid/squid.conf, specify all http_access options as a block.
+http_access allow localhost manager
+http_access deny manager
-==== url_rewrite_program PATH ====
+http_access allow localnet
+http_access allow localhost
-  * With this option, specify a URL rewriter.
-==== auth_param basic program PATH ====
-    If users must be authenticated on the proxy, set a corresponding program, such as /usr/sbin/pam_auth. When accessing pam_auth for the first time, the user sees a login window in which they need to specify a user name and a password. In addition, you need an ACL, so only clients with a valid login can use the Internet:
-  <code>
-    acl password proxy_auth REQUIRED
-    http_access allow password
-    http_access deny all
-</code>
-  * In the acl proxy_auth option, using REQUIRED means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names.
-==== ident_lookup_access allow ACL_NAME ====
-  * With this option, have an ident request run to find each user's identity for all clients defined by an ACL of the type src. Alternatively, use this for all clients, apply the predefined ACL all as the ACL_NAME.
-  * All clients covered by ident_lookup_access must run an ident daemon. On Linux, you can use pidentd (package pidentd ) as the ident daemon. For other operating systems, free software is usually available. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL:
-  <code>
-    acl identhosts ident REQUIRED
-    http_access allow identhosts
-    http_access deny all
-</code>
-  *  In the acl identhosts ident option, using REQUIRED means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names.
-  *  Using ident can slow down access time, because ident lookups are repeated for each request.
-----
-===== Allowed Subnets =====
-Add default **192.168.1.0/24**, and any other LAN subnets, such as my IOT subnet of **192.168.70.0/24** and Guest subnet of **172.16.0.0/24**.
-Add any other IP that is allowed to use the proxy, for example, **100.1.2.3**.
-The teachers group always have access to the Internet. The students group only has access between Monday and Friday during lunch time:
-<code>
-acl AllowedHosts src 192.168.1.0/24
-acl AllowedHosts src 192.168.70/0/24
-acl AllowedHosts src 172.16.0.0/24
-acl AllowedHosts src 100.1.2.3
-acl teachers src 192.168.10.0/255.255.255.0
-acl students src 192.168.20.0-192.168.30.0/255.255.255.0
-acl lunch time MTWHF 12:00-13:00
-#[ black-list and white-list rules will go in here in the next step ]
-http_access deny localhost
-http_access allow teachers
-http_access allow students lunch time
-http_access allow AllowedHosts
 http_access deny all
-</code>
-The **AllowedHosts** is just a name given to these, but you can call this anything.  This name will be referenced later.
+icap_access allow local_respmod
+icap_access allow localnet
+icap_access deny  all
-----
-===== Black List Proxy vs Whitelist Proxy =====
-Add additional ACL entries:
-Decide which approach you want to follow:
-  * A **black-listing proxy** blocks offensive web sites.  See black-list examples.
-  * A **white-listing proxy** only allows approved sites.  A white-list has the benefit of blocking virtually everything that is not known to be “good”, but may take longer to configure.  See white-list examples.
-==== Blacklist Proxy Example ====
-Place your rules in a location of your choosing (e.g., /etc/squid/), define them, then apply them something like the following.
-<code>
-#______[ Black List ]_____________________________________________________
-acl advdom      dstdomain       "/etc/squid/ad.domains"
-acl adv0exp     url_regex -i    "/etc/squid/ad0.exp"
-acl adv1exp     url_regex -i    "/etc/squid/ad1.exp"
-acl baddom      dstdomain       "/etc/squid/bad.domains"
-acl baddom      dstdomain       "/etc/squid/proxy.domains"
-acl badexp      url_regex -i    "/etc/squid/bad.exp"
-acl violentdom  dstdomain       "/etc/ffilter/violent.domains"
-acl hardblock   url_regex -i    "/etc/squid/hardblock.exp"
-acl drugdomains dstdomain       "/etc/ffilter/drug.domains"
-acl gambledom   dstdomain       "/etc/ffilter/gambling.domains"
-acl offensive   dstdomain       "/etc/ffilter/offensive.domains"
-acl offendexp   url_regex -i    "/etc/ffilter/offensive.exp"
-acl deceptive   dstdomain       "/etc/ffilter/deceptive.domains"
-acl illegal     dstdomain       "/etc/ffilter/illegal.domains"
-# If you have children who have their own computers and for whom
-# you want extra protection, then try this idea:
-acl children    src             "/etc/ffilter/kids.IPs"
-acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
-#
-# On week-days the kids need to stop using the Internet at 10pm,
-# but on Friday and Saturday we let them go until midnight:
-#
-acl curfew time SMTWH   22:00-23:59
-acl curfew time SMTWHF  00:00-7:00
-#______[ White List ]_____________________________________________________
-acl safedom     dstdomain       "/etc/ffilter/safe.domains"
-acl safeexp     url_regex -i    "/etc/ffilter/safe.exp"
-acl christdom   dstdomain       "/etc/ffilter/christian.domains"
-acl christexp   url_regex -i    "/etc/ffilter/christian.exp"
-acl schooldom   dstdomain       "/etc/ffilter/school.domains"
-acl employdom   dstdomain       "/etc/ffilter/employ.domains"
-#______[ Rules ]__________________________________________________________
-# 0. 'hardblock' regex and IP matches
-#
-http_access deny hardblock
-# 1. Children's curfew
-#
-http_access allow curfewOK
-http_access deny children curfew
-#http_access deny children gamedom
-# Now block the stage zero regex blocks that are to come before safe regex
-# holes; this is to allow certain parts of a regex to be blocked while the
-# safe.exp match (for example) lets through the rest.  For example, we might
-# have a "safe site" that has ads we want to block.
-#
-http_access deny adv0exp
-http_access deny bad0exp
-http_access deny offendexp
-# Let through safe domains, but not regex
-#
-http_access allow christdom
-http_access allow safedom
-http_access allow schooldom
-http_access allow employdom
-# 3. Block bad domains, but not regex
-#       Thus, the domain files should only contain domains which are TOTALLY bad.
-#   If a domain is only mostly bad, it should go in the regex file instead so
-#   that white-list rules can be applied.
-#       Put another way, any domain in a domain blacklist NEVER gets through, even if
-#   a white-list contains a regex pattern match.
-#
-http_access deny baddom
-http_access deny violentIPs
-http_access deny violentdom
-http_access deny drugdomains
-http_access deny gambledom
-http_access deny deceptive
-http_access deny offensive
-http_access deny illegal
-http_access deny p2p
-# Ads and spam are last because I'd first want to tell people if the domain
-#   were bad for some other reason, and only as a last resort block it merely
-#   because it was spam.
-#
-http_access deny advdom
-http_access deny spamdom
-# 4. Let through safe regex
-#
-http_access allow christexp
-http_access allow safeexp
-# 5. Block bad regex
-#
-http_access deny badexp
-http_access deny violentexp
-http_access deny drugexp
-http_access deny gambleexp
-http_access deny deceptexp
-# Ads and spam expressions are the last to be blocked.
-#
-http_access deny adv1exp
-# 6. Everything else is permitted for those hosts that are allowed.
-#
-http_access allow AllowedHosts
-http_access deny all
 </code>
-----
-==== Whitelist Proxy Example ====
-Place your rules in a location of your choosing (e.g., /etc/squid/), define them, then apply them something like the following.
