Wiki

User Tools

Site Tools

Trace:
squid:acls:acl_example_usage

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
squid:acls:acl_example_usage [2020/04/06 14:44] – [http_access allow ACL_NAME] petersquid:acls:acl_example_usage [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 2: Line 2:
  
  
-===== ACL Syntax ===== 
- 
-The syntax for ACL is: 
- 
-<code> 
-acl ACL_NAME TYPE DATA 
-</code> 
- 
-  * **ACL_NAME**:  Can be chosen arbitrarily. 
-  * **TYPE**:  See  [[Squid:ACLs:ACL Types|ACL Types]] for the different options.  This can be also found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file. 
-  * **DATA**:  Depends on the individual ACL type and can also be read from a file.  For example, “via” host names, IP addresses, or URLs.  
- 
- 
-==== http_access allow ACL_NAME ==== 
- 
-  *  **http_access** defines who is allowed to use the proxy and who can access what on the Internet. 
-    * This ACL must be defined. 
-    * **localhost** and **all** have already been defined above for which you can deny or allow access via deny or allow. 
-    * A list containing any number of http_access entries can be created, processed from top to bottom.  Depending on which occurs first, access is allowed or denied to the respective URL. 
-    * The last entry should always be **http_access deny all**.  In the following example, localhost has free access to everything while all other hosts are denied access completely: 
-  <code> 
-    acl localhost src 127.0.0.1/32 ::1 
-    acl all src 0.0.0.0/0.0.0.0 
-     
-    http_access allow localhost 
-    http_access deny all 
-</code> 
- 
-  * In another example using these rules, the group teachers always has access to the Internet. The group students only has access between Monday and Friday during lunch time: 
-  <code> 
-    http_access deny localhost 
-    http_access allow teachers 
-    http_access allow students lunch time 
-    http_access deny all 
-</code> 
- 
-  * For readability, within the configuration file /etc/squid/squid.conf, specify all http_access options as a block.  
-     
-==== url_rewrite_program PATH ==== 
- 
-  * With this option, specify a URL rewriter.  
- 
-==== auth_param basic program PATH ==== 
- 
-  * If users must be authenticated on the proxy, set a corresponding program, such as /usr/sbin/pam_auth. When accessing pam_auth for the first time, the user sees a login window in which they need to specify a user name and a password. In addition, you need an ACL, so only clients with a valid login can use the Internet: 
-  <code> 
-    acl password proxy_auth REQUIRED 
- 
-    http_access allow password 
-    http_access deny all 
-</code> 
- 
-  * In the acl proxy_auth option, using REQUIRED means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names.  
- 
-==== ident_lookup_access allow ACL_NAME ==== 
- 
-  * With this option, have an ident request run to find each user's identity for all clients defined by an ACL of the type src. Alternatively, use this for all clients, apply the predefined ACL all as the ACL_NAME. 
-  * All clients covered by ident_lookup_access must run an ident daemon. On Linux, you can use pidentd (package pidentd ) as the ident daemon. For other operating systems, free software is usually available. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL: 
-  <code> 
-    acl identhosts ident REQUIRED 
- 
-    http_access allow identhosts 
-    http_access deny all 
-</code> 
- 
-  *  In the acl identhosts ident option, using REQUIRED means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names. 
-  *  Using ident can slow down access time, because ident lookups are repeated for each request.  
- 
- 
----- 
  
 ===== Allowed Subnets ===== ===== Allowed Subnets =====
Line 372: Line 302:
 </code> </code>
  
 +----
 +
 +===== url_rewrite_program PATH =====
 +
 +  * With this option, specify a URL rewriter. 
 +  * Squid doesn't know how to run external helpers based on scripts, like .bat, .cmd, .vbs, .pl, etc. So in squid.conf the interpreter path must be always specified, for example:
 +<code>
 +    url_rewrite_program c:/perl/bin/perl.exe c:/squid/libexec/redir.pl
 +</code>
 +
 +The actual rewriter script that is called would be something like this:
 +
 +<code perl>
 +#!/usr/bin/env perl
 +$|=1;
 +while (<>) {
 +  $url = m/^([^ ]*)/;
 +  if ($url !~ /^http:\/\/www\.hostname\.com/) {
 +    $url =~ s@^http://www\.hostname\.com/(.*)@http://www.hostname.com/\1@;
 +    print "301:$url\n";
 +  } else {
 +    print "$url\n";
 +  }
 +}
 +</code>
 +
 +If it exists with abnormal program termination and this is in the cache.log:
 +
 +<code bash>
 +2012/03/23 19:26:12| helperOpenServers: Starting 5 'c:\squid\php\redirect.pl' processes
 +2012/03/23 19:26:12| ipcCreate: CHILD: c:\squid\php\redirect.pl: (8) Exec format error
 +2012/03/23 19:26:12| ipcCreate: PARENT: OK read test failed
 +2012/03/23 19:26:13| --> read returned 4
 +</code>
 +
 +Then could be to not place quotes around the path...
  
 ---- ----
 +
 +===== auth_param basic program PATH =====
 +
 +  * If users must be authenticated on the proxy, set a corresponding program, such as /usr/sbin/pam_auth. When accessing pam_auth for the first time, the user sees a login window in which they need to specify a user name and a password. In addition, you need an ACL, so only clients with a valid login can use the Internet:
 +  <code>
 +    acl password proxy_auth REQUIRED
 +
 +    http_access allow password
 +    http_access deny all
 +</code>
 +
 +  * In the acl proxy_auth option, using **REQUIRED** means that all valid user names are accepted.  REQUIRED can also be replaced with a list of permitted user names. 
 +
 +----
 +
 +===== ident_lookup_access allow ACL_NAME =====
 +
 +  * With this option, have an ident request run to find each user's identity for all clients defined by an ACL of the type src. Alternatively, use this for all clients, apply the predefined ACL all as the ACL_NAME.
 +  * All clients covered by ident_lookup_access must run an ident daemon. On Linux, you can use pidentd (package pidentd ) as the ident daemon. For other operating systems, free software is usually available. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL:
 +  <code>
 +    acl identhosts ident REQUIRED
 +
 +    http_access allow identhosts
 +    http_access deny all
 +</code>
 +
 +  *  In the acl identhosts ident option, using REQUIRED means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names.
 +  *  Using ident can slow down access time, because ident lookups are repeated for each request. 
 +
 +
 +----
 +
  
 ===== References ===== ===== References =====
squid/acls/acl_example_usage.1586184272.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki