squid:acls

Differences

This shows you the differences between two versions of the page.

squid:acls [2020/04/07 10:27] petersquid:acls [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 19: Line 19:
   * **name**:  Can be chosen arbitrarily.   * **name**:  Can be chosen arbitrarily.
   * **type**:  See  [[Squid:ACLs:ACL Types|ACL Types]] for the different options.  This can be also found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file.   * **type**:  See  [[Squid:ACLs:ACL Types|ACL Types]] for the different options.  This can be also found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file.
-  * **definition...**:  Depends on the individual ACL type and can also be read from a file.  For example, “via” host names, IP addresses, or URLs. +  * **definitions...**:  Depends on the individual ACL type and can also be read from a file.  For example, “via” host names, IP addresses, or URLs. 
  
  
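Review bot: the label in the third bullet now reads **definitions...**, so the placeholder in the syntax line this list documents (outside this hunk) needs the same spelling, otherwise the list and the syntax line disagree. In the same bullet, "For example, “via” host names, IP addresses, or URLs" is hard to parse; dropping the quoted “via” and showing the form used to read the values from a file would let the bullet stand on its own.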
Line 71: Line 71:
 The most useful feature is the **http_access** statement.  It works similar to the way a firewall would handle rules. The most useful feature is the **http_access** statement.  It works similar to the way a firewall would handle rules.
  
-For each request that Squid receives it will look through all the **http_access** statements in order until it finds a line that matches.+**http_access** defines who is allowed to use the proxy and who can access what on the Internet.
  
-It then either accepts or denys depending on your setting.+  * For each request that Squid receives it will look through all the **http_access** statements in order, from top to bottom. until it finds a line that matches. 
 +  * It then either accepts or denys depending on your setting
 +  * The remaining rules are ignored. 
 +  * The last entry should always be **http_access deny all**.
  
-The remaining rules are ignored. 
  
 The general syntax of an http_access line is: The general syntax of an http_access line is:
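Review bot: the first added bullet has a stray full stop that splits the sentence, "in order, from top to bottom. until it finds a line that matches"; it should read "in order, from top to bottom, until it finds a line that matches." The second bullet carries over "denys" (should be "denies") and lost its closing period. The new bullet "The last entry should always be **http_access deny all**" would be stronger with one sentence on what happens to a request that matches no rule, since the list only describes the matching case.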
Line 86: Line 88:
  
 <code> <code>
-http_access allow accesses_from_admins +http_access allow access_from_admins 
-http_access deny accesses_to_porn_urls +http_access deny access_to_porn_urls 
-http_access allow accesses_during_lunchtime+http_access allow access_during_lunchtime
 http_access deny all http_access deny all
 </code> </code>
  
-This would allow accessing from the admins (whatever that ACL looks like – probably a src ACL pointing to the subnet where the admin workstations are in).+  * This would allow accessing from the admins (whatever that ACL looks like – probably a src ACL pointing to the subnet where the admin workstations are in)
 +  * For everyone else it will deny accesses to porn URLs. 
 +  * Then it would allow accesses from everyone to every web site during lunch time. 
 +  * And finally all other accesses would be denied.
  
-For everyone else it will deny accesses to porn URLs.+Example 2:
  
-Then it would allow accesses from everyone to every web site during lunch time.+<code> 
 +acl localhost src 127.0.0.1/32 ::1 
 +acl all src 0.0.0.0/0.0.0.0 
 +     
 +http_access allow localhost 
 +http_access deny all 
 +</code>
  
-And finally all other accesses would be denied.+  * localhost has free access to everything while all other hosts are denied access completely. 
 + 
 + 
 +Example 3: 
 + 
 +<code> 
 +acl localhost src 127.0.0.1/32 ::1 
 +acl all src 0.0.0.0/0.0.0.0 
 +acl teachers src 192.168.10.0/255.255.255.0  
 +acl students src 192.168.20.0-192.168.30.0/255.255.255.0  
 +acl lunch time MTWHF 12:00-13:00   
 +     
 +http_access deny localhost 
 +http_access allow teachers 
 +http_access allow students lunch time 
 +http_access deny all 
 +</code> 
 + 
 + 
 +  * The group teachers always has access to the Internet. 
 +  * The group students only has access between Monday and Friday during lunch time. 
 + 
 + 
 +<WRAP tip> 
 +**TIP**:  For readability, within the configuration file /etc/squid/squid.conf, specify all **http_access** options as a block. 
 +</WRAP>
  
 ---- ----
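Review bot: in Example 3, `http_access allow students lunch time` names three ACLs, but `acl lunch time MTWHF 12:00-13:00` defines a single ACL named `lunch` of type `time`, and no ACL named `time` is defined anywhere in the example. Use `http_access allow students lunch`, or name the ACL `lunch_time` in both the acl line and the http_access line. The same example switches localhost from allow (Example 2) to `http_access deny localhost`, and the bullets under it never mention this; either explain the change or drop the line. The first bullet under Example 1 also lost its closing period.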
Line 128: Line 164:
 ===== Custom error pages (deny_info) ===== ===== Custom error pages (deny_info) =====
  
-By default when you deny access the user gets the error page that is stored in the ERR_ACCESS_DENIED file.+By default when you deny access the user gets the error page that is stored in the **ERR_ACCESS_DENIED** file.
  
-But luckily you can define your own custom error pages and display them when you deny certain accesses. A simple example:+But you can define your own custom error pages and display them when you deny certain access A simple example:
  
 <code> <code>
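Review bot: the rewritten second sentence now runs into the next one, "when you deny certain access A simple example:"; the period was dropped together with the plural. Restore it as "when you deny certain accesses. A simple example:".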
Line 149: Line 185:
 </code> </code>
  
-This will deny access only for the user from the IP address 10.0.5.16 when www.google.com is accessed. +  * This will deny access only for the user from the IP address 10.0.5.16 when www.google.com is accessed. 
- +    As you can see the ACLs admin and google are combined.  In such a combination the last ACL in the line is taken into account for lookups of **deny_info**. 
-As you can see the ACLs admin and google are combined.  In such a combination the last ACL in the line is taken into account for lookups of **deny_info**. +    So it’s important that you define a **deny_info** for the google ACL.
- +
-So it’s important that you define a **deny_info** for the google ACL.+
  
 ---- ----
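Review bot: the two sentences folded under the new bullet ("As you can see the ACLs admin and google are combined..." and "So it’s important that you define a **deny_info**...") are indented by four spaces without a list marker, which DokuWiki renders as preformatted text rather than as a continuation of the list item. Give each sentence its own `*` bullet, or keep them as ordinary paragraphs below the list as in the previous revision.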
squid/acls.1586255234.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