-<code>
-#______[ Black List ]_____________________________________________________
-acl advIPs      dst             "/etc/squid/ad.IPs"
-acl advdom      dstdomain       "/etc/squid/ad.domains"
-acl adv0exp     url_regex -i    "/etc/squid/ad0.exp"
-acl baddom      dstdomain       "/etc/squid/bad.domains"
-acl baddom      dstdomain       "/etc/squid/proxy.domains"
-acl bad0exp     url_regex -i    "/etc/squid/bad.exp"
-acl violentdom  dstdomain       "/etc/ffilter/violent.domains"
-acl hardblock   url_regex -i    "/etc/squid/hardblock.exp"
-acl drugdomains dstdomain       "/etc/ffilter/drug.domains"
-acl gambledom   dstdomain       "/etc/ffilter/gambling.domains"
-acl offensive   dstdomain       "/etc/ffilter/offensive.domains"
-acl deceptive   dstdomain       "/etc/ffilter/deceptive.domains"
-acl illegal     dstdomain       "/etc/ffilter/illegal.domains"
-# If you have children who have their own computers and for whom
-# you want extra protection, then try this idea:
-acl children    src             "/etc/ffilter/kids.IPs"
-acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
-#
-# On week-days the kids need to stop using the Internet at 10pm,
-# but on Friday and Saturday we let them go until midnight:
-#
-acl curfew time SMTWH   22:00-23:59
-acl curfew time SMTWHF  00:00-7:00
-#______[ White List ]_____________________________________________________
-acl safedom     dstdomain       "/etc/ffilter/safe.domains"
-acl safeexp     url_regex -i    "/etc/ffilter/safe.exp"
-acl christdom   dstdomain       "/etc/ffilter/christian.domains"
-acl christexp   url_regex -i    "/etc/ffilter/christian.exp"
-acl schooldom   dstdomain       "/etc/ffilter/school.domains"
-acl employdom   dstdomain       "/etc/ffilter/employ.domains"
-#______[ Rules ]__________________________________________________________
-# 0. 'hardblock' regex and IP matches
-#
-http_access deny hardblock
-# 1. Children's curfew
-#
-http_access allow curfewOK
-http_access deny children curfew
-#http_access deny children gamedom
-# Now block the stage zero regex blocks that are to come before safe regex
-# holes; this is to allow certain parts of a regex to be blocked while the
-# safe.exp match (for example) lets through the rest.  For example, we might
-# have a "safe site" that has ads we want to block.
-#
-http_access deny adv0exp
-http_access deny bad0exp
-# Let through safe domains, but not expressions yet
-#
-http_access allow christdom
-http_access allow safedom
-http_access allow schooldom
-http_access allow employdom
-# 3. Block bad domains (domains which have no desirable content).
-#
-http_access deny baddom
-http_access deny violentdom
-http_access deny drugdomains
-http_access deny gambledom
-http_access deny deceptive
-http_access deny offensive
-http_access deny illegal
-http_access deny p2p
-# Ads and spam are last because I'd first want to tell people if the domain
-#   were bad for some other reason, and only as a last resort block it merely
-#   because it was spam.
-#
-http_access deny advdom
-http_access deny spamdom
-# 4. Let through safe expressions
-#
-http_access allow christexp
-http_access allow safeexp
-# 5. Everything else is denied.  Do NOT put the AllowedHosts ACL in here
-#    or you will defeat the white-list.
-#
-http_access deny all
-</code>
-----
-===== Children's curfew =====
-Include the following into the same **Allowed Subnets** box.  Place the RULES section at the bottom, but remember that RULES are processed top to bottom order until the first one that matches the criteria is met.
-<code>
-# If you have children who have their own computers and for whom
-# you want extra protection, then try this idea:
-#
-acl children    src             "/etc/ffilter/kids.IPs"
-acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
-#
-# On week-days the kids need to stop using the Internet at 10pm,
-# but on Friday and Saturday we let them go until midnight:
-#
-acl curfew time SMTWH   22:00-23:59
-acl curfew time SMTWHF  00:00-7:00
-# RULES:
-#
-# Children's curfew
-#
-http_access allow curfewOK
-http_access deny children curfew
-#http_access deny children gamedom
-</code>
-----
-===== References =====
-https://ispltd.org/server_guides:proxy
-https://doc.opensuse.org/documentation/leap/archive/15.0/reference/html/book.opensuse.reference/cha.squid.html